SRX Services Gateway

Observing multiple Phase-1 and Phase-2 SA's

05-12-2015 08:01 AM

Hello All,

There is a strange observation on an SRX-1400. We have configured a route-based point-to-point IPsec VPN.

We are observing multiple SAs for the same VPN getting established for Phase-1 and Phase-2.

Please check below:

Phase 1 associations:

node0:
--------------------------------------------------------------------------
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
288618524 UP   faf60b8da2614dad  d9f23ae05adf1c75  Main           178.268.203.113  
288618525 UP   deffdc27614849a7  bf3402448ac93544  Main           178.268.203.113  
288618526 UP   9d0330e85147509a  63499b7b1c9fabdd  Main           178.268.203.113  
288618527 UP   f8871915e0700d97  80a23c3529803d13  Main           178.268.203.113  
288618528 UP   785ac064df196063  a7119164acc4d9ea  Main           178.268.203.113  
288618529 UP   5fb591b504bf08b7  7acfb8f69bce7b25  Main           178.268.203.113  
288618530 UP   ba7cc3f294b2cb9d  88f18daeaf120c2b  Main           178.268.203.113  
288618531 UP   29baa733064fbaf1  172a1e8bce4f9a68  Main           178.268.203.113  
288618532 UP   c1f9fa5b99242cf3  8acf30785054abdf  Main           178.268.203.113  
288618533 UP   389bafd50c52cf44  48c455f61ea5b907  Main           178.268.203.113  
288618534 UP   76cd01e2f4508c9e  2787265600087776  Main           178.268.203.113  
288618535 UP   0272ed7659b4198a  5273fafe459d5a24  Main           178.268.203.113  
288618536 UP   895979efd24bb449  8f13fb5410ccc81b  Main           178.268.203.113  
288618537 UP   0efe3d92a10477f0  4230838ae80f1e42  Main           178.268.203.113  
288618538 UP   a8484a5f808936ae  144f986510b09588  Main           178.268.203.113  
288618539 UP   808b50348af2e637  502dfd903620a8ba  Main           178.268.203.113  
288618540 UP   a25d2d086da3f2ea  b7cf2f4292d5f848  Main           178.268.203.113  
288618541 UP   2788427397beabb6  40f91b4c7fe6db05  Main           178.268.203.113  
288618542 UP   bad2c993180b2721  1133bccca275cb0c  Main           178.268.203.113  


Phase 2 Associations:

node0:
--------------------------------------------------------------------------
  Total active tunnels: 4
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131074 ESP:3des/sha1 87f5d5e  1283/  4607984 -  root 500   178.268.203.113
  >131074 ESP:3des/sha1 cfd95039 1283/  4607984 -  root 500   178.268.203.113
  <131074 ESP:3des/sha1 840d9d4  1893/  4607985 -  root 500   178.268.203.113
  >131074 ESP:3des/sha1 d1e9b487 1893/  4607985 -  root 500   178.268.203.113

Please help identify what is causing this.

Thanks.
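
An added example, not part of the original post, that parses the two SA tables above and flags a peer holding more than one UP Phase-1 SA, or a tunnel carrying more Phase-2 SAs than expected. The sample text is constructed from the format shown in this thread, and the thresholds (max_ike, max_ipsec) are assumptions for a single point-to-point tunnel:

```python
# Added example (not from the thread): parse the two Junos SA tables posted
# above and flag peers holding more Phase-1 SAs, or tunnels holding more
# Phase-2 SAs, than expected.  Sample text is constructed in the thread's format.
import re
from collections import Counter

IKE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
288618524 UP   faf60b8da2614dad  d9f23ae05adf1c75  Main           178.268.203.113
288618525 UP   deffdc27614849a7  bf3402448ac93544  Main           178.268.203.113
288618526 DOWN 9d0330e85147509a  63499b7b1c9fabdd  Main           178.268.203.113
"""
IPSEC_OUTPUT = """\
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131074 ESP:3des/sha1 87f5d5e  1283/  4607984 -  root 500   178.268.203.113
  >131074 ESP:3des/sha1 cfd95039 1283/  4607984 -  root 500   178.268.203.113
  <131074 ESP:3des/sha1 840d9d4  1893/  4607985 -  root 500   178.268.203.113
  >131074 ESP:3des/sha1 d1e9b487 1893/  4607985 -  root 500   178.268.203.113
"""
IKE_ROW = re.compile(r"^\s*\d+\s+(UP|DOWN)\s+[0-9a-f]+\s+[0-9a-f]+\s+\S+\s+(\S+)\s*$")
IPSEC_ROW = re.compile(r"^\s*([<>])(\d+)\s+\S+\s+([0-9a-f]+)\s+(\d+)/\s*\d+\s+\S+\s+\S+\s+\d+\s+\S+\s*$")

def ike_sas_per_peer(text, state="UP"):
    """Count Phase-1 SAs in the given state, keyed by remote gateway address."""
    counts = Counter()
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m and m.group(1) == state:
            counts[m.group(2)] += 1
    return counts

def ipsec_sas_per_tunnel(text):
    """Group Phase-2 SAs by tunnel ID: {id: [(direction, spi, life_sec), ...]}.
    One '<' and one '>' entry is steady state; a second pair with a different
    remaining lifetime usually means a rekey is in progress."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            sas.setdefault(m.group(2), []).append((m.group(1), m.group(3), int(m.group(4))))
    return sas

def flag_excess(ike_counts, ipsec_sas, max_ike=1, max_ipsec=4):
    """Findings for peers above max_ike UP IKE SAs or tunnels above max_ipsec SAs."""
    out = [f"peer {p}: {n} IKE SAs UP (expected <= {max_ike})"
           for p, n in ike_counts.items() if n > max_ike]
    out += [f"tunnel {t}: {len(v)} IPsec SAs (expected <= {max_ipsec})"
            for t, v in ipsec_sas.items() if len(v) > max_ipsec]
    return out
```

Feed it the live output of `show security ike security-associations` and `show security ipsec security-associations` (collected over SSH or PyEZ) to track whether the SA count keeps growing after a rekey cycle or settles back to one pair per tunnel.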


Re: Observing multiple Phase-1 and Phase-2 SA's

05-12-2015 08:11 AM

Hello

Please share the VPN configuration.


Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Observing multiple Phase-1 and Phase-2 SA's

05-12-2015 10:40 AM

Hi,

Please find the config below:

set security ike proposal ike-proposal-Data2 authentication-method pre-shared-keys
set security ike proposal ike-proposal-Data2 dh-group group2
set security ike proposal ike-proposal-Data2 authentication-algorithm sha1
set security ike proposal ike-proposal-Data2 encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-Data2 lifetime-seconds 86400

set security ike policy ike-policy-Data2 mode main
set security ike policy ike-policy-Data2 proposals ike-proposal-Data2
set security ike policy ike-policy-Data2 pre-shared-key ascii-text "xxxxxx"

set security ike gateway ike-gate-Data2 ike-policy ike-policy-Data2
set security ike gateway ike-gate-Data2 address  178.268.203.113
set security ike gateway ike-gate-Data2 external-interface reth1.112
set security ike gateway ike-gate-Data2 version v1-only

set security ipsec proposal ipsec-proposal-Data2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-proposal-Data2 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-Data2 lifetime-seconds 3600

set security ipsec policy ipsec-policy-Data2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-Data2 proposals ipsec-proposal-Data2

set security ipsec vpn ipsec-vpn-Data2 bind-interface st0.5
set security ipsec vpn ipsec-vpn-Data2 ike gateway ike-gate-Data2
set security ipsec vpn ipsec-vpn-Data2 ike proxy-identity local 223.17.26.144/29
set security ipsec vpn ipsec-vpn-Data2 ike proxy-identity remote 178.268.203.16/29
set security ipsec vpn ipsec-vpn-Data2 ike proxy-identity service any
set security ipsec vpn ipsec-vpn-Data2 ike ipsec-policy ipsec-policy-Data2
set security ipsec vpn ipsec-vpn-Data2 establish-tunnels immediately

Please help, as we are not sure why multiple SAs are observed for Phase-1 and Phase-2.

Thanks.


Re: Observing multiple Phase-1 and Phase-2 SA's

05-13-2015 12:17 AM

Hello,

Can you also share the Junos version?


Thanks,
Sam


Re: Observing multiple Phase-1 and Phase-2 SA's

05-13-2015 12:19 AM

Hello,

Also, if you can, restart the IPsec key management during off hours and check if you still see multiple IKE SAs; it may be due to the IKE SA not clearing and may be a cosmetic bug. But there will not be any impact.


Thanks,
Sam
