SRX Services Gateway

SRX VPN Flapping

07-22-2015 06:45 AM

Hi all,

I've been tracing a VPN connection for the past few days that has been running at about 2Mb/s (everything else goes at nearly gigabit speeds). I've been tracing the connection to see where the problem is, and have a few days' worth of logs. Nearly all of them look exactly like this:

Jul 22 09:09:19 09:09:19.386588:CID-0:RT:flow_handle_phase1_session_ageout: does_sess_need_time_sync=0 is_nat_time_sync_state=0, is_nat_sync_recv_nack=0, flow_ha_get_time_sync_retry_count=0
Jul 22 09:09:19 09:09:19.386588:CID-0:RT:flow_handle_phase1_session_ageout: does_sess_need_time_sync=0 is_nat_time_sync_state=0, is_nat_sync_recv_nack=0, flow_ha_get_time_sync_retry_count=0
Jul 22 09:09:19 09:09:19.386588:CID-0:RT:flow_handle_phase1_session_ageout: does_sess_need_time_sync=0 is_nat_time_sync_state=0, is_nat_sync_recv_nack=0, flow_ha_get_time_sync_retry_count=0
Jul 22 09:09:19 09:09:19.936163:CID-0:RT:got route table lock
Jul 22 09:09:19 09:09:19.936163:CID-0:RT:released route table lock
Jul 22 09:09:19 09:09:19.936163:CID-0:RT:got route table lock
Jul 22 09:09:19 09:09:19.936163:CID-0:RT:released route table lock

This happens whether there is traffic going through the tunnel or not. To me, it looks like the connection constantly drops and reconnects. Is this the case? If so, is there a way to verify at what point this is happening?

 

Thanks in advance!

P.S. - I've attached all the logs (I have the SRX set to have up to 2 log archives, 128 Mb each; they only go back about an hour).


Re: SRX VPN Flapping

07-22-2015 07:26 AM

You need to show the logs for kmd.

 

sh security ipsec ?
sh security ike ?

Will also hold pertinent information as to the status of the tunnels.

 

--

Also include:

What is on the other side of the tunnel (and do you have access to it)?

What method of authentication is being used?


Re: SRX VPN Flapping

07-22-2015 08:38 AM

Hello,

 


@agentroadkill wrote:

Hi all,

 

I've been tracing a VPN connection for the past few days that has been running at about 2Mb/s (everything else goes at nearly gigabit speeds).


This is usually a TCP MSS or fragmentation problem.

 

If "2Mbps" is related to a TCP application, add TCP MSS adjust to the config:

 

security {
    flow {
        tcp-mss {
            all-tcp {
                mss 1300; ## should be good enough even for GRE-inside-IPSec nested tunnel
            }
        }
    }
}

If "2Mbps" is related to a UDP application, there are several approaches:

- unset the DF bit at the source; the SRX cannot clear the DF bit

- reduce the max. packet size at the source to fit the tunnel without fragmentation

HTH

Thanks

Alex


Re: SRX VPN Flapping

07-22-2015 08:38 AM

Hi deapee, thanks for the help.

 

Following this:

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB10097

 

I logged the VPN. It looks much the same to me; I've attached it, if you wouldn't mind taking just a brief look and confirming that there is definitely something wrong.

I also took a look at those show security [ike|ipsec] commands, and everything looks as I expect (they show all connections up).

The tunnels are IPsec with md5/sha auth, connected to some horrid Cisco system on the other end, overseen by an admin who won't even talk to me (I don't have access).

 

Thanks!


Re: SRX VPN Flapping

07-22-2015 08:48 AM

tcp-mss {
    all-tcp {
        mss 1400;
    }
    ipsec-vpn {
        mss 1387; ## is hopefully good enough for multi-gigabyte file pushes
    }
}

:P


Re: SRX VPN Flapping

07-22-2015 12:22 PM

aarseniev,

 

You may have been on the right track. They had MSS set to 1460 (would that cause this much of a slowdown?). In any case, we're trying to negotiate a new MSS to use on both sides of the VPN. Is there a way to configure that on a per-VPN basis?

 

Thanks!


Re: SRX VPN Flapping

07-22-2015 09:58 PM

Hi,

 

The logs show the VPN is flapping.

May 31 11:46:16  southwoods-gw kmd[1392]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-Coxsacki_0024_0026_0000 from 72.10.207.34 is up. Local-ip: 66.193.82.194, gateway name: Coxsacki, vpn name: Coxsacki, tunnel-id: 24, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 66.193.82.194, Remote IKE-ID: 72.10.207.34, XAUTH username: Not-Applicable, VR id: 0
May 31 11:46:36  southwoods-gw kmd[1392]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-Coxsacki_0025_0027_0000 from 72.10.207.34 is down. Local-ip: 66.193.82.194, gateway name: Coxsacki, vpn name: Coxsacki, tunnel-id: 25, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 66.193.82.194, Remote IKE-ID: 72.10.207.34, XAUTH username: Not-Applicable, VR id: 0

To confirm, you can check whether the SPI is changing in the show security ike/ipsec command output.

 

From the logs it looks like you are using Dynamic VPN.

If yes, do you have 0.0.0.0/0 in the protected resource?
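As an added example (not code from the thread or from Juniper), the check described above done over a log file rather than by eye: a small Python parser for kmd alarm lines in the format quoted above that pairs each KMD_VPN_UP_ALARM_USER with the next KMD_VPN_DOWN_ALARM_USER per vpn name, reports how long each tunnel instance stayed up, and flags a VPN as flapping when any lifetime is shorter than a threshold. The log lines, gateway names and addresses in it are constructed; the 60-second threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the kmd alarm format quoted in the thread (RFC 5737 addresses,
# placeholder gateway names); one flow-trace line is included to show it is ignored.
SAMPLE_LOG = [
    "Jul 22 09:00:05  branch-gw kmd[1392]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-HQ_0024_0026_0000 from 203.0.113.10 is up. Local-ip: 198.51.100.5, gateway name: HQ, vpn name: HQ, tunnel-id: 24, VR id: 0",
    "Jul 22 09:00:19 09:00:19.936163:CID-0:RT:got route table lock",
    "Jul 22 09:00:25  branch-gw kmd[1392]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-HQ_0025_0027_0000 from 203.0.113.10 is down. Local-ip: 198.51.100.5, gateway name: HQ, vpn name: HQ, tunnel-id: 25, VR id: 0",
    "Jul 22 09:00:26  branch-gw kmd[1392]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-HQ_0026_0028_0000 from 203.0.113.10 is up. Local-ip: 198.51.100.5, gateway name: HQ, vpn name: HQ, tunnel-id: 26, VR id: 0",
    "Jul 22 09:00:50  branch-gw kmd[1392]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-HQ_0027_0029_0000 from 203.0.113.10 is down. Local-ip: 198.51.100.5, gateway name: HQ, vpn name: HQ, tunnel-id: 27, VR id: 0",
    "Jul 22 09:01:00  branch-gw kmd[1392]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-DC_0003_0005_0000 from 203.0.113.20 is up. Local-ip: 198.51.100.5, gateway name: DC, vpn name: DC, tunnel-id: 3, VR id: 0",
]

KMD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+kmd\[\d+\]:\s+"
    r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER:.*?vpn name:\s*(?P<vpn>[^,]+),"
    r".*?tunnel-id:\s*(?P<tid>\d+)"
)

def parse_kmd_events(lines):
    """Return (timestamp, state, vpn name, tunnel-id) for each kmd VPN alarm, oldest first."""
    events = []
    for line in lines:
        m = KMD_RE.search(line)
        if not m:
            continue  # flow traces and route-lock lines say nothing about tunnel state
        # Syslog timestamps carry no year, so only deltas inside one capture are meaningful.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("state"), m.group("vpn"), int(m.group("tid"))))
    return sorted(events, key=lambda e: e[0])

def flap_report(events, min_lifetime=60):
    """Per VPN name: alarm count, each UP-to-DOWN lifetime in seconds, and a flapping flag
    set when any tunnel instance stayed up for less than min_lifetime seconds (assumed threshold)."""
    by_vpn = {}
    for ev in events:
        by_vpn.setdefault(ev[2], []).append(ev)
    report = {}
    for vpn, evs in by_vpn.items():
        lifetimes, last_up = [], None
        for ts, state, _, _ in evs:
            if state == "UP":
                last_up = ts
            elif last_up is not None:  # a DOWN after a seen UP closes one tunnel lifetime
                lifetimes.append(int((ts - last_up).total_seconds()))
                last_up = None
        report[vpn] = {"alarms": len(evs), "lifetimes": lifetimes,
                       "flapping": any(l < min_lifetime for l in lifetimes)}
    return report
```

Run it over the kmd lines from /var/log/messages instead of SAMPLE_LOG to see every tunnel instance that came up and went down within seconds, which is exactly the pattern the two quoted alarms show.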
