SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX3600 IPsec VPN (Base-route): Multiple Phase-1 SAs for Same Gateway

    Posted 06-17-2016 00:09

    Hi All

     

    Now, in this case, through the command "run show security ike security-associations", I find multiple Phase-1 SAs for the same gateway, but only one IPsec SA.

     

    3004773263 UP 691ac4504cbe66b1 b6cefdd4823ef3a8 Main X.X.X.X
    3004773307 UP 2dc40fd4e3c5ddcc bf982e36c9c83e01 Main X.X.X.X
    3004773338 UP ce4c73912099c55a 34882f8cced11262 Main X.X.X.X
    3004773349 UP bf85b71b25c27afe e5709c8d482fc035 Main X.X.X.X
    3004773361 UP 97421f142b5f9c3b 0397503b5b79643a Main X.X.X.X
    3004773365 UP 8361f655c9e6d1ca 7e95d02e38ada193 Main X.X.X.X
    ……………………

     

    Total number: 88

     

    In the IKE traceoptions, one log entry is abnormal; in contrast, it does not exist under normal logs, as shown below.

     

    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_st_i_gen_hash: Start, hash[0..16] = 9a4f3617 7f2ff83c ...
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_st_i_n: Start, doi = 1, protocol = 1, code = DPD I Am Here (36137), spi[0..16] = 37c44ebf eb0ab9be ..., data[0..4] = 19b8a3d8 00000000 ...
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] Received authenticated notification payload unknown from local:X.X.X.X remote:X.X.X.X IKEv1 for P1 SA 3004774692
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] iked_pm_process_dpd_ack: Received IKE DPD R_U_THERE_ACK from IKE local:X.X.X.X peer:X.X.X.X index 3004774692 sequence number 431530969
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_st_i_private: Start
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_send_notify: Connected, SA = { 37c44ebf eb0ab9be - 435d84b0 624bd2b9}, nego = 0
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_delete_negotiation: Start, SA = { 37c44ebf eb0ab9be - 435d84b0 624bd2b9}, nego = 0
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_negotiation_info: Start, nego = 0
    [Jun 16 16:56:53 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_negotiation: Start, nego = 0
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_remove_callback: Start, delete SA = { ef8de470 667740a2 - bb8fdc2d 67155573}, nego = -1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_delete_negotiation: Start, SA = { ef8de470 667740a2 - bb8fdc2d 67155573}, nego = -1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ssh_ike_tunnel_table_entry_delete: Deleting tunnel_id: 0 from IKE tunnel table
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ssh_ike_tunnel_table_entry_delete: The tunnel id: 0 doesn't exist in IKE tunnel table
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_sa_delete: Start, SA = { ef8de470 667740a2 - bb8fdc2d 67155573 }
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_sa_delete: No isakmp_sa found in cookie mapping in ssh_isakmp_sa_delete
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_negotiation_isakmp: Start, nego = -1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_negotiation: Start, nego = -1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] IKE SA delete called for p1 sa 3004773076 (ref cnt 1) local:X.X.X.X , remote:X.X.X.X , IKEv1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] iked_pm_p1_sa_destroy: p1 sa 3004773076 (ref cnt 0), waiting_for_del 0x0
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_id_payload: Start, id type = 1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_id_payload: Start, id type = 1
    [Oct 7 10:31:38 PIC 2/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_free_sa: Start
    [Jun 16 16:57:08 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_expire_callback: Start, expire SA = { ef8de470 667740a2 - bb8fdc2d 67155573}, nego = -1
    [Jun 16 16:57:08 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_alloc_negotiation: Start, SA = { ef8de470 667740a2 - bb8fdc2d 67155573}
    [Jun 16 16:57:08 PIC 1/11/0 KMD4][X.X.X.X <-> X.X.X.X] ike_encode_packet: Start, SA = { 0xef8de470 667740a2 - bb8fdc2d 67155573 } / 10a3b916, nego = 0

     

    Why does PIC 2/11/0 exist, and what does this mean, the second SPU of the same SPC?

    Every once in a while, this log reappears; at the same time, through the command "show security ike sa detail", you can see that for many entries with the same gateway the related packet counts are very small, as shown below:

     

    IKE peer X.X.X.X, Index 3004773652, Gateway Name: x.x.x.x
    Location: FPC 11, PIC 0, KMD-Instance 4
    Role: Responder, State: UP
    Initiator cookie: 34477b27488b03a6, Responder cookie: 1376d2b7c88d9cee
    Exchange type: Main, Authentication method: Pre-shared-keys
    Local: x.x.x.x:500, Remote: x.x.x.x:500
    Lifetime: Expires in 5926 seconds
    Peer ike-id: x.x.x.x
    Xauth user-name: not available
    Xauth assigned IP: 0.0.0.0
    Algorithms:
    Authentication : hmac-md5-96
    Encryption : 3des-cbc
    Pseudo random function: hmac-md5
    Diffie-Hellman group : DH-group-2
    Traffic statistics:
    Input bytes : 480
    Output bytes : 436
    Input packets: 3
    Output packets: 3
    IPSec security associations: 0 created, 0 deleted
    Phase 2 negotiations in progress: 1

     

    Is it because the SPCs' time is not synchronized?

     

    How can this problem be solved? If you have any good suggestions or methods, thank you very much.



  • 2.  RE: SRX3600 IPsec VPN (Base-route): Multiple Phase-1 SAs for Same Gateway

     
    Posted 06-21-2016 23:03

    Hello ,

     

    It could be due to a time sync issue between the SPUs. To quickly sync the time, we may have to reboot them, or manually set the time.



  • 3.  RE: SRX3600 IPsec VPN (Base-route): Multiple Phase-1 SAs for Same Gateway

    Posted 06-21-2016 23:12

    Thank you. So far, the fault has recovered automatically. The normal IKE log has no PIC 2/11/0. Can you tell me what this means?

    thanks again



  • 4.  RE: SRX3600 IPsec VPN (Base-route): Multiple Phase-1 SAs for Same Gateway
    Best Answer

     
    Posted 06-21-2016 23:21

    Hello ,

     

    For each VPN there is only one anchoring SPU where the VPN is anchored. So when NTP is out of sync, the information will not be shared with the other SPUs where the flow session gets installed. This causes a conflict and sometimes causes multiple SAs to get created across different SPUs. That is why it is recommended to have NTP sync between all the SPCs.

    Also, if this issue occurs after the NTP sync, then the software version running needs to be checked.

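    The symptom described in the original post (many Phase-1 SAs for one gateway, most of them with only a few packets and no IPsec SA) and the explanation in the best answer (SAs for the same peer ending up on different SPUs) can both be checked mechanically from the CLI output. The script below is an added example, not code from the original posts or from Juniper; the sample text it parses is constructed to mirror the summary and detail output quoted in the thread, and the field layout it assumes is taken from that quoted output rather than from Juniper documentation. It groups Phase-1 SAs by remote peer, reports peers whose SAs are anchored on more than one FPC/PIC/KMD-Instance location, and lists SAs that carried only a handful of packets and never produced an IPsec SA.

```python
"""Flag Phase-1 SA buildup from 'show security ike security-associations' output.
Added example; the samples below are constructed to mirror the thread's output."""
import re
from collections import defaultdict

# Constructed sample of the summary form: three SAs to one peer, one to another.
SUMMARY = """\
3004773263 UP 691ac4504cbe66b1 b6cefdd4823ef3a8 Main 198.51.100.10
3004773307 UP 2dc40fd4e3c5ddcc bf982e36c9c83e01 Main 198.51.100.10
3004773338 UP ce4c73912099c55a 34882f8cced11262 Main 198.51.100.10
3004773400 UP 0123456789abcdef fedcba9876543210 Main 203.0.113.7
"""

# Constructed sample of the 'detail' form: the second SA for 198.51.100.10 sits on a
# different PIC, carried 3 packets and never produced an IPsec SA (the thread's symptom).
DETAIL = """\
IKE peer 198.51.100.10, Index 3004773263, Gateway Name: gw-branch
  Location: FPC 11, PIC 0, KMD-Instance 4
  Traffic statistics:
    Input bytes  :                 9120
    Input packets:                   57
    Output packets:                  55
  IPSec security associations: 4 created, 3 deleted
  Phase 2 negotiations in progress: 0

IKE peer 198.51.100.10, Index 3004773307, Gateway Name: gw-branch
  Location: FPC 11, PIC 1, KMD-Instance 4
  Traffic statistics:
    Input bytes  :                  480
    Input packets:                    3
    Output packets:                   3
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1

IKE peer 203.0.113.7, Index 3004773400, Gateway Name: gw-dc
  Location: FPC 11, PIC 0, KMD-Instance 4
  Traffic statistics:
    Input bytes  :                 2048
    Input packets:                   12
    Output packets:                  12
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0
"""

# Index, state, initiator cookie, responder cookie, mode, remote address (as in the post).
SUMMARY_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<state>\S+)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>\S+)\s+(?P<remote>\S+)\s*$", re.M)

def parse_summary(text):
    """One dict per Phase-1 SA line of the summary output."""
    return [m.groupdict() for m in SUMMARY_RE.finditer(text)]

def sas_per_gateway(sas):
    """Remote address -> SA indexes, for peers that hold more than one Phase-1 SA."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["remote"]].append(sa["index"])
    return {peer: idx for peer, idx in by_peer.items() if len(idx) > 1}

def parse_detail(text):
    """Split the detail output into per-SA records with the fields checked below."""
    records = []
    for block in re.split(r"\n(?=IKE peer )", text.strip()):
        head = re.match(r"IKE peer (\S+), Index (\d+), Gateway Name: (\S+)", block)
        if not head:
            continue
        rec = {"peer": head.group(1), "index": head.group(2), "gateway": head.group(3)}
        loc = re.search(r"Location: FPC (\d+), PIC (\d+), KMD-Instance (\d+)", block)
        rec["location"] = tuple(int(x) for x in loc.groups()) if loc else None
        rec["input_packets"] = int(re.search(r"Input packets:\s*(\d+)", block).group(1))
        ipsec = re.search(r"IPSec security associations: (\d+) created, (\d+) deleted", block)
        rec["ipsec_created"] = int(ipsec.group(1))
        p2 = re.search(r"Phase 2 negotiations in progress: (\d+)", block)
        rec["p2_in_progress"] = int(p2.group(1))
        records.append(rec)
    return records

def spu_spread(records):
    """Peers whose Phase-1 SAs are anchored on more than one FPC/PIC/KMD location."""
    locs = defaultdict(set)
    for r in records:
        locs[r["peer"]].add(r["location"])
    return {peer: sorted(l) for peer, l in locs.items() if len(l) > 1}

def stale_sas(records, max_packets=5):
    """SA indexes that saw only a few packets and never produced an IPsec SA."""
    return [r["index"] for r in records
            if r["input_packets"] <= max_packets and r["ipsec_created"] == 0]

if __name__ == "__main__":
    print("peers with duplicate P1 SAs:", sas_per_gateway(parse_summary(SUMMARY)))
    recs = parse_detail(DETAIL)
    print("peers spread across SPUs:", spu_spread(recs))
    print("stale P1 SAs:", stale_sas(recs))
```

    Run against a saved copy of the real output (the thread's peer addresses are redacted to X.X.X.X, so the sample uses documentation addresses instead). A non-empty result from spu_spread is the situation the best answer describes, and is worth checking against the clock on each SPC before looking further; stale_sas gives the indexes to clear if the stale SAs do not age out on their own.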


  • 5.  RE: SRX3600 IPsec VPN (Base-route): Multiple Phase-1 SAs for Same Gateway

    Posted 06-21-2016 23:26

    Thank you very much,