SRX Services Gateway

Session timeout SRX1500 to ISG2000

‎02-21-2018 11:41 PM

Hello experts,

We have a design which involves the IPSec VPN between the SRX1500 firewall and Juniper Netscreen ISG2000. There are multiple LANs behind the SRX1500 and a single LAN behind the ISG2000. Traffic selectors have been configured on the SRX with a single tunnel interface, while multiple Proxy-IDs are configured on the ISG2000, also with a single tunnel interface.

Now sometimes one of the LANs is inaccessible while the other LANs are accessible at the same time. How should I diagnose this? Please help me out.


Re: Session timeout SRX1500 to ISG2000

‎02-22-2018 03:06 AM

Re: Session timeout SRX1500 to ISG2000

‎02-22-2018 04:49 AM

I would remove the traffic selectors on the SRX and proxy-id on the ISG.


Both Junos and ScreenOS by default will connect using the open proxy-id pair 0.0.0.0/0 to 0.0.0.0/0.


Configure as a route based VPN on both sides.


Then use static routes to send the desired subnets into the tunnel interface on both sides.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Session timeout SRX1500 to ISG2000

‎02-22-2018 10:07 AM

But the strange thing is that when a particular LAN becomes inaccessible, at that time I log in to the ISG2000 firewall,

edit the VPN

uncheck and recheck replay protection


then the traffic revives.

I can't figure out why this is happening.

Is there any clue to this?


Re: Session timeout SRX1500 to ISG2000

‎02-23-2018 03:11 AM

I have not seen that before. Is it enabled on both sides?

Perhaps the configs are out of sync.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Session timeout SRX1500 to ISG2000

‎02-11-2019 09:09 AM

@

and on ISG2000 the Replay protection check box marked.


Re: Session timeout SRX1500 to ISG2000

‎02-11-2019 05:31 PM

Looks like this may be a known issue between SRX and ISG / NS vpn tunnels.


https://kb.juniper.net/InfoCenter/index?page=content&id=KB26671


Seems the recommendation is to turn off replay protection on the SRX side.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
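The two recommendations in this thread (Steve's route-based VPN with static routes instead of traffic selectors, and the KB26671 advice to disable replay protection on the SRX side) can be put together into one SRX-side configuration. The following is an added example written for this thread, not configuration posted by any participant or taken from the Juniper KB. Every name and address in it is assumed for illustration: the VPN name VPN-ISG, the IKE gateway GW-ISG, the policies IKE-POL and IPSEC-POL, the tunnel interface st0.0, the external interface ge-0/0/0.0, the zone names, the peer address 203.0.113.2 and the LAN prefixes. The IKE/IPsec proposals and the security policies between the trust and vpn zones are assumed to exist already. The ISG2000 side is left as it is; only its proxy-IDs would need to be removed so it falls back to the 0.0.0.0/0 pair, as described above.

```junos
## Added example: route-based VPN on the SRX1500 towards the ISG2000, without
## traffic selectors and with anti-replay turned off (per KB26671).
## All names/addresses below are assumed placeholders, not values from the thread.

## 1. Tunnel interface. One st0 unit carries every LAN behind the SRX.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

## 2. IKE gateway to the ISG2000 (IKE-POL and its proposal assumed to exist).
set security ike gateway GW-ISG ike-policy IKE-POL
set security ike gateway GW-ISG address 203.0.113.2
set security ike gateway GW-ISG external-interface ge-0/0/0.0

## 3. IPsec VPN bound to st0.0. No traffic-selector and no ike proxy-identity
##    means the SRX negotiates the open 0.0.0.0/0 <-> 0.0.0.0/0 proxy-ID pair,
##    which is what Steve's reply relies on.
delete security ipsec vpn VPN-ISG traffic-selector
set security ipsec vpn VPN-ISG bind-interface st0.0
set security ipsec vpn VPN-ISG ike gateway GW-ISG
set security ipsec vpn VPN-ISG ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN-ISG establish-tunnels immediately

## 4. KB26671 recommendation: disable anti-replay on the SRX side of this VPN.
set security ipsec vpn VPN-ISG ike no-anti-replay

## 5. Static routes: each remote LAN behind the ISG2000 is pointed into st0.0.
##    (10.10.0.0/24 is an assumed example prefix; add one route per remote LAN.)
set routing-options static route 10.10.0.0/24 next-hop st0.0

## 6. Checks to run when one LAN drops while the others stay up:
##    show security ike security-associations
##    show security ipsec security-associations
##    show security ipsec statistics        <- watch the "Replay errors" counter
##    show route 10.10.0.0/24               <- confirm the route still points at st0.0
```

With a single st0 unit and a single open proxy-ID pair there is one IPsec SA for all LANs, so the symptom of one LAN failing on its own cannot come from one of several per-selector SAs expiring or drifting out of sync; the static routes then decide which subnets enter the tunnel. If the Replay errors counter in `show security ipsec statistics` climbs while a LAN is unreachable, that supports the anti-replay explanation from KB26671.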