SRX Services Gateway

Site to Site VPN between two sites drops connectivity

01-14-2011 04:38 AM

I have an SRX210b at one site and an SRX240 at another site. Site-to-site VPN is set up and works as it should, except for one thing. Sometimes connectivity is lost, and it doesn't reconnect until I manually restart the ipsec service on both gateways.

Why does this happen, and is there a way for the connection to restore without manual intervention? This should really be the least of my worries, but I'm worried that when I get this new site populated with people I'll be getting calls at all hours of the day or night for this issue.


Re: Site to Site VPN between two sites drops connectivity

01-14-2011 06:56 AM

You can run VPN-Monitor on your "ipsec vpn" or dead-peer-detection on your "ike gateway".

These two should help in the re-key process if your tunnel gets bunked up for whatever reason.


Re: Site to Site VPN between two sites drops connectivity

01-14-2011 08:46 AM

Thanks, I've enabled DPD, and I'll see how it goes. I'm surprised that the VPN config tool doesn't add this information; I can't see why anyone wouldn't want to have it enabled.


Re: Site to Site VPN between two sites drops connectivity

01-14-2011 09:22 AM

Also note that... If your DPD timer is less than your IPsec, which usually it is... When Phase 1 times out, DPD won't clear a Phase 2 SA on failure... It will if your P1 still exists.

So...

Use DPD in conjunction with VPN-Monitor for best results.

Oh, and I should also note: if you have ping disabled on your untrust interfaces, after P1 times out it will rekey automagically because it will switch to PING for DPD and fail. If you have your P1 timer set to 3600 it will rekey every hour, which might not be a bad deal if you aren't running a concentrator with LOTs of devices.
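As an added example (not from this thread and not Juniper's own documentation), here is what the DPD-plus-VPN-monitor combination recommended in the two replies above looks like on one SRX peer in Junos set-command form. The gateway, policy and VPN names, the st0.0 and ge-0/0/0.0 interfaces, the zone name and all addresses are placeholders chosen for the example; the timer values are illustrative and should be tuned to your own IKE/IPsec lifetimes.

```junos
## Added example, not from the thread. Names, interfaces and addresses are
## placeholders for a route-based site-to-site tunnel like the one discussed.

## Tunnel interface that the route-based VPN is bound to (placeholder address).
set interfaces st0 unit 0 family inet address 10.10.10.1/30

## Phase 1: the IKE gateway with dead-peer-detection. DPD sends an IKE
## liveness probe every <interval> seconds and declares the peer dead after
## <threshold> unanswered probes, so a stale Phase 1 SA is torn down and
## re-established instead of lingering.
set security ike gateway GW-SITE-B ike-policy IKE-POLICY-SITE-B
set security ike gateway GW-SITE-B address 203.0.113.2
set security ike gateway GW-SITE-B external-interface ge-0/0/0.0
set security ike gateway GW-SITE-B dead-peer-detection interval 10
set security ike gateway GW-SITE-B dead-peer-detection threshold 5

## Phase 2: the IPsec VPN with vpn-monitor. vpn-monitor sends ICMP through
## the tunnel from st0.0 to the peer's st0 address; when the probes fail the
## Phase 2 SA is marked down and renegotiated, which covers the case the reply
## above describes (P1 already gone, so DPD alone cannot clear P2).
set security ipsec vpn VPN-SITE-B bind-interface st0.0
set security ipsec vpn VPN-SITE-B ike gateway GW-SITE-B
set security ipsec vpn VPN-SITE-B ike ipsec-policy IPSEC-POLICY-SITE-B
set security ipsec vpn VPN-SITE-B vpn-monitor source-interface st0.0
set security ipsec vpn VPN-SITE-B vpn-monitor destination-ip 10.10.10.2
set security ipsec vpn VPN-SITE-B establish-tunnels immediately

## Global vpn-monitor cadence: probe interval in seconds and the number of
## consecutive failures before the SA is declared down.
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10

## The "ping disabled" caveat from the reply above: the probes only work if the
## peer answers ICMP on the zone holding its st0 interface. On the remote SRX
## (zone name is a placeholder):
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ping
```

After committing on both peers, `show security ike security-associations` and `show security ipsec security-associations` show whether Phase 1 and Phase 2 are up, and `show security ipsec statistics` confirms traffic is actually flowing through the tunnel. If a tunnel still sticks, `show log kmd` on the SRX records the key-management daemon's negotiation and DPD/monitor messages, which is the place to look before falling back to the manual `restart ipsec-key-management` mentioned in this thread.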


Re: Site to Site VPN between two sites drops connectivity

02-09-2012 12:52 PM

Good day.

With DPD enabled, I have not had a problem for about a year. The connection has been rock solid. I didn't even enable VPN monitor; DPD took care of everything.

With that said,

I've recently upgraded one of my routers to version 10.4R6.5.

The other router has not been updated.

My secure tunnel has now started dropping a few times a day and now requires me to log in to one of the routers and restart ipsec-key-management to get the connection to come back online.

Reading back to this post, I decided to try and use VPN monitor, and that makes it even worse.

Does anyone have pointers? Will upgrading the software on my other router fix this issue? Is this an issue with the new software?

Thanks.