SRX Services Gateway

Tunnel loop detected with peer

08-01-2017 01:24 PM

We have an SRX1500 with over a hundred VPN tunnels.  Every few nights we get an "IPSec negotiation loop detected with peer, Rejecting negotiation" event on our SA.  Users on the remote end notice the network outage for several minutes.  I have opened a JTAC case, but they really didn't tell me anything.  Said our VPN configurations look good.  No other issues with other VPNs on the same box.  The only thing that's a bit different than other tunnels is we do specify a remote-identity with this one.


I have not really found anything related to "loop detected" messages in KBs or in the forums.  Anybody have any idea what this is?


HM

1 REPLY

Re: Tunnel loop detected with peer

08-16-2017 03:47 AM

I have seen this between SRX and 3rd party devices when proxy-ids are not configured properly. Per tunnel debugging will give you more information.


>request security ike debug-enable local <local gateway ip> remote <peer gateway ip> level 12

>show log kmd


You can leave it running overnight. It's not CPU intensive.


Try configuring a traffic selector and that should resolve it.
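The configuration change the reply recommends, shown as an added, constructed Junos set-format example that is not part of either post. The gateway name (gw-branch), VPN name (vpn-branch), traffic-selector name (ts-branch), interface, policy names and all addresses are placeholders; the lines starting with `#` are explanatory notes and should be stripped before loading. It shows a static proxy-identity (the setting that must match the peer exactly or the negotiation is rejected) next to the traffic-selector form that replaces it, and keeps the explicit remote-identity the original poster mentioned.

```junos
# Constructed example, not the poster's configuration. Names and prefixes are placeholders.

# Gateway with an explicit remote identity. The value here must match the IKE
# identity the peer actually sends; a mismatch is rejected during negotiation.
set security ike gateway gw-branch ike-policy ike-pol-branch
set security ike gateway gw-branch address 203.0.113.10
set security ike gateway gw-branch remote-identity inet 203.0.113.10
set security ike gateway gw-branch external-interface ge-0/0/0.0

# Route-based VPN bound to an st0 unit (traffic selectors require a route-based VPN).
set security ipsec vpn vpn-branch bind-interface st0.1
set security ipsec vpn vpn-branch ike gateway gw-branch
set security ipsec vpn vpn-branch ike ipsec-policy ipsec-pol-branch

# Option A: a single static proxy-ID. Both peers must agree on this exact
# local/remote pair, which is the usual source of the mismatch the reply describes.
set security ipsec vpn vpn-branch ike proxy-identity local 10.10.0.0/16 remote 192.168.50.0/24 service any

# Option B (the reply's recommendation): a traffic selector instead. Remove the
# proxy-identity first; the two are mutually exclusive on the same VPN object.
delete security ipsec vpn vpn-branch ike proxy-identity
set security ipsec vpn vpn-branch traffic-selector ts-branch local-ip 10.10.0.0/16 remote-ip 192.168.50.0/24
```

To confirm the fix rather than assume it, run the reply's per-tunnel debug (for example `request security ike debug-enable local 198.51.100.1 remote 203.0.113.10 level 12` with the placeholder addresses above), leave it overnight, then filter the log with `show log kmd | match "loop|Rejecting"`; when done, turn it off with `request security ike debug-disable`, since the debug stays enabled until it is explicitly disabled.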