SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN with Cisco ASA - No Traffic after 75 % of lifetime

    Posted 05-22-2011 23:18

    Hi there,

    I have a problem with a VPN peer to a Cisco ASA. Everything works well till 75 % of the proposal lifetime is gone. I have tested it now with 4 h, 8 h and 24 h - it is every time 75 %!

    The lifetime keeps running down, but traffic stops through the peer. Does somebody have a hint?

    I use JUNOS 11.1R1 on a SRX 240H.

    br Daniel



  • 2.  RE: VPN with Cisco ASA - No Traffic after 75 % of lifetime

    Posted 05-23-2011 00:49

    Hi

    I think there may be a problem with soft/hard SA lifetimes. Probably they do not match on the Cisco and Juniper sides. You can check Juniper lifetimes with a command like


    lab@jsrx# run show security ipsec security-associations detail | match lifetime
        Hard lifetime: Expires in 3169 seconds
        Soft lifetime: Expires in 2569 seconds

    After the soft lifetime expires, a new SA should be created. If it is not, then you will have problems with the tunnel (however, you should not be seeing traffic loss before the hard lifetime expires).

    So my first proposal is to check soft/hard lifetimes on both sides and confirm that they match.

    Which lifetime expires exactly at the moment when the VPN halts?

    Second proposal is to use traceoptions,

    [edit security ike]
    +    traceoptions {
    +        flag all;
    +    }

    and see what's in /var/log/kmd file at the moment you have a tunnel drop.



  • 3.  RE: VPN with Cisco ASA - No Traffic after 75 % of lifetime

    Posted 05-23-2011 02:34

    Hi,

    This is the output of show security ipsec ...


      Local Identity: ipv4(any:0,[0..3]=10.4.xx.xx)
      Remote Identity: ipv4_subnet(any:0,[0..7]=10.4.xxx.xxx/25)
        DF-bit: clear
        Direction: inbound, SPI: 126aa7d7, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 17452 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 16823 seconds
        Mode: tunnel, Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
        Anti-replay service: disabled
        Direction: outbound, SPI: 4a1b806, AUX-SPI: 0
                                  , VPN Monitoring: -
        Hard lifetime: Expires in 17452 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 16823 seconds
        Mode: tunnel, Type: dynamic, State: installed
        Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
        Anti-replay service: disabled

    The lifetime on the ASA side matches our SRX. Both are set to 24 h at the moment. In this output the traffic is still dropped, but the SA is already there.

    In the kmd files I cannot see anything - there are no entries for this peer at the moment of the traffic loss. Is there a way to enlarge the soft lifetime to match at 75 %? Maybe the ASA tries to rekey at 75 % of the lifetime.
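The lifetimes in the two replies above are easier to reason about once they are parsed out of the CLI text, so here is an added Python example (not from the thread, and not Juniper's or Cisco's code). It reads the posted `show security ipsec security-associations detail` output (embedded inline, exactly as posted), reports how far into the configured 24 h lifetime each SA is, runs a few consistency checks, and works out which side will start the phase 2 rekey first. The 75 % peer rekey point is an assumption taken from the suspicion voiced in the post; the field layout the parser expects is the one shown in the posts.

```python
import re

# SRX "show security ipsec security-associations detail" output as posted in
# the thread above (SPIs and lifetimes as posted; addresses masked by the poster).
SAMPLE_OUTPUT = """\
  Local Identity: ipv4(any:0,[0..3]=10.4.xx.xx)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.4.xxx.xxx/25)
    DF-bit: clear
    Direction: inbound, SPI: 126aa7d7, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 17452 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 16823 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled
    Direction: outbound, SPI: 4a1b806, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 17452 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 16823 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc
    Anti-replay service: disabled
"""

DIRECTION_RE = re.compile(r"Direction:\s+(inbound|outbound),\s+SPI:\s+([0-9a-fA-F]+)")
HARD_RE = re.compile(r"Hard lifetime:\s+Expires in\s+(\d+)\s+seconds")
SOFT_RE = re.compile(r"Soft lifetime:\s+Expires in\s+(\d+)\s+seconds")
PROTO_RE = re.compile(r"Protocol:\s+(\S+),\s+Authentication:\s+(\S+),\s+Encryption:\s+(\S+)")
STATE_RE = re.compile(r"State:\s+(\S+)")


def parse_sa_output(text):
    """Return one dict per SA direction (inbound/outbound) found in the CLI output."""
    sas = []
    current = None
    for line in text.splitlines():
        m = DIRECTION_RE.search(line)
        if m:
            current = {"direction": m.group(1), "spi": m.group(2)}
            sas.append(current)
            continue
        if current is None:
            continue  # identity/header lines before the first Direction: block
        for key, rx in (("hard", HARD_RE), ("soft", SOFT_RE)):
            m = rx.search(line)
            if m:
                current[key] = int(m.group(1))
        m = PROTO_RE.search(line)
        if m:
            current["protocol"], current["auth"], current["enc"] = m.groups()
        m = STATE_RE.search(line)
        if m:
            current["state"] = m.group(1)
    return sas


def elapsed_fraction(sa, configured_lifetime):
    """Fraction of the configured phase 2 lifetime this SA has already used."""
    return 1.0 - sa["hard"] / configured_lifetime


def rekey_initiator(sa, configured_lifetime, peer_rekey_fraction=0.75):
    """Work out which side starts the phase 2 rekey first.

    The SRX starts rekeying when its soft lifetime expires, i.e. (hard - soft)
    seconds before the hard expiry. The peer's behaviour is an ASSUMPTION taken
    from the thread: an ASA rekeying at 75 % of the lifetime starts
    (1 - 0.75) * lifetime seconds before the hard expiry.
    Returns (who, peer_seconds_before_hard, local_seconds_before_hard).
    """
    local_margin = sa["hard"] - sa["soft"]
    peer_margin = (1.0 - peer_rekey_fraction) * configured_lifetime
    who = "peer" if peer_margin > local_margin else "local"
    return who, peer_margin, local_margin


def find_issues(sas, configured_lifetime):
    """Consistency checks worth running before digging into /var/log/kmd."""
    issues = []
    if len(sas) != 2:
        issues.append("expected one inbound and one outbound SA, found %d" % len(sas))
    if len({sa["hard"] for sa in sas}) > 1:
        issues.append("inbound/outbound hard lifetimes differ")
    for sa in sas:
        tag = "%s SA %s" % (sa["direction"], sa["spi"])
        if sa.get("state") != "installed":
            issues.append("%s is not installed (state: %s)" % (tag, sa.get("state")))
        if sa["hard"] > configured_lifetime:
            issues.append("%s: remaining hard lifetime %ds exceeds configured %ds"
                          % (tag, sa["hard"], configured_lifetime))
        if sa["soft"] > sa["hard"]:
            issues.append("%s: soft lifetime later than hard lifetime" % tag)
    return issues


if __name__ == "__main__":
    LIFETIME = 24 * 3600  # both sides are set to 24 h in the thread
    sas = parse_sa_output(SAMPLE_OUTPUT)
    for sa in sas:
        print("%-8s SPI %-8s %s/%s hard %5ds soft %5ds elapsed %.0f%%"
              % (sa["direction"], sa["spi"], sa["auth"], sa["enc"],
                 sa["hard"], sa["soft"], 100 * elapsed_fraction(sa, LIFETIME)))
    who, peer_m, local_m = rekey_initiator(sas[0], LIFETIME)
    print("first to rekey: %s (peer %.0fs, SRX %ds before hard expiry)" % (who, peer_m, local_m))
    print("issues:", find_issues(sas, LIFETIME) or "none")
```

Run as a script it prints a one-line summary per direction. For the posted output the SRX only starts its own rekey a little over ten minutes before the hard expiry, while a peer that rekeys at 75 % of a 24 h lifetime starts six hours earlier, so the peer is the initiator; a rekey failure on its side would show up as traffic loss at that point, which is what to correlate against the IKE traceoptions from the earlier reply.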

     

     



  • 4.  RE: VPN with Cisco ASA - No Traffic after 75 % of lifetime

    Posted 05-23-2011 03:04

    This is what you need to check - what exactly happens at the time you start losing traffic - which lifetime expires. And what SAs are present at that time. Probably you are right and it is the Cisco phase 2 soft lifetime that ends; it tries to re-establish the VPN and fails for some reason.

    Maybe IKE phase 1 is down at that time and can't be re-established.

    Or maybe proxy-ids don't match exactly, as they should.



  • 5.  RE: VPN with Cisco ASA - No Traffic after 75 % of lifetime
    Best Answer

    Posted 05-23-2011 03:46

    All these we have checked a few times. I have now set the P2 proposal with 4500 K. This seems to work at the moment. I can see the rekeying of the peer.