SRX Services Gateway

intermittent vpn with multiple proxy IDs

‎04-18-2016 11:14 PM

Hi,

 

We have a VPN on our SRX firewall, and its peer device is a Cisco ASA. We are using a policy-based VPN and there are three subnets/proxy IDs. We configured three security policies, one for each subnet, so that each subnet would have its own proxy ID. All three local subnets/proxy IDs work at the same time for a while, but after some hours (I think when the lifetime expires), two of the subnets/proxy IDs drop and only one remains. What we do to bring the other two subnets/proxy IDs up again is to reset the tunnel and ask our peer site to initiate a ping to our local gateway address; after that, all three subnets/proxy IDs come up again. Also, when we reset the tunnel and we initiate the ping, the tunnel does not come up, but when our peer site is the one to initiate the ping, the tunnel comes up. I also see in "show security ike sa detail" that our firewall is the responder.

 

My questions are: how can we make our firewall the initiator, why do the other two local subnets/proxy IDs drop after hours while the other one remains, and how can we stabilize the other two local subnets/proxy IDs? Attached is the config of our VPN. Please help. Thanks.

 

 

 

 

Attachments

1 REPLY

Re: intermittent vpn with multiple proxy IDs

‎04-19-2016 03:01 AM

Hi,

 

I (and a lot of people on this forum) have had issues configuring policy-based VPNs between an SRX and an ASA. Thank God for traffic selectors in version 12.1X46.

 

This will save you a lot of heartache and issues if you can match them up with the Cisco ACLs on the other side.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28820

http://www.juniper.net/documentation/en_US/junos15.1x49/topics/example/ipsec-vpn-traffic-selector-co...

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
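To make the advice in the reply concrete, here is an added example of a traffic-selector VPN on the SRX side. It is not the poster's attached config and not code from the linked Juniper articles; the prefixes (three local /24s behind the SRX, one remote /24 behind the ASA), the peer address 203.0.113.2, the interface, zone and object names, and the proposal parameters are all assumptions chosen for illustration. Traffic selectors are configured on a route-based VPN (the tunnel is bound to an st0 interface), so the three per-subnet tunnel policies of the policy-based setup are replaced by three traffic selectors on one VPN plus ordinary zone policies. The lines beginning with ## are annotations, not Junos syntax; strip them before pasting.

```junos
## Added example: route-based VPN with one traffic selector per local subnet
## (Junos 12.1X46 or later). All addresses and names below are assumptions.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0

## Phase 1 (IKEv1 main mode, pre-shared key); parameters must match the ASA
set security ike proposal ike-prop authentication-method pre-shared-keys
set security ike proposal ike-prop dh-group group2
set security ike proposal ike-prop authentication-algorithm sha1
set security ike proposal ike-prop encryption-algorithm aes-256-cbc
set security ike proposal ike-prop lifetime-seconds 28800
set security ike policy ike-pol mode main
set security ike policy ike-pol proposals ike-prop
set security ike policy ike-pol pre-shared-key ascii-text "<shared-secret>"
set security ike gateway asa-gw ike-policy ike-pol
set security ike gateway asa-gw address 203.0.113.2
set security ike gateway asa-gw external-interface ge-0/0/0.0
set security ike gateway asa-gw dead-peer-detection

## Phase 2; PFS and lifetimes must also match the ASA transform set / crypto map
set security ipsec proposal ipsec-prop protocol esp
set security ipsec proposal ipsec-prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop lifetime-seconds 3600
set security ipsec policy ipsec-pol perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol proposals ipsec-prop
set security ipsec vpn asa-vpn bind-interface st0.0
set security ipsec vpn asa-vpn ike gateway asa-gw
set security ipsec vpn asa-vpn ike ipsec-policy ipsec-pol

## One traffic selector per local subnet. Each selector negotiates its own
## Phase 2 SA and must correspond to one ACE in the ASA crypto-map ACL
## (with local/remote swapped on the ASA side).
set security ipsec vpn asa-vpn traffic-selector ts-lan1 local-ip 192.168.10.0/24
set security ipsec vpn asa-vpn traffic-selector ts-lan1 remote-ip 10.1.0.0/24
set security ipsec vpn asa-vpn traffic-selector ts-lan2 local-ip 192.168.20.0/24
set security ipsec vpn asa-vpn traffic-selector ts-lan2 remote-ip 10.1.0.0/24
set security ipsec vpn asa-vpn traffic-selector ts-lan3 local-ip 192.168.30.0/24
set security ipsec vpn asa-vpn traffic-selector ts-lan3 remote-ip 10.1.0.0/24

## Optional (assumption: verify support on your release): negotiate the
## tunnels at commit time and keep them up, so the SRX is the initiator
## instead of waiting for traffic from the ASA side.
set security ipsec vpn asa-vpn establish-tunnels immediately

## With traffic selectors the routes to the remote-ip prefixes are installed
## automatically via st0.0, so no static routes are needed. Plain zone
## policies replace the three per-subnet tunnel policies.
set security policies from-zone trust to-zone vpn policy to-asa match source-address any
set security policies from-zone trust to-zone vpn policy to-asa match destination-address any
set security policies from-zone trust to-zone vpn policy to-asa match application any
set security policies from-zone trust to-zone vpn policy to-asa then permit
set security policies from-zone vpn to-zone trust policy from-asa match source-address any
set security policies from-zone vpn to-zone trust policy from-asa match destination-address any
set security policies from-zone vpn to-zone trust policy from-asa match application any
set security policies from-zone vpn to-zone trust policy from-asa then permit
```

On the ASA, the matching crypto ACL for the same assumed prefixes would carry three entries of the form `access-list VPN-ACL extended permit ip 10.1.0.0 255.255.255.0 192.168.10.0 255.255.255.0` (and likewise for 192.168.20.0 and 192.168.30.0), all referenced by the one crypto map entry for 203.0.113.1 (the assumed SRX address); the prefix pairs must be identical on both sides, because a mismatch is exactly what causes some proxy IDs to negotiate and others to fail. After committing, `show security ipsec security-associations` should list three SAs, one per traffic selector, and `show security ike sa detail` shows whether the SRX is now Initiator or Responder.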