SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  replay errors

    Posted 09-22-2019 20:45

    Hi all,

    The following KB addresses the replay errors on SRX.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29580

    There are 3 hubs and more than 200 spokes. In line with the KB, the statement "set security ipsec vpn <name> ike no-anti-replay" should be added to the current IPsec VPN configuration on both hubs and spokes to avoid anti-replay errors.

    Can I ask what is the best way to deploy this statement? It is a real pain to inject it into every st0 subinterface. Is there an acceptable way to apply it globally so that it affects all st0 subinterfaces on the hub and spoke devices?

    RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on ge-1/0/1.0 with tunnel ID 0x4000118! From 55.10.11.50 to 100.220.220.150/552, ESP, SPI 0x6bba160c, SEQ 0x5f29

    Thanks,

    A.



  • 2.  RE: replay errors
    Best Answer

    Posted 09-22-2019 21:33

    You may use groups configuration to apply the statement to all VPNs.

    set groups NO-REPLAY security ipsec vpn <*> ike no-anti-replay
    set apply-groups NO-REPLAY

    Verification:

    ++++++++++

    show configuration security ipsec vpn <vpn-name> | display inheritance



  • 3.  RE: replay errors

    Posted 09-23-2019 03:18

    Hi Nellika,

    This SRX box is standalone, not in a chassis cluster. Is your configuration still valid for a standalone box?

    And also, can you explain how to do the verification?

    Thx,

    A.



  • 4.  RE: replay errors

    Posted 09-23-2019 04:08

    It is valid on both standalone and cluster devices. You may use the command below to verify whether anti-replay is disabled or not:

    show security ipsec security-associations detail | match "Anti-replay|Gateway|Direction"
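The two verification commands in this thread (the "display inheritance" check in post 2 and the security-associations check above) are meant to be read per VPN; with 150 or more st0 units that is tedious by hand. The following is an added example, written for this thread and not code from Juniper or from any poster here, that parses the text of "show security ipsec security-associations detail" and reports every VPN where at least one SA still has anti-replay enabled, i.e. where the NO-REPLAY group did not take effect. The sample output is constructed for the example and modelled on the Junos field names ("VPN Name:", "Bind-interface:", "Direction:", "Anti-replay service:"); confirm the field names against your own device before trusting the regexes. It also counts RT_IPSEC_REPLAY syslog events per tunnel and SPI, so you can tell which tunnels were actually affected before and after the change (with the caveat that "disabled" removes ESP replay protection for that SA, so the change is worth tracking).

```python
import re
from collections import Counter

# Constructed sample, modelled on the Junos output format of
# "show security ipsec security-associations detail". Not real device output.
SAMPLE_SA_DETAIL = """\
  ID: 131073 Virtual-system: root, VPN Name: HUB-TO-SPOKE-1
  Local Gateway: 100.220.220.150, Remote Gateway: 55.10.11.50
  DF-bit: clear, Bind-interface: st0.1
    Direction: inbound, SPI: 6bba160c, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: disabled
    Direction: outbound, SPI: 1a2b3c4d, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: disabled
  ID: 131074 Virtual-system: root, VPN Name: HUB-TO-SPOKE-2
  Local Gateway: 100.220.220.150, Remote Gateway: 55.10.11.51
  DF-bit: clear, Bind-interface: st0.2
    Direction: inbound, SPI: 0badf00d, AUX-SPI: 0
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: deadbeef, AUX-SPI: 0
    Anti-replay service: counter-based enabled, Replay window size: 64
"""

# Constructed syslog lines in the RT_IPSEC_REPLAY format quoted in the thread.
SAMPLE_LOG = [
    "RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on ge-1/0/1.0 with tunnel ID 0x4000118! From 55.10.11.50 to 100.220.220.150/552, ESP, SPI 0x6bba160c, SEQ 0x5f29",
    "RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on ge-1/0/1.0 with tunnel ID 0x4000118! From 55.10.11.50 to 100.220.220.150/552, ESP, SPI 0x6bba160c, SEQ 0x5f2a",
    "RT_IPSEC: RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on ge-1/0/1.0 with tunnel ID 0x4000119! From 55.10.11.51 to 100.220.220.150/552, ESP, SPI 0x0badf00d, SEQ 0x0010",
]

SA_ID_RE = re.compile(r"^\s*ID:\s*\d+.*VPN Name:\s*(\S+)")
BIND_RE = re.compile(r"Bind-interface:\s*(\S+)")
DIR_RE = re.compile(r"^\s*Direction:\s*(inbound|outbound),\s*SPI:\s*([0-9a-fA-F]+)")
REPLAY_RE = re.compile(r"^\s*Anti-replay service:\s*(.+?)(?:,|$)")
REPLAY_LOG_RE = re.compile(
    r"RT_IPSEC_REPLAY: Replay packet detected on IPSec tunnel on (\S+) "
    r"with tunnel ID (0x[0-9a-fA-F]+)!.*SPI (0x[0-9a-fA-F]+)"
)


def parse_sa_detail(text):
    """Return one record per SA direction: vpn, interface, direction, spi, anti_replay."""
    records = []
    vpn = iface = direction = spi = None
    for line in text.splitlines():
        m = SA_ID_RE.match(line)
        if m:                       # new SA block: remember the VPN, reset interface
            vpn, iface = m.group(1), None
            continue
        m = BIND_RE.search(line)
        if m:
            iface = m.group(1)
            continue
        m = DIR_RE.match(line)
        if m:
            direction, spi = m.group(1), m.group(2).lower()
            continue
        m = REPLAY_RE.match(line)
        if m and vpn and direction:  # status line belongs to the last Direction seen
            records.append({"vpn": vpn, "interface": iface, "direction": direction,
                            "spi": spi, "anti_replay": m.group(1).strip()})
    return records


def still_enabled(records):
    """(vpn, bind interface) pairs where any SA does not report 'disabled'."""
    return sorted({(r["vpn"], r["interface"]) for r in records
                   if r["anti_replay"] != "disabled"})


def count_replay_events(log_lines):
    """Count RT_IPSEC_REPLAY events per (interface, tunnel ID, SPI)."""
    counts = Counter()
    for line in log_lines:
        m = REPLAY_LOG_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2), m.group(3).lower())] += 1
    return counts


if __name__ == "__main__":
    recs = parse_sa_detail(SAMPLE_SA_DETAIL)
    for vpn, iface in still_enabled(recs):
        print(f"anti-replay still enabled: {vpn} ({iface})")
    for key, n in count_replay_events(SAMPLE_LOG).most_common():
        print(f"{n} replay events on {key[0]} tunnel {key[1]} SPI {key[2]}")
```

On a real device, feed the script the saved output of the command (for example from "show security ipsec security-associations detail | no-more" captured over SSH) rather than the constructed sample. Note that the "<*>" wildcard in the group matches every VPN name; if only some tunnels should lose anti-replay, a narrower group wildcard such as "<SPOKE-*>" keeps the protection on the rest.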


  • 5.  RE: replay errors

    Posted 09-23-2019 04:43

    This command, show security ipsec security-associations detail | match "Anti-replay|Gateway|Direction", showed that by default anti-replay is enabled on the spoke and hub sites.

    After implementing your proposed group configuration, how can we verify whether or not it is inherited by all st0 logical subinterfaces (st0.1, st0.2, st0.3 ... st0.149, st0.150)? Just cross-check?



  • 6.  RE: replay errors

    Posted 09-23-2019 04:49

    Verification command was given in my first post.



  • 7.  RE: replay errors

    Posted 09-23-2019 05:04

    Oh, sorry, I didn't see that one. Thanks for that.