ScreenOS Firewalls (NOT SRX)

VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)

12-20-2018 11:03 PM

Found this KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB9488&actp=METADATA.

At step 4, the VPN became stable after disabling Monitor.

If I am not going to ask the ISP (or they don't tell me the truth), is there any way I can prove that the ISP did block ESP traffic?


Re: VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)

12-20-2018 11:49 PM

Hi,

1: How frequently does the VPN flap? Does the peer device support VPN monitoring? What device is that? https://kb.juniper.net/InfoCenter/index?page=content&id=KB3988

2: Each ESP packet has a sequence number. If you can capture the ESP packets on both sides and see the missing sequence numbers, then they are getting lost on the Internet, or maybe by the ISP.

3: You can also keep the tunnel stable (by disabling the VPN monitor) and have some test traffic (e.g. ping) running between two machines over the VPN, and check if there are frequent drops despite the VPN being UP. Still, step 2 is the best way to check for ESP drops.

Thanks,

Vikas
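The sequence-number comparison from point 2, as an added example that is not part of the original thread: the ESP header (RFC 4303) carries the SPI and a 32-bit sequence number in the clear, so two captures (Wireshark filter `esp`, IP protocol 50) can be compared without any keys. The captures below are constructed sample packets, not real traffic; the functions and SPI value are assumptions for the illustration.

```python
import struct
from collections import defaultdict

# ESP header: 4-byte SPI followed by 4-byte sequence number, network byte order.
# Everything after it is encrypted, but these two fields are always readable.
ESP_HEADER = struct.Struct("!II")

def parse_esp(packet: bytes):
    """Return (spi, seq) from a raw ESP packet whose IP header has been stripped."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("packet too short for an ESP header")
    return ESP_HEADER.unpack_from(packet)

def build_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Construct a minimal ESP packet for the sample captures (constructed data, not a capture)."""
    return ESP_HEADER.pack(spi, seq) + payload

def sequences_by_spi(packets):
    """Group the sequence numbers seen in a capture by SPI (one SPI per direction of an SA)."""
    seen = defaultdict(set)
    for pkt in packets:
        spi, seq = parse_esp(pkt)
        seen[spi].add(seq)
    return seen

def missing_sequences(sender_capture, receiver_capture):
    """For each SPI, sequence numbers captured leaving the sender that never arrived at the receiver.

    The sender-side capture is the reference: only it knows what was actually transmitted,
    so a gap visible on the receiver alone is not enough to blame the path.
    """
    sent = sequences_by_spi(sender_capture)
    got = sequences_by_spi(receiver_capture)
    lost = {}
    for spi, seqs in sent.items():
        gap = sorted(seqs - got.get(spi, set()))
        if gap:
            lost[spi] = gap
    return lost

# Constructed sample captures: same outbound SPI on both sides, receiver never saw seq 3 and 4.
SPI_OUT = 0xC0FFEE01
SENDER_SIDE = [build_esp(SPI_OUT, n) for n in range(1, 7)]
RECEIVER_SIDE = [build_esp(SPI_OUT, n) for n in (1, 2, 5, 6)]

if __name__ == "__main__":
    for spi, gap in missing_sequences(SENDER_SIDE, RECEIVER_SIDE).items():
        print(f"SPI 0x{spi:08x}: {len(gap)} ESP packet(s) lost in transit, seq {gap}")
```

If the peers sit behind NAT, ESP is usually wrapped in UDP/4500 (NAT-T); strip that encapsulation first, and compare each direction separately, since each SA has its own SPI and counter.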


Re: VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)

12-21-2018 12:54 AM

Hello vikassingh,

1. The ScreenOS version is 6.3.0r13.0. The peer device is a Palo Alto PA-820. Is there any list showing which firewalls support VPN monitoring with Juniper firewalls?

2. I've no idea about ESP packets. Do I need to use Wireshark to capture them?

3. Continuous ping between the 2 firewalls ran without drops (very stable), even when VPN monitoring was enabled. It starts going up and down when there is no traffic. I had enabled "Optimized" and "Rekey".

Solution (accepted by topic author jlotag, 12-21-2018 01:23 AM)

Re: VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)

12-21-2018 01:09 AM

Hi,

If everything is stable without the VPN monitor, then most likely it's not an issue with the ISP. My previous KB explains how VPN monitoring works. By default the feature will work only if you have a VPN between two NetScreen devices.

Please follow this KB if you are using a different vendor: https://kb.juniper.net/InfoCenter/index?page=content&id=KB8530&actp=METADATA. Also, why do you need the VPN monitor, and what's the impact if you don't use it?

Thanks,

Vikas


Re: VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)

12-21-2018 01:23 AM

Hello vikassingh,

I will try adding proxy-id on both sides to see if that works. If it still fails, I think I am going to give up, as the KB said VPN monitoring is not designed for non-Juniper devices.


Re: VPN tunnel going up and down (how to check if ISP has blocked ESP traffic)

12-21-2018 02:00 AM

Hi,

Only adding the proxy-id will not help. We have to ensure ICMP connectivity between 2 IPs, one IP behind each VPN gateway. In your VPN monitor you need to specify a source and destination IP; NetScreen will use the same source/destination IP in the ping, and the IP behind the PA should respond to that ping. Otherwise it will fail. You can use loopback interfaces on both devices for this: assign them unused /32 IPs and configure the VPN monitoring accordingly. Also, ensure you have routes/proxy-id etc. to allow connectivity between these two IPs.

Thanks,

Vikas