SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN Disconnects After 6 Hours

    Posted 05-22-2019 15:27

    Good afternoon folks,

    I'm using the NCP Exclusive Entry client to connect to a vSRX located in AWS.  The VPN works quite well, except it disconnects after 6 hours of use.  Here's my config:

     

    IKE stuff:

    proposal PSK-DH19-AES256-SHA256-L28800 {
        authentication-method pre-shared-keys;
        dh-group group19;
        authentication-algorithm sha-256;
        encryption-algorithm aes-256-cbc;
        lifetime-seconds 86400;
    }

    policy Corios-VPN-IKE-Pol {
        mode aggressive;
        proposals PSK-DH19-AES256-SHA256-L28800;
        pre-shared-key ascii-text REDACTED; ## SECRET-DATA
    }

    gateway Corios-VPN-IKE-GW {
        ike-policy Corios-VPN-IKE-Pol;
        dynamic {
            user-at-hostname "itadmins@coriosgroup.com";
            connections-limit 25;
            ike-user-type shared-ike-id;
        }
        dead-peer-detection {
            interval 10;
            threshold 3;
        }
        local-identity inet 52.37.18.20;
        external-interface ge-0/0/1.0;
        aaa {
            access-profile vaorduopxy01;
        }
        version v1-only;
        tcp-encap-profile NCP;
    }

     

    And here's the IPsec part:

    proposal ESP-AES256-SHA256-L3600 {
        protocol esp;
        encryption-algorithm aes-256-gcm;
        lifetime-seconds 86400;
    }

    policy Corios-VPN-IPSEC-Pol {
        perfect-forward-secrecy {
            keys group19;
        }
        proposals ESP-AES256-SHA256-L3600;
    }

    vpn Corios-VPN {
        bind-interface st0.9;
        ike {
            gateway Corios-VPN-IKE-GW;
            ipsec-policy Corios-VPN-IPSEC-Pol;
        }
        traffic-selector TS1 {
            local-ip 10.132.3.0/24;
            remote-ip 0.0.0.0/0;
        }
    }

     

    Looking in the logs I see that a renegotiation has been triggered:

     

    [May 22 21:55:10][10.132.0.85 <-> 50.78.186.13] Triggering the IKE negotiation ....
    [May 22 21:55:10][10.132.0.85 <-> 50.78.186.13] iked_async_ike_trigger_msg_handler: Triggering IKE negotiation for tunnel-id:67109286 Set traffic trigger flag for sa_cfg:instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:10][10.132.0.85 <-> 50.78.186.13] Ignoring request to remote access instance-GT-Corios-VPN_TS1_67109286 config block
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] iked_peer_entry_remove_inactive_sa_cfg_entry: Removing sa-cfg instance-GT-Corios-VPN_TS1_67109286 from inactive list for peer-entry 0x8d24f00
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] In iked_license_report_remote_user_usage Number of REMOTE_ACCESS_IPSEC_VPN_CLIENT license currently used is: 3 and max allowed is: 25
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] iked_peer_entry_delete_from_id_table: Deleted peer entry 0x8d24f00 for local 10.132.0.85:4500 remote 50.78.186.13:25668. gw Corios-VPN-IKE-GW, VR id 5 from ID hash table
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] iked_peer_entry_patricia_delete:Peer entry 0x8d24f00 deleted for local 10.132.0.85:4500 and remote 50.78.186.13:25668
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Logout subscriber_id {41030000 00000000}
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Deleting Remote access SA configuration block instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_instance_delink_sa_cfg: processing SA instance-GT-Corios-VPN_TS1_67109286 (flags: 0x24608e29)
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Freeing the SA configuration block instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_sa_cfg_free: processing SA 9413e00 (flags: 0x24608e29)
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_instance_delink_sa_cfg: processing SA instance-GT-Corios-VPN_TS1_67109286 (flags: 0x24608e29)
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] kmd_sa_cfg_children_sa_free: processing SA instance-GT-Corios-VPN_TS1_67109286
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] Deleted sa_cfg instance-GT-Corios-VPN_TS1_67109286 from the sadb hash tbl
    [May 22 21:55:11][10.132.0.85 <-> 50.78.186.13] In iked_ipsec_sa_config_delete

     

    The local NCP client logs show a disconnection right around the same time:

     

    5/22/2019 2:56:15 PM - INFO - MONITOR: Disconnected
    5/22/2019 2:56:15 PM - INFO - MONITOR: Media=LAN, Tx=63558621 Byte, Rx=246989819 Byte

     

    Based on my understanding of the config, this should happen after 24 hours, not 6.  Clearly I'm missing something here though.  Thanks in advance for your suggestions.

     



  • 2.  RE: VPN Disconnects After 6 Hours

    Posted 05-23-2019 04:12

    Hi,

     

    Does the VPN disconnect for all users after exactly (or close to) 6 hours?

    It is strange, as DPD should take care of inactivity too.

     

    Please share the VPN logs from just before the "Triggering the IKE negotiation" message.

     

    Also, please provide the following output while the VPN is in the working state:

    show security ike security-associations index <xxxx> detail

    show security ipsec security-associations index <xxxx> detail

    Regards,

    Rahul



  • 3.  RE: VPN Disconnects After 6 Hours

    Posted 05-23-2019 08:22

    Thank you for getting back to me.

    I've connected to the VPN, and here's my IKE security association:

     

    ec2-user@VSRX2> show security ike security-associations index 5433716 detail
    IKE peer 50.78.186.13, Index 5433716, Gateway Name: Corios-VPN-IKE-GW
      Role: Responder, State: UP
      Initiator cookie: e8b87ff25a407004, Responder cookie: 4cfd7eaa01a600db
      Exchange type: Aggressive, Authentication method: Pre-shared-keys
      Local: 10.132.0.85:4500, Remote: 50.78.186.13:14208
      Lifetime: Expires in 28664 seconds
      Reauth Lifetime: Disabled
      IKE Fragmentation: Disabled, Size: 0
      Remote Access Client Info: Exclusive Client
      Peer ike-id: itadmins@coriosgroup.com
      AAA assigned IP: 10.132.3.194
      Algorithms:
       Authentication        : hmac-sha256-128
       Encryption            : aes256-cbc
       Pseudo random function: hmac-sha256
       Diffie-Hellman group  : DH-group-19
      Traffic statistics:
       Input  bytes  :                 2512
       Output bytes  :                  912
       Input  packets:                    7
       Output packets:                    5
       Input  fragmentated packets:       0
       Output fragmentated packets:       0
      IPSec security associations: 1 created, 0 deleted
      Phase 2 negotiations in progress: 1

        Negotiation type: Quick mode, Role: Responder, Message ID: 0
        Local: 10.132.0.85:4500, Remote: 50.78.186.13:14208
        Local identity: 52.37.18.20
        Remote identity: itadmins@coriosgroup.com
        Flags: IKE SA is created

     

    Here's my IPsec SA:

     

    ec2-user@VSRX2> show security ipsec security-associations index 67109296 detail
    ID: 67109296 Virtual-system: root, VPN Name: Corios-VPN
      Local Gateway: 10.132.0.85, Remote Gateway: 50.78.186.13
      Traffic Selector Name: TS1
      Local Identity: ipv4(0.0.0.0-255.255.255.255)
      Remote Identity: ipv4(10.132.3.194)
      Version: IKEv1
      DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.9
      Port: 14208, Nego#: 1925, Fail#: 28, Def-Del#: 0 Flag: 0x24608f29
      Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
      Tunnel events:
        Thu May 23 2019 15:13:23: IPSec SA negotiation successfully completed (1 times)
        Thu May 23 2019 15:13:23: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
        Thu May 23 2019 15:13:00: IKE SA negotiation successfully completed (1 times)
      Direction: inbound, SPI: d2674b17, AUX-SPI: 0, VPN Monitoring: -
        Hard lifetime: Expires in 3361 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2803 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64
      Direction: outbound, SPI: c9677cb1, AUX-SPI: 0, VPN Monitoring: -
        Hard lifetime: Expires in 3361 seconds
        Lifesize Remaining: Unlimited
        Soft lifetime: Expires in 2803 seconds
        Mode: Tunnel(0 0), Type: dynamic, State: installed
        Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
        Anti-replay service: counter-based enabled, Replay window size: 64

     

    These lifetime values don't match the 86400 I have in the config, so I guess we can see why the VPN is being disconnected.  If anyone has any insight into what I need to change, I'd be grateful.



  • 4.  RE: VPN Disconnects After 6 Hours
    Best Answer

    Posted 05-30-2019 09:55

    It turns out that these values can be set on the NCP client as well as on the Juniper, and the client values override those on the router.  After changing the values to match, the duration now shows as 86400.
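The check that posts 3 and 4 arrive at by hand, as an added example that is not part of the thread and not Juniper's or NCP's code: parse the `lifetime-seconds` values out of the SRX proposal config, parse the remaining lifetimes out of `show security ike security-associations ... detail` and `show security ipsec security-associations ... detail`, and flag any SA whose negotiated lifetime is well below what the SRX proposals configure, which is the signature of the peer (here the NCP client) having proposed a shorter lifetime that the responder accepted. The sample config and CLI output below are constructed, trimmed copies of what the thread shows; the tolerance and the `elapsed_*` arguments (seconds since the SA was negotiated, taken from the `Tunnel events` timestamps against the current time) are assumptions of this example.

```python
"""Compare negotiated IKE/IPsec SA lifetimes on a Junos SRX with the configured
proposal lifetimes to spot a peer-imposed (shorter) lifetime.
Added example, not from the thread, Juniper, or NCP."""
import re
from typing import Dict, List

# Constructed sample input, modelled on the config fragments in post 1.
SAMPLE_CONFIG = """\
proposal PSK-DH19-AES256-SHA256-L28800 {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;
}
proposal ESP-AES256-SHA256-L3600 {
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 86400;
}
"""

# Constructed sample output, modelled on post 3 and trimmed to the lines parsed here.
SAMPLE_IKE_SA = """\
IKE peer 50.78.186.13, Index 5433716, Gateway Name: Corios-VPN-IKE-GW
  Role: Responder, State: UP
  Lifetime: Expires in 28664 seconds
  Reauth Lifetime: Disabled
"""
SAMPLE_IPSEC_SA = """\
ID: 67109296 Virtual-system: root, VPN Name: Corios-VPN
  Direction: inbound, SPI: d2674b17, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3361 seconds
    Soft lifetime: Expires in 2803 seconds
  Direction: outbound, SPI: c9677cb1, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3361 seconds
    Soft lifetime: Expires in 2803 seconds
"""

_PROPOSAL_RE = re.compile(r"^\s*proposal\s+(\S+)\s*\{")
_LIFETIME_RE = re.compile(r"^\s*lifetime-seconds\s+(\d+);")
# Anchored at line start so "Reauth Lifetime: ..." is not matched.
_IKE_LIFE_RE = re.compile(r"^\s*Lifetime: Expires in (\d+) seconds", re.M)
_DIRECTION_RE = re.compile(r"^\s*Direction:\s+(\w+),")
_HARD_RE = re.compile(r"^\s*Hard lifetime: Expires in (\d+) seconds")


def configured_lifetimes(config_text: str) -> Dict[str, int]:
    """Map proposal name -> lifetime-seconds from a Junos config fragment."""
    result: Dict[str, int] = {}
    current = None
    for line in config_text.splitlines():
        m = _PROPOSAL_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _LIFETIME_RE.match(line)
        if m and current:
            result[current] = int(m.group(1))
    return result


def ike_remaining(sa_output: str) -> int:
    """Remaining seconds on the IKE SA from its 'Lifetime:' line."""
    m = _IKE_LIFE_RE.search(sa_output)
    if not m:
        raise ValueError("no IKE 'Lifetime: Expires in' line found")
    return int(m.group(1))


def ipsec_hard_remaining(sa_output: str) -> Dict[str, int]:
    """Remaining hard-lifetime seconds per direction (inbound/outbound) of the IPsec SA."""
    result: Dict[str, int] = {}
    direction = None
    for line in sa_output.splitlines():
        m = _DIRECTION_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = _HARD_RE.match(line)
        if m and direction:
            result[direction] = int(m.group(1))
    return result


def lifetime_findings(configured: int, remaining: int, elapsed: int,
                      label: str, tolerance: int = 300) -> List[str]:
    """Estimate the negotiated lifetime as remaining + seconds since negotiation and
    compare it with the configured proposal value (tolerance is an assumed slack).
    A negotiated value well below the configured one means the peer proposed a
    shorter lifetime and this side, as responder, accepted it."""
    negotiated = remaining + elapsed
    if negotiated > configured + tolerance:
        return [f"{label}: negotiated ~{negotiated}s exceeds configured {configured}s; check elapsed"]
    if negotiated < configured - tolerance:
        return [f"{label}: negotiated ~{negotiated}s vs configured {configured}s: "
                f"peer-imposed lifetime, rekey/drop expected in ~{remaining}s"]
    return []


def audit(config_text: str, ike_output: str, ipsec_output: str,
          ike_proposal: str, ipsec_proposal: str,
          elapsed_ike: int = 0, elapsed_ipsec: int = 0) -> List[str]:
    """Run the comparison for one IKE SA and both directions of its IPsec SA."""
    cfg = configured_lifetimes(config_text)
    findings = lifetime_findings(cfg[ike_proposal], ike_remaining(ike_output), elapsed_ike, "IKE SA")
    for direction, remaining in ipsec_hard_remaining(ipsec_output).items():
        findings += lifetime_findings(cfg[ipsec_proposal], remaining, elapsed_ipsec,
                                      f"IPsec SA {direction}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, SAMPLE_IKE_SA, SAMPLE_IPSEC_SA,
                   "PSK-DH19-AES256-SHA256-L28800", "ESP-AES256-SHA256-L3600"):
        print(f)
```

On the thread's own numbers the script reports all three SAs: the IKE SA sits just under 28800 s and both IPsec directions just under 3600 s, while every `lifetime-seconds` in the config is 86400. Run it again after the client-side change from post 4 and the findings list should be empty, which is the quick regression check for this class of mismatch.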