[j-nsp] Netscreen dialup vpn questions

[mailers at oranged.to]

Hi There,

I believe that all the phase1 and phase2 variables are 100% default.. 28800 seconds?


----- Original Message -----
From: "Asad Raza" <asadgardezi at gmail.com>
To: "Jimmy Stewpot" <mailers at oranged.to>
Cc: juniper-nsp at puck.nether.net
Sent: Tuesday, 27 April, 2010 5:20:11 PM
Subject: Re: [j-nsp] Netscreen dialup vpn questions

Dear Jimmy, 


please confirm what lifetime is set for phase 1 and phase 2 proposals. i believe you cannot flush a session unless its lifetime is expire. 


regards, 


Asad 


On Tue, Apr 27, 2010 at 11:28 AM, < mailers at oranged.to > wrote: 


Hello, 

I have recently swapped out a Cisco ASA with a Juniper SSG due to some problems with SIP on the ASA. The Juniper has been working really well with SIP but I have some problems with the VPN which I am trying to resolve. We have hundreds of dialup IPSEC VPN users who authenticate using RADIUS. The problem is that they keep on getting disconnected or having problems connecting. When I go and monitor the VPN's in the GUI I get the following... 


Dialup_VPN 0000817b -1/-1 <IP> AutoIKE Active Down 
Dialup_VPN 0000816d -1/-1 <IP> AutoIKE Active Down 
Dialup_VPN 00008176 -1/-1 <IP> AutoIKE Active Down 
Dialup_VPN 0000816b -1/-1 <IP> AutoIKE Active Down 
Dialup_VPN 0000814b -1/-1 <IP> AutoIKE Active Down 
Dialup_VPN 0000817a -1/-1 <IP> AutoIKE Active Down 
Dialup_VPN 0000816a -1/-1 <IP> AutoIKE Active Down 

Where we see the tunnels are active but the link is down.. The users then appear to be unable to reconnect. Is there a way to automatically flush the credentials/sa etc so that when they disconnect they are able to log back in again? Where can I go for trying to debug this stuff more easily? Any advice would be really appreciated. 

Regards, 

Jimmy. 
_______________________________________________ 
juniper-nsp mailing list juniper-nsp at puck.nether.net 
https://puck.nether.net/mailman/listinfo/juniper-nsp