[j-nsp] SSG Dialup VPN stability problems

Jimmy Stewpot mailers at oranged.to
Sun May 30 20:32:21 EDT 2010


Hello,

I am currently investigating some on-going stability problems with client-to-site VPN connections on an SSG140. Unfortunately I've been unable to find any detailed diagnostic steps to take when troubleshooting this type of issue. The site previously used a Cisco ASA and has since moved to Juniper's; we are running 6.2.0r2 as the software version, with client-to-site using a tunnel interface.

The config as stated:
===SNIP===
set ike gateway "Remote_Dialup_VPN" dialup "Dialup_VPN_Group" Aggr outgoing-interface "ethernet0/3" preshare "<KEY HERE>" proposal "pre-g2-3des-md5" "pre-g2-3des-sha" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "Remote_Dialup_VPN" dpd-liveness interval 20
set ike gateway "Remote_Dialup_VPN" dpd-liveness always-send
unset ike gateway "Remote_Dialup_VPN" nat-traversal udp-checksum
set ike gateway "Remote_Dialup_VPN" nat-traversal keepalive-frequency 20
set ike gateway "Remote_Dialup_VPN" xauth server "AD_Radius" user-group "VPN.Users"
unset ike gateway "Remote_Dialup_VPN" xauth do-edipi-auth
set vpn "Remote_Dialup_VPN" gateway "Remote_Dialup_VPN" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-des-sha"  "nopfs-esp-des-md5" 
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
set vpn "Remote_Dialup_VPN" dscp-mark 0
set vpn "Remote_Dialup_VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 255.255.255.255/32 "ANY" 
set address "VPN" "Dialup_IPPool" 10.10.40.0 255.255.255.0
set ippool "IPPool" 10.10.40.2 10.10.40.254


&&

set interface "tunnel.3" zone "VPN"
set interface tunnel.3 ip unnumbered interface ethernet0/3
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
set vpn "Remote_VPN_to_DMZ" id 0x9 bind interface tunnel.3
set route 10.10.40.0/24 interface tunnel.3 permanent

&&


set auth-server "AD_Radius" account-type l2tp xauth 
set user-group "VPN.Users" type l2tp xauth 
set ike gateway "Remote_Dialup_VPN" xauth server "AD_Radius" user-group "VPN.Users"
unset ike gateway "Remote_Dialup_VPN" xauth do-edipi-auth
set xauth lifetime 30
set xauth default ippool "IPPool"
set xauth default dns1 192.168.10.1
set xauth default dns2 192.168.10.2
set xauth default wins1 192.168.10.1
set xauth default wins2 192.168.10.2
set xauth default auth server "AD_Radius"
set xauth default accounting server "AD_Radius"

===SNIP===

Now the problem we have is that very often systems can't remain connected for more than a few seconds, while other users can be stable as a rock. This is despite both systems having identical configurations with either the Shrew client or the Juniper VPN client. One thing that I do see is a huge number of replay packets detected in the error logs. Does that have something to do with it? Moving forward, has anyone experienced similar problems in the past, and what did they do to resolve them? I have been unable to identify any single problem, as every time I connect I am able to stay online for days without being disconnected.

Any feedback would be really appreciated.

Regards,

Jimmy Stewpot.
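Added example (not part of the original post or of any Juniper tool): a small Python checker that parses the ScreenOS `set ike gateway` / `set vpn` lines quoted above and pulls out the settings most relevant to troubleshooting a dial-up VPN of this shape, namely the IKE and IPsec proposals (flagging the legacy DES/3DES/MD5 and no-PFS options), the DPD and NAT-T keepalive timers, and whether anti-replay checking is enabled on the VPN object. The config excerpt embedded in the script is constructed from the lines in the thread; the function and variable names are the example's own.

```python
import re

# Constructed excerpt of the ScreenOS config quoted in the thread (assumption:
# only the lines this checker looks at are reproduced; the real config has more).
SAMPLE_CONFIG = """\
set ike gateway "Remote_Dialup_VPN" dialup "Dialup_VPN_Group" Aggr outgoing-interface "ethernet0/3" preshare "<KEY HERE>" proposal "pre-g2-3des-md5" "pre-g2-3des-sha" "pre-g2-aes128-md5" "pre-g2-aes128-sha"
set ike gateway "Remote_Dialup_VPN" dpd-liveness interval 20
set ike gateway "Remote_Dialup_VPN" nat-traversal keepalive-frequency 20
set vpn "Remote_Dialup_VPN" gateway "Remote_Dialup_VPN" replay tunnel idletime 0 proposal "nopfs-esp-3des-sha"  "nopfs-esp-3des-md5"  "nopfs-esp-des-sha"  "nopfs-esp-des-md5"
set vpn "Remote_Dialup_VPN" id 0x6 bind interface tunnel.3
"""

# Proposal name tokens that indicate legacy or weakened crypto choices.
WEAK_TOKENS = {"des": "single DES", "3des": "3DES", "md5": "MD5", "nopfs": "no PFS"}


def parse_config(text):
    """Collect per-gateway and per-VPN settings from ScreenOS 'set' lines."""
    gateways, vpns = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'set ike gateway "([^"]+)" (.*)', line)
        if m:
            gw = gateways.setdefault(m.group(1), {"proposals": []})
            rest = m.group(2)
            if " proposal " in rest:
                gw["proposals"] = re.findall(r'"([^"]+)"', rest.split(" proposal ", 1)[1])
            m2 = re.search(r"dpd-liveness interval (\d+)", rest)
            if m2:
                gw["dpd_interval"] = int(m2.group(1))
            m2 = re.search(r"nat-traversal keepalive-frequency (\d+)", rest)
            if m2:
                gw["natt_keepalive"] = int(m2.group(1))
            continue
        m = re.match(r'set vpn "([^"]+)" (.*)', line)
        if m:
            vpn = vpns.setdefault(m.group(1), {"proposals": []})
            rest = m.group(2)
            m2 = re.search(r'gateway "([^"]+)"', rest)
            if m2:
                vpn["gateway"] = m2.group(1)
            # The bare 'replay' keyword turns on anti-replay checking for the SA.
            if " replay " in f" {rest} ":
                vpn["replay"] = True
            if " proposal " in rest:
                vpn["proposals"] = re.findall(r'"([^"]+)"', rest.split(" proposal ", 1)[1])
            m2 = re.search(r"bind interface (\S+)", rest)
            if m2:
                vpn["bind"] = m2.group(1)
    return gateways, vpns


def weak_parts(proposal):
    """Return the legacy components named in a proposal such as 'nopfs-esp-des-md5'."""
    return [WEAK_TOKENS[t] for t in proposal.lower().split("-") if t in WEAK_TOKENS]


def review(text):
    """Produce 'weak' (legacy crypto) and 'info' (timers, replay) findings."""
    gateways, vpns = parse_config(text)
    weak, info = [], []
    for name, gw in gateways.items():
        for p in gw["proposals"]:
            parts = weak_parts(p)
            if parts:
                weak.append(f"ike gateway {name}: proposal {p} uses {', '.join(parts)}")
        if "dpd_interval" in gw or "natt_keepalive" in gw:
            info.append(f"ike gateway {name}: DPD interval {gw.get('dpd_interval')}s, "
                        f"NAT-T keepalive {gw.get('natt_keepalive')}s")
    for name, vpn in vpns.items():
        for p in vpn["proposals"]:
            parts = weak_parts(p)
            if parts:
                weak.append(f"vpn {name}: proposal {p} uses {', '.join(parts)}")
        if vpn.get("replay"):
            info.append(f"vpn {name}: anti-replay enabled on {vpn.get('bind')} "
                        f"(out-of-window ESP packets are dropped and logged)")
    return {"weak": weak, "info": info}


if __name__ == "__main__":
    result = review(SAMPLE_CONFIG)
    for line in result["weak"] + result["info"]:
        print(line)
```

Run against the posted config this lists the 3DES/MD5 IKE proposals and the four no-PFS IPsec proposals, and reports the 20-second DPD and NAT-T keepalive timers together with the anti-replay flag, which is the context in which the "replay packets detected" log entries appear.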

