[j-nsp] IPSEC tunnel

Humair Ali humair.s.ali at gmail.com
Tue Jan 3 11:37:11 EST 2012


Load related ?? hmmm

Actually, I was asking if the 24hrs time is the time you specified for the
phase 1 or the phase 2?

I'm guessing the phase 1, unless you did for both?

It's a bit odd the forwarding would die if it gets too much traffic, I
would expect packet loss or some impact but not loss of forwarding.

What model of SRX do you have?

On 3 January 2012 12:43, Johan Borch <johan.borch at gmail.com> wrote:

> Hi,
>
> Lifetime is the same on both devices, it seems to be load related, because
> traffic forwarding dies if it gets too much traffic.
>
> Thanks, I will try DPD and see if it makes any difference.
>
> Regards
> Johan
>
>
> On Tue, Jan 3, 2012 at 11:34 AM, Humair Ali <humair.s.ali at gmail.com> wrote:
>
>> Hi Johan
>>
>> I am guessing the 24hrs is also the lifetime of one of your phase 1 or
>> phase 2?
>>
>> It could be a bug in that the Juniper is not rekeying the phase 1 or
>> the phase 2 (although the SAs are up, the rekeying does not occur properly),
>> this wouldn't be uncommon, especially when peering with a Cisco.
>>
>> Somehow one of the 2 ends is active (hence why the SA is UP) but the other end
>> is not.
>>
>> Have you tried enabling DPD on the Juniper and Cisco ends? Maybe it will
>> force the rekeying to occur between the 2.
>>
>> I know it is available in Netscreen but not sure about SRX, but I
>> remember hearing so.
>>
>>
>>
>> On 3 January 2012 07:35, Johan Borch <johan.borch at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I have an IPSEC tunnel between a Juniper SRX (policy based) running
>>> 10.4R6.5 and a Cisco ASA 5510, the SAs are established but about once
>>> per 24 hours (but can also work for days) the tunnel stops forwarding
>>> traffic, the SAs are still established. Has anyone seen this behavior
>>> before? The solution is to take the tunnel down and establish it again.
>>>
>>> Regards
>>> Johan
>>>
>>
>>
>>
>> --
>> Humair
>>
>>
>


-- 
Humair

