[j-nsp] IPSEC tunnel

Asad Raza asadgardezi at gmail.com
Wed Jan 4 01:57:45 EST 2012


Hi,

24hrs means that you might be having issue once your phase-1 is rekeyed
(being life-time of phase-1 normally). DPD would detect if the next device
is live or not, should not help in this scenario.
Please check, once the problem is raised, whether the SA is available on both devices
or not. I have seen this issue and in that SA was available on Juniper and
not available on Cisco. You need to match exact parameters on both devices.
In my problem, IKE keepalives were enabled on Cisco and after disabling it
the problem was resolved.

Check matching NAT-T and PFS configuration as well.

Regards,

Asad

On Tue, Jan 3, 2012 at 10:04 PM, Burkhard Ott <bott at revenuewire.com> wrote:

> On Tue, 3 Jan 2012 16:37:11 +0000
> Humair Ali <humair.s.ali at gmail.com> wrote:
>
> > >>> Hi,
> > >>>
> > >>> I have an IPSEC tunnel between a Juniper SRX (policy based)
> > >>> running 10.4R6.5 and a Cisco ASA 5510, the SA's are established
> > >>> but about once per 24 hours (but can also work for days) the tunnel
> > >>> stops forwarding traffic, the SA's are still established. Has anyone
> > >>> seen this behavior before? The solution is to take the tunnel down
> > >>> and establish it again.
>
> Check if the tunnel dies if you send large packets, if it does check
> your MTU for the tunnel.
>
> --
> Burkhard Ott
> Sr. System Administrator
> Revenuewire Inc.
> 1205 - 4464 Markham Street
> Victoria, BC V8Z 7X8
> 250-984-1132 ext. 7132
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
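One way to do the "is the SA available on both devices" check from Asad's reply, as an added example that is not part of the thread: pull the ESP SPIs out of the SRX `show security ipsec security-associations` output and the ASA `show crypto ipsec sa` output and confirm each side's inbound SPI equals the peer's outbound SPI. A mismatch after a rekey is the stale-SA condition described above. Both outputs below are constructed approximations with made-up SPIs, not captures from the devices in the thread.

```python
import re

# Constructed sample output resembling SRX "show security ipsec security-associations"
# ('<' rows are inbound SAs, '>' rows are outbound; SPIs are made up).
SRX_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 5ac9a1f1 2800/ unlim - root 500 203.0.113.2
  >131073 ESP:aes-cbc-128/sha1 7c3b2d4e 2800/ unlim - root 500 203.0.113.2
"""

# Constructed, abridged sample resembling ASA "show crypto ipsec sa" (SPIs made up).
ASA_OUTPUT = """\
    inbound esp sas:
      spi: 0x7C3B2D4E (2084191566)
    outbound esp sas:
      spi: 0xD00DFEED (3490774765)
"""

def srx_spis(text):
    """Return (inbound_spi, outbound_spi) parsed from SRX output, lowercase hex."""
    spis = {}
    for m in re.finditer(r"^\s*([<>])\d+\s+ESP:\S+\s+([0-9a-fA-F]+)", text, re.M):
        spis["in" if m.group(1) == "<" else "out"] = m.group(2).lower()
    return spis.get("in"), spis.get("out")

def asa_spis(text):
    """Return (inbound_spi, outbound_spi) parsed from ASA output, lowercase hex."""
    spis, direction = {}, None
    for line in text.splitlines():
        if "inbound esp sas" in line:
            direction = "in"
        elif "outbound esp sas" in line:
            direction = "out"
        m = re.search(r"spi:\s*0x([0-9a-fA-F]+)", line)
        if m and direction:
            spis.setdefault(direction, m.group(1).lower())  # keep first SPI per direction
    return spis.get("in"), spis.get("out")

def compare_sas(srx_text, asa_text):
    """Pair each side's outbound SPI with the peer's inbound SPI; return mismatches."""
    srx_in, srx_out = srx_spis(srx_text)
    asa_in, asa_out = asa_spis(asa_text)
    problems = []
    if srx_out != asa_in:
        problems.append(f"SRX->ASA: SRX outbound {srx_out} vs ASA inbound {asa_in}")
    if srx_in != asa_out:
        problems.append(f"ASA->SRX: ASA outbound {asa_out} vs SRX inbound {srx_in}")
    return problems

if __name__ == "__main__":
    for line in compare_sas(SRX_OUTPUT, ASA_OUTPUT) or ["SPIs agree on both peers"]:
        print(line)
```

With the constructed data the SRX-to-ASA direction agrees but the ASA still holds an outbound SPI the SRX no longer knows, which is exactly the one-sided SA state that leaves the tunnel "up" but not forwarding.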

