[j-nsp] IPSEC tunnel

Humair Ali humair.s.ali at gmail.com
Wed Jan 4 16:58:10 EST 2012


Hi Asad

It's been a while since I have been involved with Netscreen,

but correct me if I am wrong: IKE Keepalive and DPD are exactly the same
thing.

As long as there is VPN traffic, DPD will not be used; it is only used
when it does not detect VPN traffic, at which point it starts sending hello
messages to detect the liveness of the remote end (which is exactly what
IKE keepalives do).

If DPD finds the remote site down, setting the tunnel down should force a
rekeying of Phase 1 and 2.

Netscreen does not have DPD on by default but Cisco does; if one end is
sending DPD Hellos but detects that the remote end does not, it will
bring the tunnel down, hence why enabling DPD on Netscreen may help.

Having said that, the problem could be some completely different issue.

On 4 January 2012 06:57, Asad Raza <asadgardezi at gmail.com> wrote:

> Hi,
>
> 24hrs means that you might be having an issue once your phase-1 is rekeyed
> (24h being the lifetime of phase-1 normally). DPD would detect if the next
> device is live or not; it should not help in this scenario.
> Please check, once the problem is raised, whether the SA is available on
> both devices or not. I have seen this issue, and in that case the SA was
> available on
> Juniper and not available on cisco. You need to match exact parameters on
> both devices. In my problem, IKE keepalives were enabled on Cisco and after
> disabling it the problem was resolved.
>
> Check matching NAT-T and PFS configuration as well.
>
> Regards,
>
> Asad
>
> On Tue, Jan 3, 2012 at 10:04 PM, Burkhard Ott <bott at revenuewire.com> wrote:
>
>> On Tue, 3 Jan 2012 16:37:11 +0000
>> Humair Ali <humair.s.ali at gmail.com> wrote:
>>
>> > >>> Hi,
>> > >>>
>> > >>> I have an IPSEC tunnel between a Juniper SRX (policy based)
>> > >>> running 10.4R6.5 and a Cisco ASA 5510. The SAs are established,
>> > >>> but about once per
>> > >>> 24 hours (it can also work for days) the tunnel stops forwarding
>> > >>> traffic
>> > >>> while the SAs are still established. Has anyone seen this behavior
>> > >>> before? The solution is to take the tunnel down and establish it
>> > >>> again.
>>
>> Check if the tunnel dies if you send large packets, if it does check
>> your MTU for the tunnel.
>>
>> --
>> Burkhard Ott
>> Sr. System Administrator
>> Revenuewire Inc.
>> 1205 - 4464 Markham Street
>> Victoria, BC V8Z 7X8
>> 250-984-1132 ext. 7132
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp


-- 
Humair
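As an added illustration of the DPD suggestion above (not configuration from anyone in this thread), here is what enabling DPD with matching timers looks like on the two platforms discussed. Gateway name, tunnel-group name and the peer address 203.0.113.1 are placeholders; interval and threshold values are example choices.

```text
## Juniper SRX (Junos) side: enable DPD on the IKE gateway.
## By default the SRX only sends DPD probes when no traffic has been seen
## from the peer for "interval" seconds; "threshold" is the number of
## unanswered probes before the peer is declared dead and the SAs are torn
## down, which forces a fresh Phase 1/Phase 2 negotiation.
set security ike gateway GW-TO-ASA dead-peer-detection interval 10
set security ike gateway GW-TO-ASA dead-peer-detection threshold 3

## Cisco ASA side: IKE keepalives (ASA's DPD) for the matching LAN-to-LAN
## tunnel-group. "threshold" is the idle time in seconds before the first
## probe, "retry" the gap between retries.
tunnel-group 203.0.113.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 3

## What to verify afterwards (commands, not config):
##   SRX: show security ike security-associations
##        show security ipsec security-associations
##   ASA: show crypto isakmp sa
##        show crypto ipsec sa
## If the IPsec SA exists on one box but not the other after a failure,
## that mismatch (not a dead peer) is the thing to chase, as Asad notes.
```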