[j-nsp] SRX Site-to-Site Question

Paul Stewart paul at paulstewart.org
Fri Jan 20 18:54:50 EST 2012

Hey there.


Having a bunch of grief with site-to-site VPN on SRX220.  This box connects
out on a GRE tunnel carrying voice traffic to one location along with a
couple of IPsec tunnels to other remote offices (2 at the moment).


Sometimes it works and sometimes it doesn't.  I know that's a loaded
statement ... just getting traceoptions set up now and going to troubleshoot
further.  Without getting into a lengthy email on this, my question is
specific to routing across the st interface.  We have it set up to route
traffic to the next hop (far end) of the st0.0 interface, for example.  This
works for a few hours approximately and then no traffic will pass.  Should
the route be to the st0.0 interface itself or the next hop?  The Juniper
docs clearly state the st0.0 interface specifically, but we have a lot of
these deployed without any issues and always route to the next layer 3 hop.


A reboot of the SRX causes everything to start working again, and since it
does work for a period of time *usually* after a reboot, I'm thinking the
routing question above is not relevant.  A little while ago, the GRE tunnel
stopped passing traffic but the IPsec continued to work properly.  After the
reboot, the GRE started to work properly and the IPsec stopped working...
nothing logical to that in my opinion.


When traffic stops passing, IKE and IPsec are up/up.  The gr interface shows
up as well.


Scratching my head - obviously I have to do a lot more troubleshooting yet,
but wondering if this sounds familiar to anyone by chance?  It's running
10.4R7.5 and I'm just upgrading it to 10.4R8.5 as I write this.


Thanks ;)
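As an added illustration, not part of Paul's message or of the j-nsp thread, the two ways the static route in the question can point at an st0 tunnel, side by side. The configuration fragment below is hypothetical: the VPN name, zone name, prefixes and tunnel addresses are made up, only the statements relevant to the routing question are shown, and the lines beginning with # are annotations rather than configuration. The point it makes is that the interface form in the Juniper docs needs no next-hop resolution at all, while the far-end-address form only resolves when st0.0 is numbered in a subnet that contains that address.

```junos
# Hypothetical st0.0 numbered as a /30; the far end is assumed to be 10.255.0.2
set interfaces st0 unit 0 family inet address 10.255.0.1/30
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn branch-a bind-interface st0.0
set security ipsec vpn branch-a ike gateway gw-branch-a
set security ipsec vpn branch-a establish-tunnels immediately

# Form 1: route via the tunnel interface, as the Juniper docs describe.
# Valid whether or not st0.0 carries an address; the route follows the
# interface state and never depends on resolving a far-end address.
set routing-options static route 192.168.20.0/24 next-hop st0.0

# Form 2: route via the far-end address, as in the deployments described above.
# Only resolvable because 10.255.0.2 falls inside st0.0's /30; on an
# unnumbered or mis-addressed st0 the route would stay unusable.
# delete routing-options static route 192.168.20.0/24 next-hop st0.0
# set routing-options static route 192.168.20.0/24 next-hop 10.255.0.2
```

When the SAs show up but traffic stops, the checks that separate a routing problem from a tunnel problem are: show route 192.168.20.1 (is the route still active and pointing at st0.0, or has it gone hidden?), show security ipsec statistics (are the encrypted and decrypted packet counters still moving?), show security flow session destination-prefix 192.168.20.0/24 (are sessions being created at all?), and show interfaces st0.0 for the interface state. Clearing the tunnel with clear security ipsec security-associations and clear security ike security-associations is a much narrower test than a reboot: if traffic resumes after that alone, the fault is in the SA, not in the route.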
