[j-nsp] SRX Site-to-Site Question

Paulhamus, Jon jpaulhamus at IU17.ORG
Fri Jan 20 21:47:23 EST 2012


Hi Paul - 

In my experience, I have used a loopback interface address of the SRX as the destination of the GRE tunnel on both sides, then just send the /32 route of the loopback at the other end to the st0.0 address.  I've always used OSPF to carry the routes over the tunnel.  The only other thing to keep in mind was setting proxy IDs on the VPN.

Doing it this way, I've never seen what you're describing and tunnels are solid.

I hope this helps -


-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org] 
Sent: Friday, January 20, 2012 6:55 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] SRX Site-to-Site Question

Hey there.

Having a bunch of grief with site to site VPN on SRX220.  This box connects
out on a GRE tunnel carrying voice traffic to one location along with a
couple of IPSec tunnels to other remote offices (2 at the moment).

Sometimes it works and sometimes it doesn't.  I know that's a loaded
statement ... just getting traceoptions set up now and going to troubleshoot
further.  Without getting into a lengthy email on this, my question is
specific to routing across the st interface.  We have it set up to route
traffic to the next hop (far end) of the st0.0 interface, for example.  This
works for a few hours approximately and then no traffic will pass.  Should
the route be to the st0.0 interface itself or the next hop?  The Juniper
docs clearly state the st0.0 interface specifically, but we have a lot of
these deployed without any issues and always route to the next layer 3 hop.

A reboot of the SRX causes everything to start working again and since it
does work for a period of time *usually* after a reboot I'm thinking the
routing question above is not relevant.  A little while ago, the GRE tunnel
stopped passing traffic but the IPSec continued to work properly.  After the
reboot, the GRE started to work properly and the IPSec stopped working...
nothing logical to that in my opinion..

When traffic stops passing, IKE and IPSec are up/up.. The gr interface shows
up as well..

Scratching my head - obviously I have to do a lot more troubleshooting yet
but wondering if this sounds familiar to anyone by chance?  It's running
10.4R7.5 and I'm just upgrading it to 10.4R8.5 as I write this..

Thanks ;)

Paul
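One way to lay out the design Jon describes (GRE between loopbacks, a /32 for the far loopback pointed at st0.0, OSPF across the tunnel, proxy IDs on the VPN), as an added example that is not from either poster. Site A is shown and site B mirrors it with the addresses swapped; all addresses, interface and VPN names and the zone layout are assumed, and the IKE gateway, IKE/IPsec proposals and security policies are omitted.

```junos
# Site A. All addresses below are constructed for this example.
# Loopback used as the GRE endpoint so the tunnel does not depend on a WAN address
set interfaces lo0 unit 0 family inet address 10.255.0.1/32

# GRE tunnel sourced from the local loopback and destined to the far-end loopback
set interfaces gr-0/0/0 unit 0 tunnel source 10.255.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.255.0.2
set interfaces gr-0/0/0 unit 0 family inet address 172.16.0.1/30

# Route-based IPsec tunnel interface
set interfaces st0 unit 0 family inet address 172.16.1.1/30

# The far-end loopback (the GRE destination) is reached through the IPsec tunnel,
# so GRE traffic is carried inside IPsec
set routing-options static route 10.255.0.2/32 next-hop st0.0

# VPN bound to st0.0; proxy IDs match the loopback-to-loopback traffic on both sides
# (gateway "site-b-gw" and policy "phase2-policy" are assumed to be defined elsewhere)
set security ipsec vpn to-site-b bind-interface st0.0
set security ipsec vpn to-site-b ike gateway site-b-gw
set security ipsec vpn to-site-b ike proxy-identity local 10.255.0.1/32
set security ipsec vpn to-site-b ike proxy-identity remote 10.255.0.2/32
set security ipsec vpn to-site-b ike proxy-identity service any
set security ipsec vpn to-site-b ike ipsec-policy phase2-policy
set security ipsec vpn to-site-b establish-tunnels immediately

# OSPF carries the site routes over the GRE tunnel; the loopback is advertised passively
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# Tunnel and loopback interfaces placed in one zone that accepts OSPF hellos
# (assumed zone name; security policies for traffic through the zone are omitted)
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn interfaces gr-0/0/0.0 host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces lo0.0 host-inbound-traffic protocols ospf
```

On site B the loopback becomes 10.255.0.2/32, the GRE source/destination and proxy-identity local/remote are swapped, and the static route points to 10.255.0.1/32.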

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
