[j-nsp] Ipsec tunnel flapping

Alexandre Guimaraes alexandre.guimaraes at ascenty.com
Mon Jun 25 11:22:05 EDT 2018


Sameer


Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared

This is a phase 2 problem: maybe a dead peer detection failure, a VPN monitoring failure, or a failure during rekey, when the old SA is deleted and a notification is sent to delete the old SA. Those are most of the cases.



Regards,
Alexandre

On 25 Jun 2018, at 03:42, sameer mughal <pcs.sameer1 at gmail.com> wrote:

Both sites are on SRX.
Following are the logs.

 show log junilog|match st0.15
Jun 25 01:47:51   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Broadcast PointToPoint Multicast>
Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 <Broadcast PointToPoint Multicast Localup>
Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 -> 10.115.10.2 <Broadcast PointToPoint Multicast Localup>
Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Jun 25 01:48:06   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Up Broadcast PointToPoint Multicast>
Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 <Up Broadcast PointToPoint Multicast>
Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 -> 10.115.10.2 <Up Broadcast PointToPoint Multicast>
Jun 25 01:48:06   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN from 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
Jun 25 01:51:52   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Broadcast PointToPoint Multicast>
Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 <Broadcast PointToPoint Multicast Localup>
Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 -> 10.115.10.2 <Broadcast PointToPoint Multicast Localup>
Jun 25 01:51:52   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
Jun 25 01:52:07   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Up Broadcast PointToPoint Multicast>
Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 <Up Broadcast PointToPoint Multicast>
Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW, vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID: 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type: Static
Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 -> 10.115.10.2 <Up Broadcast PointToPoint Multicast>
Jun 25 01:52:07   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15

{primary:node0}

On Mon, Jun 25, 2018 at 3:03 AM, Alexandre Guimaraes <alexandre.guimaraes at ascenty.com> wrote:
Have you checked the errors? Do a deep inspection and check the packets to see what behavior is triggering the down state. Tcpdump will give you hints.

Do both sides use SRX?

Regards,
Alexandre

On 24 Jun 2018, at 07:59, sameer mughal <pcs.sameer1 at gmail.com> wrote:

> Hi All,
> I am facing an IPsec tunnel flapping issue on an SRX550. The ISP links on both
> sides are up and stable, but the tunnel is still flapping.
> Is anyone facing a similar problem, or does anyone have a solution to fix this issue?


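An added example, not part of the original thread: a small parser that pairs the kmd `KMD_VPN_DOWN_ALARM_USER` / `KMD_VPN_UP_ALARM_USER` messages per VPN and reports outage length, down-to-down interval and the logged reasons. The sample lines are constructed (documentation IPs, hypothetical VPN and gateway names) and follow the message format shown in the logs above; `flap_report` is a hypothetical helper name.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample modelled on the kmd messages in the thread: documentation IPs,
# hypothetical VPN/gateway names, fields not needed for the analysis omitted.
SAMPLE = """\
Jun 25 02:00:00   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN EXAMPLE-VPN from 192.0.2.1 is down. Local-ip: 198.51.100.1, gateway name: EXAMPLE-GW, vpn name: EXAMPLE-VPN, local tunnel-if: st0.1, SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
Jun 25 02:00:00   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.1
Jun 25 02:00:15   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN EXAMPLE-VPN from 192.0.2.1 is up. Local-ip: 198.51.100.1, gateway name: EXAMPLE-GW, vpn name: EXAMPLE-VPN, local tunnel-if: st0.1, SA Type: Static
Jun 25 02:04:01   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN EXAMPLE-VPN from 192.0.2.1 is down. Local-ip: 198.51.100.1, gateway name: EXAMPLE-GW, vpn name: EXAMPLE-VPN, local tunnel-if: st0.1, SA Type: Static, Reason: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared
Jun 25 02:04:16   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN EXAMPLE-VPN from 192.0.2.1 is up. Local-ip: 198.51.100.1, gateway name: EXAMPLE-GW, vpn name: EXAMPLE-VPN, local tunnel-if: st0.1, SA Type: Static
"""

EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+kmd\[\d+\]: "
    r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: VPN (?P<vpn>\S+) from (?P<peer>\S+) is "
    r"(?:up|down)\..*?(?:, Reason: (?P<reason>.*))?$"
)

def flap_report(text, year=2018):
    """Summarise tunnel flaps per VPN; syslog lines carry no year, so one is supplied."""
    downs, outages = defaultdict(list), defaultdict(list)
    reasons = defaultdict(Counter)
    open_down = {}  # vpn -> timestamp of a DOWN not yet matched by an UP
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # rpd, mib2d and other daemons are ignored
        t = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        vpn = m["vpn"]
        if m["state"] == "DOWN":
            downs[vpn].append(t)
            open_down[vpn] = t
            reasons[vpn][m["reason"] or "no reason logged"] += 1
        elif vpn in open_down:
            outages[vpn].append(int((t - open_down.pop(vpn)).total_seconds()))
    report = {}
    for vpn, ts in downs.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
        report[vpn] = {"flaps": len(ts), "outage_s": outages[vpn],
                       "down_to_down_s": gaps, "reasons": dict(reasons[vpn])}
    return report

if __name__ == "__main__":
    print(flap_report(SAMPLE))
```

A near-constant down-to-down interval is worth comparing against the IPsec lifetime and DPD or VPN-monitor timers configured on both peers, since those are the causes suggested in the reply above.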
