[j-nsp] Ipsec tunnel flapping

sameer mughal pcs.sameer1 at gmail.com
Mon Jun 25 13:35:59 EDT 2018


Dear Koyle,
I have already configure static route towards destination.

On Mon, Jun 25, 2018, 6:50 PM Eldon Koyle <ekoyle+puck.nether.net at gmail.com>
wrote:

> Do you have a default route over that tunnel?  If so, once the tunnel
> comes up it will try to route the ipsec connection through the tunnel,
> which will break the tunnel.  Try adding a static route to the remote
> tunnel endpoint via your internet connection.
>
> --
> Eldon
>
>
> On Mon, Jun 25, 2018, 00:43 sameer mughal <pcs.sameer1 at gmail.com> wrote:
>
>> both sites on srx.
>> following are the logs.
>>
>>  show log junilog|match st0.15
>> Jun 25 01:47:51   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Broadcast
>> PointToPoint Multicast>
>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 <Broadcast
>> PointToPoint Multicast Localup>
>> Jun 25 01:47:51   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 <Broadcast PointToPoint Multicast Localup>
>> Jun 25 01:47:51   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>> from
>> 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static, Reason: IPSec SA delete payload received from peer, corresponding
>> IPSec SAs cleared
>> Jun 25 01:47:51   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
>> Jun 25 01:48:06   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
>> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static
>> Jun 25 01:48:06   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Up Broadcast
>> PointToPoint Multicast>
>> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 <Up Broadcast
>> PointToPoint Multicast>
>> Jun 25 01:48:06   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 <Up Broadcast PointToPoint Multicast>
>> Jun 25 01:48:06   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
>> Jun 25 01:51:52   kmd[1902]: KMD_VPN_DOWN_ALARM_USER: VPN IPSEC-15-VPN
>> from
>> 103.229.87.66 is down. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static, Reason: IPSec SA delete payload received from peer, corresponding
>> IPSec SAs cleared
>> Jun 25 01:51:52   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Broadcast
>> PointToPoint Multicast>
>> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 <Broadcast
>> PointToPoint Multicast Localup>
>> Jun 25 01:51:52   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 <Broadcast PointToPoint Multicast Localup>
>> Jun 25 01:51:52   mib2d[1865]: SNMP_TRAP_LINK_DOWN: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus down(2), ifName st0.15
>> Jun 25 01:52:07   rpd[1867]: EVENT <UpDown> st0.15 index 86 <Up Broadcast
>> PointToPoint Multicast>
>> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 <Up Broadcast
>> PointToPoint Multicast>
>> Jun 25 01:52:07   kmd[1902]: KMD_VPN_UP_ALARM_USER: VPN IPSEC-15-VPN from
>> 103.229.87.66 is up. Local-ip: 124.29.233.138, gateway name: IKE-U15-GW,
>> vpn name: IPSEC-15-VPN, tunnel-id: 131075, local tunnel-if: st0.15, remote
>> tunnel-ip: 10.115.10.1, Local IKE-ID: 124.29.233.138, Remote IKE-ID:
>> 103.229.87.66, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector:
>> , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0),
>> Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), SA Type:
>> Static
>> Jun 25 01:52:07   rpd[1867]: EVENT UpDown st0.15 index 86 10.115.10.2 ->
>> 10.115.10.2 <Up Broadcast PointToPoint Multicast>
>> Jun 25 01:52:07   mib2d[1865]: SNMP_TRAP_LINK_UP: ifIndex 588,
>> ifAdminStatus up(1), ifOperStatus up(1), ifName st0.15
>>
>> {primary:node0}
>>
>> On Mon, Jun 25, 2018 at 3:03 AM, Alexandre Guimaraes <
>> alexandre.guimaraes at ascenty.com> wrote:
>>
>> > Have you checked the errors? Do a deep Inspection and check the packets
>> to
>> > see what’s the behavior that’s trigger the down state. Tcpdump Will give
>> > you hints.
>> >
>> > Both sides uses SRX?
>> >
>> > att
>> > Alexandre
>> >
>> > Em 24 de jun de 2018, à(s) 07:59, sameer mughal <pcs.sameer1 at gmail.com>
>> > escreveu:
>> >
>> > > Hi All,
>> > > I am facing ipsec tunnel flapping issue on srx550. Both sides isp
>> links
>> > are
>> > > up and stable but still tunnel is flapping.
>> > > Can anyone facing similar problem or any solution to fix this issue?
>> > > _______________________________________________
>> > > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>


More information about the juniper-nsp mailing list