[j-nsp] MX480 ospf3 ipsec jammed?

Scott Harvanek scott.harvanek at login.com
Mon Jun 17 20:30:18 EDT 2019


show ipsec security-associations
Security association: tusldc2-distribution
     Direction SPI         AUX-SPI     Mode       Type     Protocol
     inbound   256         0           transport  manual AH
     outbound  256         0           transport  manual   AH

Junos: 16.1R4-S2.2

Scott H.
Login, LLC

On 6/16/19 11:20 AM, Scott Harvanek wrote:
> I’ll get those outputs when at a terminal but the configuration did not change and this was working pre reboot :/
>
> The only other change was a failed MPC that was replaced.
>
> Downstream devices are sending HELLOs but this 480 is not indicating it’s receiving them via ospf3 stats output which is weird but connectivity is good.
>
> -Scott H
>
>> On Jun 16, 2019, at 2:08 AM, Anderson, Charles R <cra at wpi.edu> wrote:
>>
>> Silly question, does the sa name match between "ospf3...ipsec-sa FOO"
>> and "security ipsec security-association FOO..."?
>>
>> What does "show ipsec security-associations" show?
>>
>> What Junos version?  There was a memory leak or file descriptor leak
>> in older Junos that killed the ipsec daemon after a long uptime, but I
>> don't recall anything that would cause it to fail right after reboot.
>> But you can try "restart ipsec-key-management" anyway.
>>
>>> On Sat, Jun 15, 2019 at 09:02:30PM -0500, Scott Harvanek wrote:
>>> Hey guys,
>>>
>>> Getting something interesting after a reboot;
>>>
>>> Jun 16 01:58:45  MX480.1 kernel: ipsec_find_sa_in_so_gen(1999): Couldn't
>>> dereference the sa name = XXXXXXXXXX
>>>
>>> When trying to bring up the IPSec tunnel for ospf3 peering ( which never
>>> establishes ), any ideas what this means? Do I need to restart the ipsec
>>> key daemon?
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp


More information about the juniper-nsp mailing list