Juniper SRX – VPN monitoring with a non SRX device causes VPN to flap

VPN monitoring is enabled on an SRX device and the remote end of the VPN terminates on a non-SRX device. With VPN monitoring left in its default form, the tunnel may flap: it is repeatedly torn down and re-established even though the peer is reachable and the data path is fine.


    • VPN monitoring sends ICMP echo requests through the tunnel (encrypted) to the remote gateway. By default the probe is sourced from the address of the local outgoing (external) interface and addressed to the remote gateway's IP.
    • When such a probe arrives at a remote SRX device, the SRX accepts it, delivers it to the gateway, and returns an echo reply.
    • A non-SRX device, however, checks the decrypted packet's source and destination against the negotiated proxy-identity (traffic selector). The default probe does not fall inside those prefixes, so the peer drops it and no reply is sent.
    • Because no replies come back, the SRX declares the VPN down, tears down the SA and rekeys; the tunnel comes up again, the probes fail again, and the VPN flaps.

The solution is to give VPN monitoring an explicit source and destination for its probes, so that the decrypted ping matches the proxy-identity on the remote side: destination-ip is a host inside the remote proxy-ID prefix (one that answers ICMP echo), and source-interface is a local interface whose address lies inside the local proxy-ID prefix (its address becomes the probe's source). The configuration is:

set security ipsec vpn <vpn-name> vpn-monitor destination-ip <ip-address>
set security ipsec vpn <vpn-name> vpn-monitor source-interface <source-interface>

Another workaround is to set VPN monitoring to optimized. In optimized mode the SRX treats traffic received through the tunnel as proof that the tunnel is up and sends ICMP probes only while there is outgoing traffic but no incoming traffic; as long as return traffic is flowing, no probes are sent and the peer's inability to answer them no longer matters. Two caveats: an idle tunnel gets no probes at all, so a dead tunnel is only noticed once something tries to cross it, and traffic that is strictly one-way (outgoing only) still triggers probes and can still flap. The same is configured as follows:

set security ipsec vpn <vpn-name> vpn-monitor optimized



This entry was posted in Juniper.