This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

VPN flapping

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN flapping

SOC_CSG
L4 Transporter

‎07-30-2015 08:20 AM

Hi, we have configured a VPN site-to-site between Juniper SSG and PA3020. The tunnel is flapping up/down. The VPN is well-configured and we have configured VPN monitor with Rekey option in the SSG.  How could we know why the tunnel is flapping all the time???  i attached the PA logs

2015-07-30 16:52:11 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====

====> Established SA: 116.x.x.x[500]-121.x.x.x[500] message id:0xF6C5386E, SPI:0xB9D02A28/0x598B9BDB <====

2015-07-30 16:52:11 [INFO]: SADB_UPDATE ul_proto=255 src=121.x.x.x[500] dst=116.x.x.x[500] satype=ESP samode=tunl spi=0xB9D02A28 authtype=SHA1 enctype=3DES lifetime soft time=3600 bytes=0 hard time=3600 bytes=0

2015-07-30 16:52:11 [INFO]: SADB_ADD ul_proto=255 src=116.x.x.x[500] dst=121.x.x.x[500] satype=ESP samode=tunl spi=0x598B9BDB authtype=SHA1 enctype=3DES lifetime soft time=3600 bytes=0 hard time=3600 bytes=0

2015-07-30 16:52:11 [INFO]: IPsec-SA established: ESP/Tunnel 121.x.x.x[500]->116.x.x.x[500][500] spi=3117427240(0xb9d02a28)

2015-07-30 16:52:11 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====

====> Installed SA: 116.x.x.x[500]-121.x.x.x[500] SPI:0xB9D02A28/0x598B9BDB lifetime 3600 Sec lifesize unlimited <====

2015-07-30 16:52:11 [INFO]: keymirror add start ++++++++++++++++

2015-07-30 16:52:11 [INFO]: keymirror add for gw e, tn 20, selfSPI B9D02A28, retcode 0.

[PROTO_NOTIFY]: ====> IPSEC KEY DELETED <====

1 person had this problem.
Labels:
0 Likes Likes
2 REPLIES 2

pankaku
L5 Sessionator

‎07-30-2015 09:15 AM

Could you please provide a output of the command

tail lines 300 mp-log ikemgr.log

Run the above command when rekey is happening. Also make sure that lifetime is matching on both side for both phases.

Phase 2 lifetime should be less than phase 1 lifetime.

SOC_CSG
L4 Transporter
In response to pankaku

‎07-30-2015 10:58 AM

this was the problem

thanks

http://kb.juniper.net/InfoCenter/index?page=content&id=KB8530

0 Likes Likes
  • 4305 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks