VPN flapping

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN flapping

L4 Transporter

Hi, we have configured a VPN site-to-site between Juniper SSG and PA3020. The tunnel is flapping up/down. The VPN is well-configured and we have configured VPN monitor with Rekey option in the SSG.  How could we know why the tunnel is flapping all the time???  i attached the PA logs

2015-07-30 16:52:11 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS RESPONDER, (QUICK MODE) <====

====> Established SA: 116.x.x.x[500]-121.x.x.x[500] message id:0xF6C5386E, SPI:0xB9D02A28/0x598B9BDB <====

2015-07-30 16:52:11 [INFO]: SADB_UPDATE ul_proto=255 src=121.x.x.x[500] dst=116.x.x.x[500] satype=ESP samode=tunl spi=0xB9D02A28 authtype=SHA1 enctype=3DES lifetime soft time=3600 bytes=0 hard time=3600 bytes=0

2015-07-30 16:52:11 [INFO]: SADB_ADD ul_proto=255 src=116.x.x.x[500] dst=121.x.x.x[500] satype=ESP samode=tunl spi=0x598B9BDB authtype=SHA1 enctype=3DES lifetime soft time=3600 bytes=0 hard time=3600 bytes=0

2015-07-30 16:52:11 [INFO]: IPsec-SA established: ESP/Tunnel 121.x.x.x[500]->116.x.x.x[500][500] spi=3117427240(0xb9d02a28)

2015-07-30 16:52:11 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====

====> Installed SA: 116.x.x.x[500]-121.x.x.x[500] SPI:0xB9D02A28/0x598B9BDB lifetime 3600 Sec lifesize unlimited <====

2015-07-30 16:52:11 [INFO]: keymirror add start ++++++++++++++++

2015-07-30 16:52:11 [INFO]: keymirror add for gw e, tn 20, selfSPI B9D02A28, retcode 0.

[PROTO_NOTIFY]: ====> IPSEC KEY DELETED <====

2 REPLIES 2

L5 Sessionator

Could you please provide a output of the command

tail lines 300 mp-log ikemgr.log

Run the above command when rekey is happening. Also make sure that lifetime is matching on both side for both phases.

Phase 2 lifetime should be less than phase 1 lifetime.

  • 4329 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!