I have noticed the issue a few times, when the VPN was UP but no traffic was going through. I had to clear the VPN for the traffic to flow again. Has anyone had this issue, and is there any way to stop this from happening again?
When monitoring the policies, I could see incomplete applications, which would be normal when traffic doesn't flow through the VPN.
ENCAP and DECAP counters are the same and never increment.
Could you please let me know the other end device vendor (other end of the tunnel). Also check the PROXY-ID on both sides.
Only Palo Alto and Juniper firewalls take 0.0.0.0/0 as a PROXY-ID by default. If the other end is a different vendor box, then you have to manually configure the PROXY-ID in order to pass traffic through the tunnel.
Details/explanation about PROXY-ID:
The ID payload during IPsec phase-2 negotiation contains the proxy identities on whose behalf the initiator does the negotiation. These are generally IP address subnets, but they can have more fields, such as port, too. In the case of a site-to-site IPsec setup with two gateways doing IPsec negotiations with each other, the proxy IDs are based on rules defined on the gateways that define what type of traffic is supposed to be encrypted by the peers (specific source, destination, protocols). So, if you have multiple subnets to allow behind both VPN peers, there will be multiple SPIs (Security Parameter Index) to enhance the security and administrative control over the VPN tunnel.
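To make the proxy-ID matching rule concrete, here is an added example (not from the thread or from any vendor's code) that checks whether two peers' phase-2 proxy-IDs mirror each other exactly. It assumes IKEv1-style exact matching with no traffic-selector narrowing, and the sample subnets and the peer configuration are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ProxyId:
    """One phase-2 proxy-ID as configured on a gateway (its own point of view)."""
    local: str            # subnet behind this gateway
    remote: str           # subnet behind the peer
    protocol: str = "any"  # "any", "tcp", "udp", or a protocol number as text
    local_port: int = 0   # 0 means any port
    remote_port: int = 0


def _norm(p: ProxyId):
    # Normalise prefixes so "10.1.0.0/16" and "10.1.0.1/16" compare equal.
    return (ip_network(p.local, strict=False), ip_network(p.remote, strict=False),
            p.protocol.lower(), p.local_port, p.remote_port)


def mirror(p: ProxyId) -> ProxyId:
    """The same proxy-ID as the other peer must express it: local/remote swapped."""
    return ProxyId(p.remote, p.local, p.protocol, p.remote_port, p.local_port)


def unmatched(ours, theirs):
    """Return our proxy-IDs that no proxy-ID on the peer mirrors exactly.

    With exact (IKEv1-style) matching, every unmatched entry here is a phase-2
    SA that will not come up, so traffic for that subnet silently fails even
    though phase 1 shows the tunnel as UP.
    """
    mirrored = {_norm(mirror(t)) for t in theirs}
    return [o for o in ours if _norm(o) not in mirrored]


# Constructed scenario: our LAN is 10.1.0.0/16 (hypothetical). The cloud peer was
# configured with a specific remote subnet, while our firewall was left at the
# vendor default of 0.0.0.0/0 <-> 0.0.0.0/0 because no proxy-ID was entered.
PEER = [ProxyId(local="0.0.0.0/0", remote="10.1.0.0/16")]
OURS_DEFAULT = [ProxyId(local="0.0.0.0/0", remote="0.0.0.0/0")]
OURS_FIXED = [ProxyId(local="10.1.0.0/16", remote="0.0.0.0/0")]


def report(ours, theirs) -> str:
    bad = unmatched(ours, theirs)
    if not bad:
        return "phase-2 proxy-IDs match in both directions"
    return "no peer proxy-ID mirrors: " + "; ".join(f"{b.local} <-> {b.remote}" for b in bad)


if __name__ == "__main__":
    print("default:", report(OURS_DEFAULT, PEER))
    print("fixed:  ", report(OURS_FIXED, PEER))
```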
Thanks for the response.
We do not use proxy-ID in the configuration. The other device is a Zscaler Proxy device on the cloud.
I have checked the logs in the mp-log output, but it doesn't give any detailed reason as to why it got dropped. These are the only logs:
====> Expired SA: xx.xx.xx.xx-yy.yy.yy.yy cookie:608ddbb383232b8d:0480b50d1bdf2a11i <====
2014-01-10 10:23:37 [INFO]: ====> PHASE-1 SA DELETED <====
====> Deleted SA: xx.xx.xx.xx-yy.yy.yy.yy cookie:608ddbb383232b8d:0480b50d1bdf2a11i <====
2014-01-10 10:23:41 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS RESPONDER, MAIN MODE <====
If the VPN is up, does that mean phase 1 and phase 2 should be OK? If there is no traffic, it means either there is no route in the PA (confirmed by the incomplete log in the monitor session) or no proxy ID (as mentioned by Hulk).
If the VPN crashes sometimes, maybe:
* not the same lifetime / lifesize?
* have you configured DPD?
I think PA-Juniper VPNs have problems with 3des/aes128 encryption. I have had several problems configuring SSG-PA VPNs, and I fixed it by changing the encryption in phase 2, so try to change the proposals for phase 2.
I think your VPN phase 1 is OK but not phase 2...
Are you still having the problem???