Juniper SRX Site-to-Site VPN Issues – Changing IP and Default Route

juniper-srxvpn

So, we have an SRX100 at one site (call it site B) and an SRX240 at our main site (site A). The ISP at site B asked us to change our IP address from one network to another (due to some routing issues they were facing). The problem is that we have a site-to-site VPN between the two (IKE).

So, tonight I am sitting at site B and want to fix this.

I change all the settings on the VPN on both sites to reflect the changes, and update any firewall rules that need updating for this to work.

Note 1) On site B, at this point I ADD the IP address in addition to the old IP address (I did not replace it), but I did replace the default route and the VPN connection endpoints.

I then commit at site A first (since I have to do it while I can still reach it by VPN), then commit site B.

I notice that I still have internet on site B, which is good, but the VPN did NOT come up at all.

I look in the log files on both sides (I have a secondary VPN to reach the site A switch), and there is nothing there! No trace of the VPN at all, which is strange.

Then I notice that my IP as seen from outside is still the old IP address on site B (whatismyip.org or such).

So, then I remove the old IP from the firewall and commit again (site B).

Then the VPN comes UP, and it shows in the log files like it should.

So, I try to add the IP address back again to test, and the VPN goes down.

And finally I try to remove the old IP on site B again... but the VPN does NOT come up, and again nothing in the logs.

Best Answer

So, I think I have finally found the solution.

At both sides I run this command:

    show security ike security-associations

Site B showed:

    Index     State  Initiator cookie  Responder cookie    Mode  Remote Address
    <anumber> DOWN   <some data>       <0000000000000000>  Main  <correct ip>

which is logical, since the VPN IS down.

Then I ran the same on the other side (site A).

It showed this (three entries, all UP):

    Index  Remote Address  State  Initiator cookie  Responder cookie  Mode
    ...                    UP                                         Main
    ...                    UP                                         Main
    ...                    UP                                         Main

which is strange since, again, the VPN is DOWN.

So, I tried to run this command:

    clear security ike security-associations index <index from first one above>

and then the VPN came up again... and I finally also removed the other "old ip" line, and now only have one line (site A):

    <anumber> <newip>   UP     <some data>  <some data>  Main         

and similarly site B shows

    <anumber> UP     <some data>  <some data>  Main           <correct ip>

and the VPN seems stable.

I did not find this solution in any of the Juniper FAQs, and googled a lot, but managed by a bit of luck to solve it. So I wanted to document it a bit here just in case someone (like me) needs it.

IF I am completely wrong here, and what happened was just luck and not related, I do hope that you will comment or edit. Thanks!
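As an added example (not part of the original post or of Junos), the following script parses the output of `show security ike security-associations` from both ends and, after a spoke has been readdressed, flags the hub-side phase-1 SAs that are worth clearing: ones still pointing at the old address, and ones the hub reports UP while the spoke reports DOWN. The two column layouts, the indexes, cookies and addresses are all constructed placeholders modelled on the tables above.

```python
import re

# Constructed sample output (not from the original post). It mimics the two
# column layouts quoted in the answer: the spoke (site B) prints Remote Address
# last, the hub (site A) prints it second. Indexes, cookies and addresses are
# made-up placeholder values from the RFC 5737 documentation ranges.
SITE_B_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode  Remote Address
5512345 DOWN   3a1f00c2d4e5f601  0000000000000000  Main  203.0.113.1
"""
SITE_A_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
4401122 192.0.2.15      UP     9b8c7d6e5f403122  1122334455667788  Main
4401123 198.51.100.20   UP     0a0b0c0d0e0f1011  2122232425262728  Main
"""

ADDR_LAST = ("index", "state", "icookie", "rcookie", "mode", "remote")
ADDR_SECOND = ("index", "remote", "state", "icookie", "rcookie", "mode")

def parse_ike_sas(text):
    """Turn the SA table into a list of dicts; the header picks the layout.
    Only the two layouts above are handled (an assumption of this example)."""
    lines = [l for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    order = ADDR_SECOND if re.match(r"Index\s+Remote Address", header) else ADDR_LAST
    sas = []
    for row in rows:
        parts = row.split()
        if len(parts) != len(order):
            raise ValueError("unexpected row: %r" % row)
        sas.append(dict(zip(order, parts)))
    return sas

def stale_sa_indexes(hub_sas, spoke_sas, spoke_current_ip):
    """Hub SA indexes to clear after the spoke moved to spoke_current_ip:
    any SA for an address the spoke no longer uses, plus any SA the hub
    still shows UP while the spoke side says the tunnel is DOWN."""
    spoke_down = any(sa["state"] == "DOWN" for sa in spoke_sas)
    stale = []
    for sa in hub_sas:
        if sa["remote"] != spoke_current_ip or (sa["state"] == "UP" and spoke_down):
            stale.append(sa["index"])
    return stale

def clear_commands(indexes):
    """Operational-mode commands that remove the stale phase-1 SAs."""
    return ["clear security ike security-associations index %s" % i for i in indexes]

if __name__ == "__main__":
    hub, spoke = parse_ike_sas(SITE_A_OUTPUT), parse_ike_sas(SITE_B_OUTPUT)
    print("\n".join(clear_commands(stale_sa_indexes(hub, spoke, "198.51.100.20"))))
```

Check the hub side again after clearing; with the old address removed from the spoke's configuration only one UP entry for the new address should remain, as in the answer's final table.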