
[SRX] Unable to display Phase 1 IKE SA on high end SRX Platforms, even though VPN is up and VPN traffic is working.


Article ID: KB17537   Last Updated: 23 Apr 2013   Version: 3.0
Summary:

This article describes how to synchronize SPU and RE time when the following conditions are present: the command show security ike security-association displays no output, but the command show security ipsec security-association shows that the SA and VPN tunnel are up.

Symptoms:

  • show security ike security-association does not display any output.
  • show security ipsec security-association shows SA information, with lifetime expired.
  • VPN tunnel is actually up.
  • VPN traffic is actually passing across the device.
  • Problem occurs on all high end platforms, including SRX-1400, SRX-3000, and SRX-5000 platforms.
Cause:
 
Solution:

When configuring IPsec VPNs on SRX devices with multiple SPUs, NTP must be configured so that timestamps are synchronized across the SPU boards. If the SPU boards and the system clock are out of sync, a time sync issue can result in the IPsec SA showing its lifetime as expired and no IKE SA output being displayed.

Example:

root@srx3600> show security ike security-association

root@srx3600> show security ipsec security-association
Total active tunnels: 1
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<2 1.1.1.1 500 ESP:aes-128/md5 3566b635 expir/expir - 0
>2 1.1.1.1 500 ESP:aes-128/md5 a38860a expir/expir - 0

This symptom occurs because the SPU and RE clocks must be synchronized. The IKE negotiation is stored on the SPU, which sends the SA creation time (in seconds) and the negotiated lifetime (in seconds) to the RE. The RE uses the SA creation time, its own current time, and the negotiated lifetime to determine the remaining lifetime in seconds. If the SPU clock is behind, the RE treats the SA as expired and displays it that way in the show security ipsec security-association output.
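As an added illustration (not part of the KB article or Junos itself), the following Python parses the show security ipsec security-association output shown above, flags SAs whose lifetime reads expir, and models the RE's remaining-lifetime computation described above so the effect of an SPU clock lagging the RE can be seen. The epoch values and the exact formula are assumptions for the model, not Junos internals.

```python
import re

# Sample constructed from the article's example output (not a live capture).
SAMPLE_OUTPUT = """\
Total active tunnels: 1
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<2 1.1.1.1 500 ESP:aes-128/md5 3566b635 expir/expir - 0
>2 1.1.1.1 500 ESP:aes-128/md5 a38860a expir/expir - 0
"""

# One SA row: direction marker, id, gateway, port, algorithm, SPI, sec/kb lifetime, monitor, vsys.
SA_LINE = re.compile(
    r"^(?P<dir>[<>])(?P<id>\d+)\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+(?P<alg>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\S+)/(?P<life_kb>\S+)\s+(?P<mon>\S+)\s+(?P<vsys>\d+)$"
)


def parse_ipsec_sas(text):
    """Parse 'show security ipsec security-association' rows into dicts; header lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := SA_LINE.match(line.strip()))]


def expired_sas(text):
    """Return (direction, id, spi) for every SA whose seconds lifetime shows 'expir'."""
    return [(sa["dir"], sa["id"], sa["spi"]) for sa in parse_ipsec_sas(text)
            if sa["life_sec"] == "expir"]


def remaining_lifetime(created_spu, lifetime, now_re):
    """Model of the RE computation the article describes: (creation time + lifetime) - RE now.
    created_spu is stamped by the SPU clock, now_re by the RE clock, so skew shifts the result."""
    return created_spu + lifetime - now_re


def remaining_with_skew(lifetime, age_real, spu_behind_by):
    """Seconds the RE would report for an SA that is really age_real seconds old when the
    SPU clock lags the RE by spu_behind_by seconds (0 means the RE shows it as expired)."""
    now_re = 1_000_000                                   # arbitrary RE epoch seconds (assumed)
    created_spu = now_re - age_real - spu_behind_by      # creation stamped with the lagging SPU clock
    return max(0, remaining_lifetime(created_spu, lifetime, now_re))
```

With no skew an SA 600 s into a 3600 s lifetime reports 3000 s remaining; once the SPU lags by 3000 s or more the same SA reports 0 and shows as expir.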
