
[Archive] [SRX] st0 interfaces stay up even when the Physical Interface is down


Article ID: KB21227 KB Last Updated: 26 Feb 2020 Version: 4.0
Summary:
This article describes the issue of the st0 interfaces being up, even when the Physical Interface is down.
Symptoms:
Environment:
 
  • Route-Based VPN using st0 interfaces.
  • Optimized VPN Monitoring must be configured.
  • IKE must be set to the aggressive mode.
  • Dynamic-to-Static Site-to-Site VPN connection, in which only Clients can send connection requests to establish the IPsec tunnel to the Servers. Servers don't have any knowledge of their prospective Clients.
  • Dynamic host must be set locally on VPN Server, as a method of IKE ID authentication.
  • Tunnels must be set to Establish Immediately.
  • SRX Junos OS 10.3R3.7, 10.4R1.9, 10.4R9.2, 11.2R6.3, 11.4R1.6 and 11.4R2.14.


Topology:
SRX-A========Internet===========Remote Client

Configuration:

SRX-A
ike {
    proposal stand {
        authentication-method pre-shared-keys;
        authentication-algorithm sha1;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 180;
    }
    policy ike-policy-repro {
        mode aggressive;
        proposals stand;
        pre-shared-key ascii-text "$ABC123"; ## SECRET-DATA
    }
    gateway ike-gw-repro {
        ike-policy ike-policy-repro;
        dynamic hostname host1.example.com;
        no-nat-traversal;
        external-interface ge-0/0/2;
    }
}
ipsec {
    vpn-monitor-options {
        interval 10;
        threshold 8;
    }
    proposal stand {
        protocol esp;
        authentication-algorithm hmac-sha1-96;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 180;
    }
    policy stand {
        perfect-forward-secrecy {
            keys group2;
        }
        proposals stand;
    }
    vpn ipsec-vpn-repro {
        bind-interface st0.1;
        vpn-monitor {
            optimized;
            source-interface ge-0/0/2;
            destination-ip 1.1.1.1;
        }
        ike {
            gateway ike-gw-repro;
            ipsec-policy stand;
        }
    }
}

The issue is that the physical interface is down, but st0.X is still shown as Up. The concern is that if the tunnel is down (i.e. no IKE or IPsec), why are the st0.X interfaces showing as Up?
In addition, a reboot does not fix the issue.
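One way to check a device for this symptom, as an added example that is not part of the original article: the script parses `show interfaces terse` text and flags any st0 unit reported up while its IKE external interface is down. The st0.1 to ge-0/0/2 mapping comes from the configuration above; the sample output, its addresses and the function names are constructed for illustration.

```python
"""Flag st0 units reported up while their IKE external interface is down."""

# Mapping taken from the article's configuration: vpn ipsec-vpn-repro binds
# st0.1, and its gateway ike-gw-repro uses external-interface ge-0/0/2.
TUNNEL_TO_EXTERNAL = {"st0.1": "ge-0/0/2"}

# Constructed sample of "show interfaces terse" output (not from a real device).
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.0.2.1/24
ge-0/0/2                up    down
ge-0/0/2.0              up    down inet     198.51.100.1/30
st0                     up    up
st0.1                   up    up   inet     10.255.0.1/30
"""


def parse_terse(text):
    """Return {interface: (admin, link)} from 'show interfaces terse' text."""
    states = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows are: name, admin state, link state, then optional columns.
        # The header row and continuation rows fail this test and are skipped.
        if len(fields) >= 3 and all(f in ("up", "down") for f in fields[1:3]):
            states[fields[0]] = (fields[1], fields[2])
    return states


def stale_tunnels(states, mapping):
    """List (st0 unit, external interface, external link) for mismatches."""
    findings = []
    for tunnel, external in sorted(mapping.items()):
        tunnel_link = states.get(tunnel, (None, None))[1]
        external_link = states.get(external, (None, None))[1]
        # A tunnel unit cannot legitimately be up over a dead or absent uplink.
        if tunnel_link == "up" and external_link != "up":
            findings.append((tunnel, external, external_link or "missing"))
    return findings


if __name__ == "__main__":
    states = parse_terse(SAMPLE_TERSE)
    for tunnel, external, link in stale_tunnels(states, TUNNEL_TO_EXTERNAL):
        print(f"{tunnel} is up but {external} link is {link}: verify IKE/IPsec SAs")
```

A finding means routes through that st0 unit may still be treated as usable, so confirm the IKE and IPsec security associations before trusting the interface state.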
Cause:
The issue is due to a bug in the Junos OS code.
Solution:
  • This behavior is not seen in IKE Main Mode or when both sides are statically configured.
  • This behavior is not noticed in Junos 10.0, 10.3R4, 11.3R1, 11.2R1, 11.1R2, and 10.4R5.
  • The issue has been fixed in all the newer Junos OS releases.
  • The release note for this bug can be viewed here: PR591975
Modification History:
2020-02-26: minor non-technical edits.
