
[SRX] Tunnel interface st0.0 goes down on SRX cluster serving as hub in hub and spoke network


Article ID: KB24039 | Last Updated: 08 Sep 2020 | Version: 2.0
Summary:

Intermittently, the route-based tunnel interface st0.0 goes down on the hub SRX cluster, so transit traffic can no longer pass through the VPN tunnel.

This article examines how the VPN monitor configured on the SRX cluster hub takes the st0.0 interface down after its reachability probes to the remote peer fail because the peer's physical interface is flapping. A workaround that avoids this scenario is also suggested.

 

Symptoms:

The following snippet from the logs shows that the VPN monitor, which is configured for every single VPN on the hub, is taking the st0.0 interface down after being unable to reach the destination IP address on the spoke.

srx-node1 0055-guesthub-fw-node1 svcs_fwdd_ifl_event_handler 576: IF is not services PIC subunit (st0)
srx-node1 kmd[1305]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=3ffed228, src_ip=147.179.29.102, dst_ip=147.179.192.245]
srx-node1 kmd[1305]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=3ffed228, src_ip=147.179.29.102, dst_ip=10.102.24.7]
srx-node1 kmd[1305]: IKE Phase-2 Failure: IKE Phase-2 negotiation retry limit reached [spi=3ffed228, src_ip=147.179.29.102, dst_ip=10.102.151.10]
srx-node1 mib2d[1318]: SNMP_TRAP_LINK_DOWN: ifIndex 508, ifAdminStatus up(1), ifOperStatus down(2), ifName st0.0

 

Cause:

The following logs from the NetScreen SSG spoke show that the external interface connecting the spoke to the hub is physically flapping. While the link is down, the VPN monitor on the hub receives no response from this peer, and after the retry limit is reached it brings down the st0.0 interface.

duplex half, speed 10M.
system notif 00513 The physical state of interface
ethernet0/4 has changed to Up.
system notif 00612 Switch event: the status of ethernet
port ethernet0/4 changed to link up,
duplex full, speed 10M.
system notif 00513 The physical state of interface
ethernet0/4 has changed to Down.
system notif 00612 Switch event: the status of ethernet
port ethernet0/4 changed to link down,
duplex half, speed 10M.
system warn 00019 Syslog cannot connect to the TCP
server 10.177.72.61; the connection is
closed.

 

Solution:

A configuration change is required to remove VPN monitoring from the hub and use it on the spoke. This way, the spoke will be the initiator of the VPN tunnel and a physical link flap between the hub and spoke will not trigger the VPN monitor to take down the tunnel st0 interface on the hub.

The following command is used to enable VPN monitoring:

root@srx# set security ipsec vpn <vpn-name> vpn-monitor
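As an added illustration that is not part of the KB article, the following Junos set-style configuration places the hub-side setting that triggers this behaviour next to the recommended layout in which the spoke owns the monitor. The VPN names (hub-to-spoke1, spoke1-to-hub), gateway and policy names, the address 10.0.0.1 and the interface units are placeholders; the spoke half assumes the spoke is also an SRX running Junos, whereas the spoke in this article is a NetScreen SSG whose ScreenOS syntax differs.

```junos
# Hub (SRX cluster), as found in this article: each spoke VPN carries
# vpn-monitor. When a spoke's physical link flaps, the hub's probes to
# that peer go unanswered, the retry limit is reached, and the hub marks
# st0.0 down, which also affects every other spoke bound to st0.0.
set security ipsec vpn hub-to-spoke1 bind-interface st0.0
set security ipsec vpn hub-to-spoke1 ike gateway gw-spoke1
set security ipsec vpn hub-to-spoke1 ike ipsec-policy ipsec-pol
set security ipsec vpn hub-to-spoke1 vpn-monitor

# Hub, corrected: remove the monitor from the hub side of every spoke VPN
# (repeat the delete for each spoke VPN name).
delete security ipsec vpn hub-to-spoke1 vpn-monitor

# Spoke, corrected (assumed to be an SRX for this example): the spoke
# initiates the tunnel and runs the monitor. source-interface is the
# spoke's st0 unit; destination-ip is a placeholder for a hub-side
# address reachable only through the tunnel, so a failed probe means the
# tunnel itself is unusable rather than just a transient link event.
set security ipsec vpn spoke1-to-hub bind-interface st0.0
set security ipsec vpn spoke1-to-hub ike gateway gw-hub
set security ipsec vpn spoke1-to-hub ike ipsec-policy ipsec-pol
set security ipsec vpn spoke1-to-hub establish-tunnels immediately
set security ipsec vpn spoke1-to-hub vpn-monitor source-interface st0.0
set security ipsec vpn spoke1-to-hub vpn-monitor destination-ip 10.0.0.1
```

After committing, confirm on the hub with `show security ipsec security-associations detail` that the spoke SAs no longer report VPN monitoring, and watch `show interfaces st0.0 terse` across a spoke link flap: the hub's st0.0 should stay up, while the spoke's own monitor tears down and re-establishes only its own tunnel.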

 

Modification History:

2020-09-08: Article reviewed for accuracy; minor, non-technical changes made; article valid and relevant

 
