[SRX] There is no IKE SA and the IPsec SA lifetime is "expired"

Article ID: KB24067 KB Last Updated: 30 Jun 2020Version: 2.0
Summary:

In an IPsec VPN there is no IKE SA, yet IPsec SAs are present and their lifetime shows as "expired".

This article is for SRX High End devices.

Symptoms:

In a hub-and-spoke VPN with an SRX high-end device as the hub, the VPN could not be established. There was no IKE SA, yet there were many IPsec SAs, and their lifetime was always "expired", as shown below:

admin@SRX3400> show security ike security-associations

admin@SRX3400> show security ipsec security-associations
Total active tunnels: 3
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port Gateway
<131079 ESP:des/ sha1 8a61b39  expir/expir   -  root  500 100.100.100.1  
>131079 ESP:des/ sha1 d1ace040 expir/expir   -  root  500 100.100.100.1
<131075 ESP:des/ sha1 a489c54  expir/expir   -  root  500 100.100.100.2 
>131075 ESP:des/ sha1 9cd99fa8 expir/expir   -  root  500 100.100.100.2 
<131074 ESP:des/ sha1 b6fc1a3  expir/expir   -  root  500 100.100.100.3 
>131074 ESP:des/ sha1 70986d44 expir/expir   -  root  500 100.100.100.3 

Cause:

This issue occurs only on high-end devices: SRX1400, SRX3400, SRX3600, SRX5600 and SRX5800.

The root cause is that the system time on the SPC is incorrect. No NTP is configured, so the SPC's clock is never synchronized with the RE's, and the IPsec SA lifetimes, which are tracked on the SPC, are evaluated against a clock that is decades off.

Here is the RE's system time:
admin@SRX3400> show system uptime
Current time: 2012-05-11 20:54:05 UTC
System booted: 2012-05-11 20:14:59 UTC (00:39:06 ago)
Protocols started: 2012-05-11 20:16:20 UTC (00:37:45 ago)
Last configured: 2012-05-11 20:54:01 UTC (00:00:04 ago) by admin
8:54PM up 39 mins, 2 users, load averages: 0.07, 0.02, 0.05

Here is the SPC's system time:
admin@root> start shell
% tnpdump
   Name                TNPaddr      MAC address     IF  MTU  E H R
master                    0x1 02:00:00:00:00:04     em0 1500 0 0 3
master                    0x1 02:00:01:00:00:04     em1 1500 0 1 3
cpp0                      0x2 02:00:00:00:00:02     em0 1500 4 0 3
re0                       0x4 02:00:00:00:00:04     em0 1500 0 0 3
re0                       0x4 02:00:01:00:00:04     em1 1500 0 1 3
fpc1.pic0               0x111 02:00:01:00:01:11     em1 1500 2 0 3
bcast              0xffffffff ff:ff:ff:ff:ff:ff     em0 1500 0 0 3
bcast              0xffffffff ff:ff:ff:ff:ff:ff     em1 1500 0 1 3

root@root% telnet -Ji fpc1.pic0
Trying 128.0.1.17...
Connected to fpc1.pic0.
Escape character is '^]'.

SPC1_PIC0 (ttyp0)

login: root

--- JUNOS 11.4R2.14 built 2012-03-17 17:44:30 UTC

root@SPC1_PIC0% date
Thu Jul 2 12:39:39 UTC 1987  <--- SPC's time is incorrect

Solution:

Configuring an NTP server and synchronizing the clock resolves the issue:

admin@SRX3400> show configuration system ntp
server 133.100.11.8;
server 91.189.94.4;

admin@SRX3400> set date ntp
11 May 13:04:51 ntpdate[2519]: step time server 133.100.11.8 offset -0.018721 sec

root@SRX3400% tnpdump
   Name                TNPaddr      MAC address     IF  MTU  E H R
master                    0x1 02:00:00:00:00:04     em0 1500 0 0 3
master                    0x1 02:00:01:00:00:04     em1 1500 0 1 3
cpp0                      0x2 02:00:00:00:00:02     em0 1500 4 0 3
re0                       0x4 02:00:00:00:00:04     em0 1500 0 0 3
re0                       0x4 02:00:01:00:00:04     em1 1500 0 1 3
fpc1.pic0               0x111 02:00:01:00:01:11     em1 1500 2 0 3
bcast              0xffffffff ff:ff:ff:ff:ff:ff     em0 1500 0 0 3
bcast              0xffffffff ff:ff:ff:ff:ff:ff     em1 1500 0 1 3
root@Test% telnet -Ji fpc1.pic0
Trying 128.0.1.17...
Connected to fpc1.pic0.
Escape character is '^]'.

SPC1_PIC0 (ttyp0)

login: root

--- JUNOS 11.4R2.14 built 2012-03-17 17:44:30 UTC
root@SPC1_PIC0% date
Fri May 11 13:06:58 UTC 2012   <--- SPC's system time is correct

After the clocks are synchronized, the IKE and IPsec SAs come up correctly:

admin@Test> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
276505830 UP    087189ea5eb0ce5b 52cddb1a95493f24  Main           100.100.100.1
293282873 UP    aeef98f48a27ac56 c03ea73f5b2df752  Main           100.100.100.2
310060266 UP    004e5560499dc752 e41788e7abeb603f  Main           100.100.100.3
 

admin@Test> show security ipsec security-associations
  Total active tunnels: 3
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
<131079   ESP:des/ sha1 8d211f8  28767/unlim   -   root 500  100.100.100.1
>131079   ESP:des/ sha1 d1ace044 28767/unlim   -   root 500  100.100.100.1
<131075   ESP:des/ sha1 ad41baa  28789/unlim   -   root 500  100.100.100.2
>131075   ESP:des/ sha1 9cd99fb6 28789/unlim   -   root 500  100.100.100.2
<131074   ESP:des/ sha1 b16850c  28756/unlim   -   root 500  100.100.100.3
>131074   ESP:des/ sha1 70986d48 28756/unlim   -   root 500  100.100.100.3 
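As an added check that is not part of this KB article: a small Python script that parses the three outputs used above (the IKE SA listing, the IPsec SA listing, and the RE and SPC clocks) and flags the signature this article describes, so the condition can be spotted from saved CLI output before anyone logs in to the SPC. The sample output and timestamps below are constructed for the example, and the 300-second skew threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed samples modelled on the article's CLI output (made-up values).
IPSEC_BROKEN = """\
Total active tunnels: 2
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port Gateway
<131079 ESP:des/ sha1 8a61b39  expir/expir   -  root  500 100.100.100.1
>131079 ESP:des/ sha1 d1ace040 expir/expir   -  root  500 100.100.100.1
<131075 ESP:des/ sha1 a489c54  28767/unlim   -  root  500 100.100.100.2
>131075 ESP:des/ sha1 9cd99fa8 28767/unlim   -  root  500 100.100.100.2
"""
IKE_EMPTY = ""   # 'show security ike security-associations' printed nothing
RE_TIME = "Current time: 2012-05-11 20:54:05 UTC"   # from 'show system uptime'
SPC_TIME = "Thu Jul 2 12:39:39 UTC 1987"            # from 'date' on the SPC

LIFE = re.compile(r"^(\d+|expir|unlim)/(\d+|expir|unlim)$")  # the Life:sec/kb column

def expired_ipsec_sas(output):
    """Return sorted (sa_id, gateway) pairs whose lifetime column shows 'expir'."""
    found = set()
    for line in output.splitlines():
        if not line.startswith(("<", ">")):
            continue                      # skip summary and header lines
        cols = line.split()               # algorithm may span two tokens, so scan
        life = next((c for c in cols if LIFE.match(c)), None)
        if life and "expir" in life:
            found.add((cols[0][1:], cols[-1]))   # drop the direction marker from the ID
    return sorted(found)

def ike_sa_count(output):
    """Count IKE SA rows: data rows start with a numeric index, the header does not."""
    return sum(1 for l in output.splitlines() if l.strip()[:1].isdigit())

def clock_skew_seconds(re_line, spc_line):
    """Compare RE 'Current time: YYYY-MM-DD HH:MM:SS UTC' with SPC BSD-style 'date' output."""
    re_t = datetime.strptime(re.search(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d", re_line).group(), "%Y-%m-%d %H:%M:%S")
    m = re.search(r"(\w{3}) (\d{1,2}) (\d\d:\d\d:\d\d) UTC (\d{4})", " ".join(spc_line.split()))
    spc_t = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
    return abs((re_t - spc_t).total_seconds())

def diagnose(ike_out, ipsec_out, re_line, spc_line, max_skew=300):
    """True match = no IKE SA, at least one expired IPsec SA, and SPC clock skewed (assumed 300 s)."""
    expired = expired_ipsec_sas(ipsec_out)
    skew = clock_skew_seconds(re_line, spc_line)
    match = ike_sa_count(ike_out) == 0 and bool(expired) and skew > max_skew
    return {"ike_sas": ike_sa_count(ike_out), "expired": expired, "skew_seconds": skew, "kb24067_match": match}
```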

Modification History:
2020-06-24: Article reviewed for accuracy; no changes required.