[ScreenOS] Why does the first packet get dropped when VPN traffic is initiated for the first time?

Article ID: KB29492 | Last Updated: 17 Sep 2014 | Version: 2.0
Summary:

This article explains why the first packet is dropped when traffic is initiated across an IPsec VPN whose security association (SA) has not yet been negotiated. This behavior is by design; there is no workaround for the initial packet.

Symptoms:

The customer has a route-based or policy-based VPN configured between the Juniper firewall and a peer device. Assume that the Phase 1 and Phase 2 configuration elements (pre-shared keys, proposals) match on both devices, and that VPN Monitor and rekey are disabled in Phase 2, so the tunnel is brought up only on demand by data traffic. The customer initiates a ping from a host on the local LAN behind the Juniper firewall to a host behind the remote peer. The first ping packet is dropped. Why does this happen?


Cause:

In the debug output, the first packet is shown as dropped with the reason 'SA inactive'. Because the two peers have not yet negotiated the IKE Phase 1 and Phase 2 parameters, no SA exists and the VPN is inactive. The first packet that needs to traverse the tunnel triggers IKE negotiation, but it cannot itself be encrypted (there is no SA to encrypt it with), so it is discarded. By the time the second packet is sent, the peers have completed negotiation and installed the SA on both ends, so that packet and all subsequent packets are forwarded through the tunnel.


Example:
SSG -> ping 2.2.2.2 from loopback.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 1 seconds from loopback.1
.!!!!
Success Rate is 80 percent (4/5), round-trip time min/avg/max=1/1/2 ms

In the example, the first ICMP packet is dropped and the remaining four ICMP requests are successful.
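To make the sequence concrete, the following Python model (an added example, not ScreenOS code and not part of the original article) reproduces the encryption-path decision described above: a packet arriving with no SA triggers negotiation and is dropped, packets arriving while negotiation is still in progress are also dropped, and packets arriving after the SA is installed are forwarded. The negotiation time, the 'SA inactive' state handling and the ping interval are assumptions chosen to reproduce the ".!!!!" pattern; the model also generalizes to show that the number of leading packets lost depends on how IKE negotiation time compares with the packet interval.

```python
"""Model of the first-packet drop on an on-demand IPsec tunnel.

Illustrative example only, not ScreenOS code. The negotiation time and
the hypothetical SA state machine are assumptions used to reproduce the
'.!!!!' ping result shown in the article.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TunnelSim:
    # Assumed time (seconds) for the IKE Phase 1 + Phase 2 exchange to complete.
    ike_negotiation_time: float
    # None means no SA exists and negotiation has not been triggered yet.
    sa_ready_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def send(self, t: float) -> bool:
        """Decide the fate of a packet that must enter the tunnel at time t.

        Returns True if the packet is encrypted and forwarded, False if dropped.
        """
        if self.sa_ready_at is None:
            # No SA: this packet triggers IKE but cannot itself be encrypted.
            self.sa_ready_at = t + self.ike_negotiation_time
            self.log.append(f"t={t:.3f}s drop (SA inactive); IKE triggered")
            return False
        if t < self.sa_ready_at:
            # Negotiation still in progress: this packet is lost as well.
            self.log.append(f"t={t:.3f}s drop (SA inactive); IKE in progress")
            return False
        # SA installed on both ends (assumed): packet is encrypted and forwarded.
        self.log.append(f"t={t:.3f}s forwarded (SA active)")
        return True


def ping_pattern(count: int, interval: float, ike_negotiation_time: float) -> str:
    """Return a ping-style result string: '.' for a lost echo, '!' for a reply.

    Assumes that every forwarded request receives a reply, i.e. the only
    cause of loss is the missing SA on the initiating side.
    """
    tunnel = TunnelSim(ike_negotiation_time)
    return "".join("!" if tunnel.send(i * interval) else "." for i in range(count))


def success_rate(pattern: str) -> float:
    """Percentage of echoes answered, as printed by the ping command."""
    return 100.0 * pattern.count("!") / len(pattern)


if __name__ == "__main__":
    # Five echoes one second apart with a 200 ms negotiation: the article's case.
    p = ping_pattern(count=5, interval=1.0, ike_negotiation_time=0.2)
    print(p, f"Success Rate is {success_rate(p):.0f} percent")
    # A faster sender (100 ms interval) loses more than one leading packet.
    print(ping_pattern(count=5, interval=0.1, ike_negotiation_time=0.25))
```

With a one-second ping interval the model yields ".!!!!" and an 80 percent success rate, matching the article's output. With a 100 ms interval and a 250 ms negotiation it yields "...!!", showing that the single lost packet in the article is a consequence of the ping interval exceeding the negotiation time, not a fixed property of the tunnel.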


Solution:

This behavior is by design. The first packet is dropped when VPN traffic is initiated because the two peers have not yet negotiated the VPN parameters; the packet itself is what triggers IKE negotiation, and no SA exists to encrypt it. Losing a single leading packet under these conditions is expected. If every packet is lost instead, the SA never came up and the Phase 1 and Phase 2 configuration should be verified (for example, check the SA status with `get sa` on the ScreenOS device).
