Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Load balancing IPSEC SAs after In-Service Hardware Upgrade (ISHU)

0

0

Article ID: KB32475 KB Last Updated: 11 May 2018Version: 1.0
Summary:

Additional SPCs can be installed in the service gateways in a cluster without incurring downtime using ISHU. After performing an ISHU, the existing IPSEC SAs will not be load balanced by default but the new SAs will be. The existing SAs will continue to be anchored on the original SPCs. 

The SAs can be checked using the command, 'show security ike tunnel-map'

For more details, refer to documentation on show security ike tunnel-map.

Solution:

The existing IPSEC SAs can be forcefully load-balanced between all SPCs (including the newly added card) by performing one of the following actions:

  • Modify the configuration of the existing VPN (example: change gateway name) or delete and re-add the VPN configuration and commit the changes 
  • Reboot both nodes simultaneously
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search