IPSec tunnel between a NetScreen and a Windows 2003 based computer (including ISA server) drops every few minutes.

Article ID: KB9347 KB Last Updated: 21 Jun 2010 Version: 3.0
Summary:
An IPSec tunnel between a NetScreen firewall and a Windows 2003 server, or a Microsoft ISA server running on a Windows 2003 device, drops every 3 to 10 minutes. If VPN Monitor with rekey is enabled, or if there is active traffic across the VPN, the Phase 2 tunnel renegotiates every 3 to 10 minutes.
Symptoms:

Microsoft Windows 2003 server has multiple known issues that cause IPSec Phase 2 tunnels to drop every 3 to 10 minutes. Microsoft KBs KB907259 and KB923339 explain the issues.

 

Solution:

Please request the Hotfixes, mentioned in the KBs below, from Microsoft and apply them on the Windows 2003 server.

http://support.microsoft.com/kb/907259 - Cannot sustain a connection for longer than 3 to 10 minutes between a Microsoft Windows Server 2003 Service Pack 1 (SP1)-based computer and a Linux-based computer

http://support.microsoft.com/kb/923339 - The client connections are dropped frequently when you use the IPSec tunnel through a NAT device on a Windows Server 2003

In addition to the above two issues, there is also a known issue with the IKE Phase 2 idle timeout in Windows 2003.

If the above Hotfixes do not fix the issue, try the following registry entry to set the SAIdleTime to the same value as the IKE Phase 2 timeout. The following example sets SAIdleTime to 3600 seconds, assuming IKE Phase 2 time is 3600 seconds as well.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
Value name: SAIdleTime
Data Type: REG_DWORD
Value data: 3600
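
The following PowerShell sketch is an added example, not part of the Juniper article: it applies the registry value above only when it differs from the intended Phase 2 timeout, reports the previous value so the change can be reverted, and reads the result back. The function name `Set-SAIdleTime` and its parameter are hypothetical; the key path, value name and data type are the ones given above.

```powershell
# Added example (not from the Juniper article). Function and parameter names
# are hypothetical; key path, value name and type come from the article.
function Set-SAIdleTime {
    param(
        # Must match the IKE Phase 2 timeout (seconds) used for the tunnel.
        [Parameter(Mandatory = $true)]
        [int]$Phase2TimeoutSeconds
    )

    if ($Phase2TimeoutSeconds -le 0) {
        throw "Phase2TimeoutSeconds must be a positive number of seconds."
    }

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSec'
    $name = 'SAIdleTime'

    if (-not (Test-Path $key)) { throw "Registry key not found: $key" }

    # Read the current value (if any) so the previous state is on record.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $Phase2TimeoutSeconds) {
        Write-Output "$name is already $current; nothing to change."
        return
    }
    if ($null -eq $current) {
        Write-Output "$name is not present; creating it."
    } else {
        Write-Output "$name was $current; changing to $Phase2TimeoutSeconds."
    }

    # -Force overwrites an existing value; DWord corresponds to REG_DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord `
        -Value $Phase2TimeoutSeconds -Force | Out-Null

    # Read the value back and fail loudly if it did not take.
    $after = (Get-ItemProperty -Path $key -Name $name).$name
    if ($after -ne $Phase2TimeoutSeconds) {
        throw "Verification failed: $name is $after."
    }
    Write-Output "$name = $after"
}

# The article's example: Phase 2 timeout of 3600 seconds.
Set-SAIdleTime -Phase2TimeoutSeconds 3600
```

Run it from an elevated session on the Windows 2003 server, passing the same Phase 2 value that is configured on the NetScreen side of the tunnel.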

 
