SRX Series VPNs unreliable behind ASA 5510.

msteinhilber Member Posts: 1,480
Hey all, wondering if someone else here might have some input for a Juniper newbie (and somewhat of a Cisco newbie, at least as far as VPNs go, too).

I've been able to establish route-based tunnels from our SRX240 at our corporate location to SRX100s and our Linksys RV042s (being replaced by SRX100s as we get out to all of our offices), but they are unreliable. I initially got things working on a Friday afternoon, had several tunnels up and running, and upon coming in Monday I discovered they were down and they would not come back up. Nothing I tried would bring the tunnel back up; it would complete phase 1 but not phase 2. I believe that's the case at least, since they showed up in ike security-associations but nothing in ipsec security-associations; correct me if I'm wrong :)

Rebooting the device would allow the tunnel to come back up (is there a CLI command to just restart the VPN tunnels?) for some time, until the same thing occurs a few hours or so later. This was the common theme while the SRX240 was sitting behind our ASA 5510. Eventually the ASA 5510 will be replaced by the SRX240, but for the time being we need both up. If I take the SRX240 home and config it there, I can build as many tunnels as I want and they are 100% reliable over the course of a week, so I'm assuming it's something with the ASA.

I'm out of the office now and don't have my configs handy, but our ASA is using static NAT to assign one of our public IPs to the SRX. I've opened all traffic to the SRX (access-list 111 extended permit ip any host X.X.X.X). I researched the issue and found some suggestions to have the ASA inspect ipsec-pass-thru, and still no luck.

Any thoughts? I don't have any real options to get the SRX on our network edge bypassing the ASA, since our ISP provides the ASA with a /30 to which they route our usable /27 IP space. I have enough unused IP space in our /27 that they could break that up and set us up with another /30 and route a smaller space to that, but they don't seem willing to cooperate. I realize I haven't provided too much detail, but I wanted to just get this out here quick before I head out the door. I'll fill in more details of the scenario if they are needed once I get back home a bit later.

Thanks!
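The symptom described above (peers listed in `show security ike security-associations` but absent from `show security ipsec security-associations`) can be checked mechanically rather than by eye. This is an added example, not code from the poster; the two command outputs are constructed samples that only approximate the Junos column layout, and the script simply reports remote peers that have an IKE SA in state UP but no IPsec SA in either direction.

```python
import re

# Constructed sample output, approximating the layout of the two Junos
# commands; it is not a capture from the poster's SRX240.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1234567 UP     a1b2c3d4e5f60718  1122334455667788  Main           203.0.113.10
1234568 UP     0f1e2d3c4b5a6978  8877665544332211  Main           198.51.100.20
1234569 DOWN   00000000deadbeef  00000000cafebabe  Main           192.0.2.30
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-128/sha1 1a2b3c4d 3551/ unlim - root 500 203.0.113.10
  >131073 ESP:aes-cbc-128/sha1 5e6f7a8b 3551/ unlim - root 500 203.0.113.10
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def ike_peers_up(text):
    """Remote addresses of IKE (phase 1) SAs whose State column is UP."""
    peers = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[1] == "UP" and IPV4.match(fields[-1]):
            peers.add(fields[-1])
    return peers


def ipsec_gateways(text):
    """Gateways with at least one IPsec (phase 2) SA; '<' and '>' mark the two directions."""
    gateways = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0][0] in "<>" and IPV4.match(fields[-1]):
            gateways.add(fields[-1])
    return gateways


def stuck_peers(ike_text, ipsec_text):
    """Peers with phase 1 up but no phase 2 SA: the exact condition the post describes."""
    return sorted(ike_peers_up(ike_text) - ipsec_gateways(ipsec_text))


if __name__ == "__main__":
    for peer in stuck_peers(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT):
        print(f"phase 1 up, no phase 2 SA: {peer}")
```

Run against real output of the two commands, the same comparison tells you which peers are stuck before any phase 2 negotiation is retried.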