Hey party people.
We have a site-to-site IPSec tunnel running from an SRX-240 to a NetScreen. Recently (cause or change unknown), the VPN between the two systems has been dropping (and re-connecting) just about exactly every 50 minutes.
We looked into this and here's what we found out - the configuration is set up correctly on both sides:
SRX IKE (Phase1):
proposal $OUR_PROPOSAL {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 86400;
}
NetScreen IKE:
set ike p1-proposal $OUR_PROPOSAL preshare group2 esp 3des sha-1 second 86400
SRX IPSEC (Phase2):
proposal P2Proposal {
    description P2_Proposal;
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;
}
NetScreen IPSEC:
set ike p2-proposal P2Proposal no-pfs esp aes256 md5 second 3600
What we found after doing some troubleshooting is the tunnel is dropping and being re-keyed at almost *exactly* 50 minutes, which corresponds *exactly* to the IPSec soft lifetime on the SRX.
Apr 4 10:53:48 Deleted (...) entry from the peer hash table. Reason: lifetime expire
Apr 4 11:43:14 Deleted (...) entry from the peer hash table. Reason: lifetime expire
Apr 4 12:32:44 Deleted (...) entry from the peer hash table. Reason: lifetime expire
I opened a support ticket on this, and the suggestion was to try to reboot the SRX, but I think there's more to it than that here. Anyone got any bright ideas? As it stands, the tunnel re-negotiates automatically after it drops for another 50 minutes.
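Added example, not part of the original post: a small Python script that checks the poster's observation from the log itself. It parses the "lifetime expire" deletion lines, measures the interval between consecutive events, and compares that interval with the configured Phase 2 lifetime (3600 s above). If the intervals are tightly regular and land well short of the hard lifetime, the drops line up with a lifetime-driven re-key rather than with random link loss. The log lines are constructed to match the excerpt in the post (peer details elided); the year is supplied by the caller because syslog timestamps carry none, and the 60 s tolerance is an assumed threshold.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the three log lines quoted in the post.
SAMPLE_LOG = """\
Apr 4 10:53:48 Deleted (...) entry from the peer hash table. Reason: lifetime expire
Apr 4 11:43:14 Deleted (...) entry from the peer hash table. Reason: lifetime expire
Apr 4 12:32:44 Deleted (...) entry from the peer hash table. Reason: lifetime expire
"""

CONFIGURED_P2_LIFETIME = 3600  # lifetime-seconds from the SRX Phase 2 proposal

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*Reason: (?P<reason>.+)$"
)


def parse_expiry_events(text, year=2000):
    """Return the timestamps of 'lifetime expire' events, in log order.

    Syslog lines have no year, so one is supplied (2000 is a leap year, so a
    Feb 29 line still parses). Lines are assumed to be chronological; if a
    timestamp goes backwards the log has wrapped past midnight, so a day is added.
    """
    events = []
    day_offset = timedelta(0)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("reason").strip() != "lifetime expire":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S") + day_offset
        if events and ts < events[-1]:
            day_offset += timedelta(days=1)
            ts += timedelta(days=1)
        events.append(ts)
    return events


def rekey_intervals(events):
    """Whole seconds between consecutive expiry events."""
    return [int((b - a).total_seconds()) for a, b in zip(events, events[1:])]


def analyse(intervals, configured_lifetime, tolerance=60):
    """Compare observed re-key intervals with the configured Phase 2 lifetime.

    'regular' means all intervals agree within the tolerance (a timer, not
    random loss); 'early' means the SA is being torn down well before the hard
    lifetime would expire.
    """
    if not intervals:
        return {"events": 0, "regular": False, "early": False}
    mean = sum(intervals) / len(intervals)
    spread = max(intervals) - min(intervals)
    return {
        "events": len(intervals) + 1,
        "mean_seconds": round(mean),
        "spread_seconds": spread,
        "ratio_to_lifetime": round(mean / configured_lifetime, 3),
        "regular": spread <= tolerance,
        "early": mean < configured_lifetime - tolerance,
    }


if __name__ == "__main__":
    evs = parse_expiry_events(SAMPLE_LOG)
    ivs = rekey_intervals(evs)
    print("intervals (s):", ivs)
    print(analyse(ivs, CONFIGURED_P2_LIFETIME))
```

On the three lines from the post this gives intervals of 2966 s and 2970 s, a 4 s spread, and a mean of about 82% of the 3600 s Phase 2 lifetime, which is what you would expect from a soft-lifetime timer firing on schedule. Feed it a longer stretch of the SRX log and, if the spread stays in single-digit seconds, the cause is the re-key itself rather than anything on the wire.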