Good Afternoon,
I've been having some issues with a route based VPN we have between our SRX cluster and a customer Checkpoint.
Generally, the VPN is working fine. We have 2 subnets on our side hitting a single subnet on the customer side.
However, since commissioning, there have been occasions when traffic suddenly stops, despite the tunnel showing as up.
After some troubleshooting and trying to catch the issue in the act, it appears to occur at the expiry of the IKE lifetime.
If I show security ike security-associations I get multiple entries from the remote address, each with a different responder cookie, i.e.
run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1680778 DOWN 2f3630c7793bb71d 043d90f6ba3fa714 IKEv2 xxx.yyy.107.112
1680779 DOWN 2f3630c7793bb71d 77519331f7326753 IKEv2 xxx.yyy.107.112
1680780 DOWN 2f3630c7793bb71d 693bfd25d67047c8 IKEv2 xxx.yyy.107.112
1679918 UP 2f3630c7793bb71d ea64ec80ed888de5 IKEv2 xxx.yyy.107.112
In the above state - no traffic will pass - although the IPSEC claims to be up...
If I manually clear the Index that is DOWN, the service will be restored.
If I leave the firewall alone, eventually it seems to sort itself out and restore traffic
However, a several-minute outage every 8 hours is growing tiresome.
Has anyone ever come across something like this before or have any suggested solutions?
Much appreciated
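Added example, not code from the poster or from Juniper: a small Python script that parses the `show security ike security-associations` table in the format shown above, groups SAs by remote peer, and reports peers that carry stale DOWN SAs next to an UP one (the exact state the post describes), so an operator can monitor for the condition instead of catching it by hand. The sample table is constructed from the post's own masked values, and the `clear security ike security-associations index <n>` command string is assumed to be the form of the manual clear the poster mentions; the script only prints those commands for review, it does not run them.

```python
import re
from collections import defaultdict

# Constructed sample input: the SA table from the post (addresses are the
# post's own masked values, not real peers).
SAMPLE_OUTPUT = """\
Index State Initiator cookie Responder cookie Mode Remote Address
1680778 DOWN 2f3630c7793bb71d 043d90f6ba3fa714 IKEv2 xxx.yyy.107.112
1680779 DOWN 2f3630c7793bb71d 77519331f7326753 IKEv2 xxx.yyy.107.112
1680780 DOWN 2f3630c7793bb71d 693bfd25d67047c8 IKEv2 xxx.yyy.107.112
1679918 UP 2f3630c7793bb71d ea64ec80ed888de5 IKEv2 xxx.yyy.107.112
"""

# One SA row: index, state, two 16-hex-digit cookies, IKE mode, remote address.
SA_LINE = re.compile(
    r"^(?P<index>\d+)\s+(?P<state>UP|DOWN)\s+"
    r"(?P<icookie>[0-9a-fA-F]{16})\s+(?P<rcookie>[0-9a-fA-F]{16})\s+"
    r"(?P<mode>\S+)\s+(?P<remote>\S+)\s*$"
)


def parse_ike_sas(text):
    """Parse the CLI table into a list of dicts; header and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["index"] = int(row["index"])
        sas.append(row)
    return sas


def find_stale_peers(sas):
    """Return {remote: [DOWN SA indexes]} for peers that have at least one DOWN SA
    alongside an UP one. A lone DOWN SA during a normal rekey is not reported."""
    by_peer = defaultdict(list)
    for sa in sas:
        by_peer[sa["remote"]].append(sa)
    stale = {}
    for remote, entries in by_peer.items():
        down = sorted(e["index"] for e in entries if e["state"] == "DOWN")
        has_up = any(e["state"] == "UP" for e in entries)
        if down and has_up:
            stale[remote] = down
    return stale


def shared_initiator_cookies(sas):
    """Return {initiator cookie: number of distinct responder cookies} where more
    than one responder cookie exists, which is the symptom visible in the post."""
    responders = defaultdict(set)
    for sa in sas:
        responders[sa["icookie"]].add(sa["rcookie"])
    return {c: len(r) for c, r in responders.items() if len(r) > 1}


def clear_commands(stale):
    """Build the per-index clear commands for review. The command form is an
    assumption about the CLI; it is not executed here."""
    return [
        f"clear security ike security-associations index {idx}"
        for remote in sorted(stale)
        for idx in stale[remote]
    ]


if __name__ == "__main__":
    parsed = parse_ike_sas(SAMPLE_OUTPUT)
    stale = find_stale_peers(parsed)
    for remote, idxs in stale.items():
        print(f"{remote}: {len(idxs)} stale DOWN SA(s) alongside an UP SA: {idxs}")
    for cookie, n in shared_initiator_cookies(parsed).items():
        print(f"initiator cookie {cookie} has {n} responder cookies")
    for cmd in clear_commands(stale):
        print("review:", cmd)
```

In production the input would come from the device (for example via a PyEZ RPC or a scheduled CLI capture) rather than the constructed string, and a non-empty result from `find_stale_peers` is the alerting condition to hang a check on, since the post notes that IPsec itself still reports up while the stale IKE SAs are present.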