NS to PIX VPN Issue - Phase 2

  • This is the scenario

    NS initiates a VPN to a PIX
    Both devices negotiate and a VPN is established.
    Data passes across the VPN and the counters/timers on the SA start to count down.
    All is lovely until the P2 re-keys.

    The re-key is initiated and new SA’s are created.  The NS starts to pass data down the VPN, (as shown by the SA stat counters), however the PIX refuses to use the new SA.

    Do a clear ike-cookie a.b.c.d and everything is torn down, re-established and kicks back into life.

    I have tried shortening the P1’s expiry times to be the same as the P2, (at both ends).  Thinking that although this is not very elegant, it may get the service working, (and the project off my back).

    Has anyone else seen this kind of behaviour?
    Any suggestions.

    I know that I have seen this between a Check Point and a Pix, but can’t remember what I did to fix the thing.

  • The problem is, I think, both devices are doing rekey at the same time.
    In that case,  “get event” should show many “Bad SPI” outputs.

    The workaround is:
    1. adjusting when to start rekey (soft lifetime buffer) on the Juniper device.
    2. set ike initiator-set-commit/ set ike responder-set-commit (Both are needed. Let the peer device know which SA should be used).

  • Thanks.

    That ties in nicely with the behaviour built into the Cisco.

    I’ll give it a squirt and give feed back.


  • Hi,

    How about

    set ike initiator-set-commit


  • BTW, the following is not set:

    set ike responder-set-commit