Solved

Juniper VPN tunnels flapping up and down after firmware upgrade

Posted on 2014-01-09
Last Modified: 2014-03-17
Experts,

We recently upgraded our branch office SRX650 firmware from 10.2.3 to 10.4.3 a couple of weeks ago. Afterwards we've seen VPN tunnels flap up and down on the LAN side, during which the WAN side never goes down. Funny thing is, when you log in to one of the SRX220s and do show interfaces terse, the LAN side shows up/up.

We have site to site VPN tunnels from our branch SRX650s to field SRX220s.  

I've tried rebooting the SRX220s, lowering tcp-mss and ipsec-vpn from 1300 to 1360, but to no avail. My SRX650 CPU utilization is low. The monitoring software I'm using to monitor the tunnels has had its test time upped to test less frequently, to no avail.

We have plenty of other VPN tunnels on the SRX650 that aren't flapping. I'm kind of lost and need some help.
0
Question by:Greggor25
9 Comments
 
LVL 32

Accepted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 39770663
Can you upgrade the SRX650 to the recommended version of 11.4R10.3 and see if you see the issue again?

http://kb.juniper.net/KB21476

Please update and update.

Thank you.
0
 

Author Comment

by:Greggor25
ID: 39771480
I have to get a maintenance window for an outage to push the firmware update.

Last time I copied the firmware to both nodes via USB stick and rebooted them simultaneously to not break the cluster.

Is this the recommended upgrade procedure?
0
 
LVL 13

Expert Comment

by:Quori
ID: 39772368
You can do an in-service upgrade which has minimal impact on live traffic.

Follow this:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947
0
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 39773204
As per Juniper documentation, In-Service Software Upgrade (ISSU) is not supported on branch SRX, but there are a few customers who have reported having successfully done ISSU on branch SRX boxes.

http://forums.juniper.net/t5/SRX-Services-Gateway/For-branch-SRX-running-HA-will-ISSU-be-supported-Perhaps-in-the/td-p/180885

Please follow the KB posted by expert Quori; also look at the above link for more information.

Please implement and update.

Thank you.
0
 

Author Comment

by:Greggor25
ID: 39776859
The in-service upgrade and documentation provided are very good. How long of a maintenance window would I need to complete the upgrade?

Hour or two hours?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39777072
Take a max of two hours to be on the safer side; ideally both boxes would be upgraded and operational in max 40 minutes.

Thank you.
0
 

Author Comment

by:Greggor25
ID: 39813283
I will perform the upgrade in two weeks and let you know the result. In the meantime, I have a ticket open with JTAC to see if they have any answers.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 39814460
Sure; please update us with your findings.
0
 

Author Comment

by:Greggor25
ID: 39934876
Updated the SRX650 cluster to the Juniper-recommended 11.4R10.3. Appears to have fixed the issue.

I have noticed that after updating, the JWeb interface pops policies and configuration a lot faster.
0
