asked on
Juniper VPN tunnels flapping up and down after firmware upgrade
Experts,
We recently upgraded our branch office SRX650 firmware from 10.2.3 to 10.4.3 a couple of weeks ago. Afterwards we've seen VPN tunnels flap up and down on LAN side. During which the WAN side never goes down. Funny thing is when you login into one of the SRX220 you do show interfaces terse the LAN side shows up/up.
We have site to site VPN tunnels from our branch SRX650s to field SRX220s.
I've tried rebooting the SRX220's, lowering tcp-mss and ipsec-vpn from 1300 to 1360 but to no avail. My SRX650 CPU utilization is low. The monitoring software I'm using to monitor the tunnels test time has been upped to test less frequent to no avail.
We have plenty of other VPN tunnels on the SRX650 that aren't flapping. I'm kind of lost and need some help.
We recently upgraded our branch office SRX650 firmware from 10.2.3 to 10.4.3 a couple of weeks ago. Afterwards we've seen VPN tunnels flap up and down on LAN side. During which the WAN side never goes down. Funny thing is when you login into one of the SRX220 you do show interfaces terse the LAN side shows up/up.
We have site to site VPN tunnels from our branch SRX650s to field SRX220s.
I've tried rebooting the SRX220's, lowering tcp-mss and ipsec-vpn from 1300 to 1360 but to no avail. My SRX650 CPU utilization is low. The monitoring software I'm using to monitor the tunnels test time has been upped to test less frequent to no avail.
We have plenty of other VPN tunnels on the SRX650 that aren't flapping. I'm kind of lost and need some help.
Network SecurityNetwork ManagementNetworking
Last Comment
Greggor25
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
You can do an in-service upgrade which has minimal impact on live traffic.
Follow this:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947
Follow this:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB17947
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
The In service upgrade and documentation provided is very good. How long of maintenance window would I need to complete the upgrade?
Hour or two hours?
Hour or two hours?
Take max of two hours to be on safer side; ideally both the boxes would get upgraded and operational in max 40 minutes.
Thank you.
Thank you.
ASKER
I will perform the upgrade in two weeks and let you know the result. In the mean time I have a ticket open with JTAC to see if they have any answers.
Sure; please update us with your findings.
ASKER
Updated the SRX650 cluster to Juniper recommended 11.4R10.3. Appears to have fixed the issue.
I have noticed after updating the JWeb interface pops policies and configuration a lot faster.
I have noticed after updating the JWeb interface pops policies and configuration a lot faster.
Last time I copied the firmware to both nodes via USB stick and rebooted them simultaneously to not break the cluster.
Is this the recommended upgrade procedure?