VPN connection lost every 60 min

[HowdyHai]

We have many Netscreen 5GT VPN gateway-gateway to Checkpoint device. One of them reset the tunnel every 60 minutes. We cannot access teh 5GT for 60 minutes and ping died after 60 minutes. The 5GT was not reset since we the log still exist. After approx 10 minutes, we was able to connect to the system again. The debug shows:

ipid = 569(0239), @03234150
other ip packet handle.

After the last VPN tunnel connection.

Does anyone know anything regarding the 5GT reset any connection/port every 60 minutes?

 

[MaxPipeline]

60 minutes sounds like it may be coinciding with phase2 lifetime. Try increasing lifetime in the P2 proposal and see if the issue coincides again with the new P2 lifetime. If so then that's where I would focus my troubleshooting.

 

[heyyunus]

Also turn off the VPN Monitor & Rekey option


-------
Yunus

 

[Yarzie]

I had a similar problem on a NS25 - logged it to Juniper TAC and this is what they said. I haven't tried it yet as system is live

by default, VPN tunnels will timeout if there is no activity after 1 hour. To specify
the timeout for the VPN, create a custom Phase 2 proposal, and specify the timeout
desired for that proposal. Specify the custom Phase 2 proposal when creating the VPN.

To create a new Phase 2 proposal in the WebUI:

VPNs > AutoKey Advanced > P2 Proposal > New