We've a number of different types of MXs under management. From what we've seen, IPSEC on the MX is not that reliable: it can often drop out and seems to need a constant traffic flow, otherwise it will drop IPSEC tunnels. Has anyone else experienced this and managed to resolve it?
Completely agree. Using AutoVPN with Meraki kit is rock solid, no issues at all. It's the non-Meraki VPN, aka regular IPSEC, which seems to be very flaky for some reason. We have tried with different vendors (and ironically most vendor kit we have is actually Cisco routers and ASAs); they seem to drop for no real reason when AutoVPN is happy and continues to work (so it doesn't point to circuit issues etc.).
This is all mainly Cisco ASAs running IKEv1 and v2 to an MX. It can be physical or vMX; we seem to get the same issues. Tunnels will drop out for no apparent reason and stop working, and they need a lot of intervention to get them going again, it seems. This has been on IKEv1 and v2, and to different ASAs, different IOS versions etc.
We don't use Fortinet kit so can't comment on those.
OK, on doing some more work on this, it appears the MX IPSEC tunnels do not like it if they don't have constant traffic. Not sure what the timeout is, but if they have no traffic passing, the tunnel drops and you need a ping or something similar to get the tunnel up and working again; they don't stay up on their own. We're seeing this on multiple MX models in different customer estates.
Does anyone know what the timeout is for the IPSEC drop out?