Situation:
Third-party site-to-site tunnel drops with no warning every few weeks. The local and remote ends spend a few hours timing out on p1 due to no valid IKEv1 proposals. 4-5 hours later, the problem tunnel is up again and works for several weeks.
The other tunnels on this firewall do not drop like this.
Devices:
Local end: MX60 running 14.39. Behavior occurred on 13.36 as well. (MyMeraki/aaa.aaa.aaa.aaa below)
Remote end: Some kind of Juniper SRX. (bbb.bbb.bbb.bbb below)
Settings:
Phase 1: 3DES - SHA1 - Lifetime 86400
Phase 2: 3DES - SHA1 - Lifetime 28800
IKEv1, main mode, no data-based lifetime.
Subnets match exactly
(I'd like to change to AES, but this client can be difficult.)
When problem tunnel is down, Meraki MX logs show multiple errors. Most common errors:
1. phase1 negotiation failed due to time up.
2. Ignore the packet, received unexpecting payload type 130.
3. invalid flag 0x08 (Rarely. I suspect SRX is trying IKEv2 when IKEv1 fails.)
The Juniper SRX is throwing this error, per its maintainer:
Jul 16 22:16:23 REDACTED kmd[2595]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: VPN-MyMeraki Gateway: VPN-MyMeraki, Local: bbb.bbb.bbb.bbb/500, Remote: aaa.aaa.aaa.aaa/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
Question:
Anyone seen this before? Is there something I'm overlooking here? The tunnel re-establishes just fine for at least 2-2.5 weeks, and then it will cut out and throw errors for 4-5 hours. Meanwhile, all the other tunnels on my MX are fine.
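As an added example, not part of the original post and not a tool from either vendor: a small Python triage script that reads a mixed bag of MX event messages and SRX kmd syslog lines, classifies them by the three MX error strings and the SRX "IKE negotiation failed" message quoted above, groups the failures per tunnel peer, and flags a peer whose run of failures spans more than an hour while the other peers stay quiet. The SRX line shape follows the kmd message quoted in the post; the MX line layout ("<ISO time> peer=<ip> msg=<text>"), the documentation-range IP addresses, the year and the sample log lines are all constructed assumptions for this example, not a real MX export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings of the MX messages quoted in the post, used to classify events.
MX_PATTERNS = {
    "p1_timeout": "phase1 negotiation failed due to time up",
    "bad_payload": "unexpecting payload type",
    "bad_flag": "invalid flag 0x08",
}

# Juniper kmd line shape follows the one quoted in the post.
SRX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kmd\[\d+\]: "
    r"IKE negotiation failed with error: (?P<err>[^.]+)\. IKE Version: (?P<ver>\d+), "
    r".*?Local: (?P<local>[\d.]+)/\d+, Remote: (?P<remote>[\d.]+)/\d+"
)
# ASSUMPTION: MX lines are modelled as "<ISO time> peer=<ip> msg=<text>";
# the real MX event-log export uses a different layout.
MX_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) peer=(?P<peer>[\d.]+) msg=(?P<msg>.*)$"
)


def parse_line(line, year=2019):
    """Return (timestamp, peer_ip, kind) for an IKE failure line, else None.

    `year` is needed because the kmd syslog timestamp carries no year.
    """
    m = SRX_RE.match(line)
    if m:
        stamp = " ".join(m["ts"].split())  # collapse the space-padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # Seen from the SRX, 'Local' is the SRX itself, i.e. the MX's peer,
        # so key on it to line the SRX log up with the MX log.
        kind = "srx_" + m["err"].strip().lower().replace(" ", "_")
        return ts, m["local"], kind
    m = MX_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        for kind, needle in MX_PATTERNS.items():
            if needle in m["msg"]:
                return ts, m["peer"], kind
    return None


def outage_windows(events, gap=timedelta(hours=2)):
    """Cluster failures per peer; a silence longer than `gap` starts a new window."""
    by_peer = defaultdict(list)
    for ts, peer, kind in sorted(events):
        by_peer[peer].append((ts, kind))
    windows = []
    for peer, evs in by_peer.items():
        cur = None
        for ts, kind in evs:
            if cur is None or ts - cur["end"] > gap:
                cur = {"peer": peer, "start": ts, "end": ts, "count": 0,
                       "kinds": defaultdict(int)}
                windows.append(cur)
            cur["end"] = ts
            cur["count"] += 1
            cur["kinds"][kind] += 1
    for w in windows:
        w["duration"] = w["end"] - w["start"]
    return windows


def triage(log_text, min_duration=timedelta(hours=1), year=2019):
    """Parse mixed MX/SRX lines; flag peers whose failure run lasts >= min_duration."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    windows = outage_windows(events)
    for w in windows:
        w["flagged"] = w["duration"] >= min_duration
    return windows


# Constructed sample: 203.0.113.10 plays the SRX, 198.51.100.20 the MX,
# 192.0.2.77 a healthy peer with a single stray timeout.
SAMPLE_LOG = """\
2019-07-16 22:10:05 peer=203.0.113.10 msg=phase1 negotiation failed due to time up
2019-07-16 22:12:40 peer=203.0.113.10 msg=Ignore the packet, received unexpecting payload type 130.
Jul 16 22:16:23 srx-edge kmd[2595]: IKE negotiation failed with error: Timed out. IKE Version: 1, VPN: VPN-MyMeraki Gateway: VPN-MyMeraki, Local: 203.0.113.10/500, Remote: 198.51.100.20/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0: Role: Responder
2019-07-16 23:50:12 peer=203.0.113.10 msg=invalid flag 0x08
2019-07-17 01:00:00 peer=192.0.2.77 msg=phase1 negotiation failed due to time up
2019-07-17 01:20:00 peer=203.0.113.10 msg=phase1 negotiation failed due to time up
2019-07-17 02:30:00 peer=203.0.113.10 msg=phase1 negotiation failed due to time up
2019-07-17 03:05:00 peer=203.0.113.10 msg=Ignore the packet, received unexpecting payload type 130.
"""

if __name__ == "__main__":
    for w in triage(SAMPLE_LOG):
        mark = "FLAG" if w["flagged"] else "ok  "
        print(f"{mark} {w['peer']} {w['start']} -> {w['end']} "
              f"({w['duration']}, {w['count']} events, {dict(w['kinds'])})")
```

The 2-hour clustering gap and 1-hour flag threshold are chosen to match the symptom described in the post (a multi-hour run of p1 timeouts on one peer while the rest of the tunnels stay up); tighten them if your MX logs the failure far more often than once every couple of hours.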