Thread: One Question with the port status of Juniper Firew... - J-Net Community
Started 1 month, 2 weeks ago by blueseabin
Hi there, there is one question with the port status of a Juniper NetScreen firewall. The firewall has one Ethernet port (10M/100M) connected to the Cisco switch. On the switch side the interface shows: "GigabitEthernet1/0/2 is up, line protocol is up (connected)". However, on the firewall side, the box is powered off. Could the physical and line protocol still be detected as up? ...
Can anyone help me explain this alert please? [00001] 2007-11-09 12:52:23 [Root]system-alert-00026: IPSec tunnel on interface ethernet3/2 with tunnel ID 0x30 received a packet with a bad SPI. 139.130.*.*->202.122.*.*/128, ESP, SPI 0x4a6471e9, SEQ 0x1. What does "bad SPI" mean? It seems like the VPN tunnel is working fine even though this alert appears.
Are you seeing these messages about once every hour, on the hour? If so, this could mean that both peers attempted to rekey at the same time due to the phase 2 lifetime default of 1 hour. During this time there could be a very brief moment where both peers may be sending different SPI values. Once the phase 2 rekey completes, the messages go away. One way to prevent this is to adjust the IKE soft...
Thanks, it's acceptable if the two sides are negotiating. But the time it happens is unpredictable:
Date / Time | Level | Description
2007-11-11 03:15:57 | alert | IPSec tunnel on interface ethernet3/2 with tunnel ID 0x1a received a packet with a bad SPI. 139.130.*.*->202.122.*.*/136, ESP, SPI 0xc57971e9, SEQ 0x1.
2007-11-09 12:52:23 | alert | IPSec tunnel on interface ethernet3/2 with tunnel ID 0x30 ...
Is the other side a NetScreen/SSG device? If so, is either side using VPN monitoring? If one side is, then try enabling VPN monitoring with rekey on both sides and see if you still see the same problem. Otherwise you may need to capture the failing error condition via sniffer and/or snoop along with debug ike detail. If you still see issues or are unable to enable VPN monitoring, then I'd recommend...
We too receive bad SPI messages, i.e. 2008-02-01 14:12:42 Local0.Alert 192.168.168.3 ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00026: IPSec tunnel on int untrust with tunnel ID 0x3 received a packet with a bad SPI. 88.97.***.***->81.3.**.**/**, ESP, SPI 0xe7af, SEQ 0x1 (2008-02-01 14:25:28)000> (Note: IP addresses replaced with *'s for security reasons). We only have one bad SPI entry ...
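The replies above give a triage rule for system-alert-00026: alerts that land on the hour, every hour, point at a phase 2 rekey collision (default 1-hour lifetime), while alerts at unpredictable times need a closer look. The following Python script is an added example, not code from the thread or from Juniper: it parses the three message shapes quoted in this thread (console event, WebUI event table, syslog-forwarded line), groups the alerts per tunnel and applies that on-the-hour heuristic. The sample log is constructed for the example; the first three lines copy the masked entries posted above, the fourth is an invented on-the-hour alert, and the fifth is an unrelated filler line the parser must skip. The 120-second tolerance and the verdict strings are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (see lead-in): three shapes quoted in the thread,
# one invented on-the-hour alert, one unrelated line that must not match.
SAMPLE_LOG = """\
[00001] 2007-11-09 12:52:23 [Root]system-alert-00026: IPSec tunnel on interface ethernet3/2 with tunnel ID 0x30 received a packet with a bad SPI. 139.130.*.*->202.122.*.*/128, ESP, SPI 0x4a6471e9, SEQ 0x1.
2007-11-11 03:15:57 alert IPSec tunnel on interface ethernet3/2 with tunnel ID 0x1a received a packet with a bad SPI. 139.130.*.*->202.122.*.*/136, ESP, SPI 0xc57971e9, SEQ 0x1.
2008-02-01 14:12:42 Local0.Alert 192.168.168.3 ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00026: IPSec tunnel on int untrust with tunnel ID 0x3 received a packet with a bad SPI. 88.97.***.***->81.3.**.**/**, ESP, SPI 0xe7af, SEQ 0x1 (2008-02-01 14:25:28)
2007-11-12 04:00:41 alert IPSec tunnel on interface ethernet3/2 with tunnel ID 0x30 received a packet with a bad SPI. 139.130.*.*->202.122.*.*/128, ESP, SPI 0x1b2c3d4e, SEQ 0x1.
2007-11-12 04:01:02 info Admin user "netscreen" logged in via Telnet (constructed filler line)
"""

# One pattern for all three shapes: the first timestamp on the line is taken
# as the event time, anything between it and "IPSec tunnel" is ignored, and
# the "/port" suffix on the destination is optional (it is masked in one post).
BAD_SPI_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"IPSec tunnel on (?:interface|int) (?P<iface>\S+) with tunnel ID "
    r"(?P<tunnel>0x[0-9a-fA-F]+) received a packet with a bad SPI\. "
    r"(?P<src>[^\s>]+)->(?P<dst>[^\s/,]+)(?:/(?P<port>\S+?))?, "
    r"(?P<proto>\w+), SPI (?P<spi>0x[0-9a-fA-F]+), SEQ (?P<seq>0x[0-9a-fA-F]+)"
)


def parse_bad_spi(line):
    """Return a dict of fields for a bad-SPI alert, or None for any other line."""
    m = BAD_SPI_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "iface": m.group("iface"),
        "tunnel": int(m.group("tunnel"), 16),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spi": int(m.group("spi"), 16),
        "seq": int(m.group("seq"), 16),
    }


def near_top_of_hour(ts, tolerance_s=120):
    """True when ts lies within tolerance_s of hh:00:00 on either side."""
    offset = ts.minute * 60 + ts.second
    return offset <= tolerance_s or offset >= 3600 - tolerance_s


def triage(log_text, tolerance_s=120):
    """Group alerts per (interface, tunnel ID) and apply the on-the-hour heuristic.

    Verdict rule (assumption of this example, derived from the reply above):
    every alert on the hour -> likely rekey collision; anything else -> investigate.
    """
    events = [e for e in map(parse_bad_spi, log_text.splitlines()) if e]
    per_tunnel = defaultdict(list)
    for e in events:
        per_tunnel[(e["iface"], e["tunnel"])].append(e)
    report = {}
    for key, evs in per_tunnel.items():
        on_hour = [e for e in evs if near_top_of_hour(e["ts"], tolerance_s)]
        report[key] = {
            "total": len(evs),
            "on_hour": len(on_hour),
            "off_hour": len(evs) - len(on_hour),
            # SEQ 0x1 means the first packet on a (new) SA, consistent with a rekey.
            "fresh_sa": sum(1 for e in evs if e["seq"] == 1),
            "verdict": "likely rekey collision"
            if on_hour and len(on_hour) == len(evs)
            else "irregular - investigate",
        }
    return events, report


if __name__ == "__main__":
    _, summary = triage(SAMPLE_LOG)
    for (iface, tunnel), row in summary.items():
        print(f"{iface} tunnel 0x{tunnel:x}: {row}")
```

Feed it a real syslog export instead of SAMPLE_LOG and a tunnel whose alerts are all on the hour and all carry SEQ 0x1 is the benign rekey case from the reply; a tunnel with off-hour alerts is the one to take a sniffer capture and debug ike detail on.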
Does anyone have any experience setting up Xbox Live access on the SSG 5? I have all the ports open as suggested by Microsoft, but sometimes it takes forever for the Xbox Live connections to occur (connecting with other players, etc.).
The Juniper firewalls do not have an Application Layer Gateway (ALG) for Xbox. Are these the ports you opened up? http://support.microsoft.com/kb/911728 If so, the next time you encounter the slow connection, try clearing the sessions related to the Xbox using the 'clear session' command. If you enter clear session ?, you can see the different options to clear by. It may be easier to do it by ...
Have you enabled multi-port VIP? What is the result for NAT when you run a connection test on the Xbox? I had to enable multi-port VIP and forward the necessary ports listed in the KB to get an "Open" result.
ScreenOS 5.4 and 6.0. All I had to do was allow an outbound "any" from the Xbox and it works great, no VIP or inbound rules. In addition I had to tweak the source-IP-based session limit and UDP flood protection a bit. http://support.microsoft.com/kb/908874 Try doing a debug if it still doesn't work.
So when you do a connection test within Live!, what does your NAT status come up as? I found that I couldn't get it to be open unless I forwarded the ports over. What did you tweak exactly? I'm always getting alerts after I play.
Hi, please make sure the VPN is up with the following commands: get sa, get ike coo, get event. If the VPN is up, then run the following debugs, which could help us find the clue to the issue:
1) set ff src-ip x.x.x.x
2) set ff dst-ip x.x.x.x
3) debug flow basic
4) clear db. Now run the test.
5) Press "ESC" to turn off the debug
6) get db s
Thanks, Atif
Hi dkrut, I met the same situation last month. I did this: I downloaded the config files for both devices, after that I opened them with the WinMerge application for editing the files. I replaced only the old IP address with the new IP address for the untrust interfaces "IP ISP" and all MIPs and VIPs, and after that I compared the old file and the new file with the WinMerge application. After I injected the new file...
Dear all: I am trying to configure the DHCP IP range on interface 1 (NS25 + 5.4.r10); however, the command cannot be applied on interface eth1: set interface ethernet0/1 dhcp server ip 172.16.10.10 to 172.16.10.19 Error message: Failed command - set interface ethernet1 dhcp server ip 172.16.10.10 to 172.16.10.19 Thanks for any suggestion. BTW, the other commands related to interface eth1 work very well.
Hi, so is it that the VPN will terminate on the tunnel interface, and is it mandatory to have a numbered tunnel interface? If yes, can you help in guiding me to the reason for the same? Regards, Ali
Can you run a debug on it?
set ff dst-ip <IP VIP>
debug flow basic
>>> traffic to the VIP
undebug all (or ESC when you don't like typing)
get db stream
It might give an idea what's going on.