[vpn-help] Juniper SRX210 NAT-T problems

Matthew Grooms mgrooms at shrew.net
Tue Feb 14 20:04:23 CST 2012


On 2/4/2012 7:23 AM, Loris Modenese wrote:
>
> Hi Kevin,
>
> I can confirm what Gergely said.
> The problem is related to the NAT-T and DPD code on both 2.1.7 and
> 2.2.0 versions.
> With NAT-T disabled or with a dial-up connection (public IP address) the
> link is stable.
> I've also noticed that no matter how the client is configured (with or w/o
> DPD and different timeout)
> it keeps on sending DPD every 30sec when NAT-T option is enabled for 10
> times then it always disconnects (about 5-5.5 min).
> I tested the config with 4 SRX-240H, 1 SRX-210H and 3 SRX-100 running
> JunOS 10.4 with the same results.
>

Hmm, this doesn't sound good. Is the client initiating the DPD messages 
or responding to them (or both)? Can you send me a sample of the log 
output with the IP addresses obscured? If the client is simply ignoring 
the DPD configuration option, that shouldn't be too hard to fix.

-Matthew


