Session is being torn down. Reason: Peer address changed

Geoff Sweet
Level 1

Greetings all. I'm a bit stumped on an issue that I am having. I have a Juniper SRX240 at a remote site with dual ISP connections. These connections are only active one at a time (the backup is a cellular provider that we keep offline until our primary connection fails). The datacenter has an ASA that has only a single static IP on the outside interface. I've managed to get to a point where I can stand up the IPSEC tunnel from the SRX from both ISPs when each is active. That required me to create a crypto map entry with both peers in it:

crypto map outside_map 13 match address outside_cryptomap_1
crypto map outside_map 13 set peer 166.148.109.123 50.245.141.219
crypto map outside_map 13 set transform-set ESP-AES-256-SHA


I then created two tunnel-group entries. One for each IP on the SRX.  So far so good. I can see Phase 1 and 2 complete in the logs on the ASA:

Group = 166.148.109.123, IP = 166.148.109.123, PHASE 1 COMPLETED
Group = 166.148.109.123, IP = 166.148.109.123, PHASE 2 COMPLETED (msgid=017b858a)

But then a few moments later, I lose it:


Group = 166.148.109.123, Username = 166.148.109.123, IP = 166.148.109.123, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Address Changed
Group = 166.148.109.123, IP = 166.148.109.123, Session is being torn down. Reason: Peer Address Changed


I'm really stumped. I'm sorta struggling with this ASA config because it isn't my strong suit (Juniper guy here). So maybe there is a better way to do this? I can't find a lot online about the Peer Address Changed error. I get what the words mean... but it rebuilds a new tunnel, why wouldn't it track the change in IP and the new tunnel?
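As an added example (not from the post, the ASA, or Cisco), here is a small Python parser for the ASA syslog bodies quoted above that flags sessions torn down shortly after Phase 2 with zero bytes in either direction and reports the Reason field, which is the symptom being described. The embedded sample is constructed from the four log lines in the post (they carry no timestamps, so the parser relies on line order), and the 120 s threshold is an assumed value.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four ASA log bodies quoted in the post above (no timestamps on the page).
SAMPLE_LOG = """\
Group = 166.148.109.123, IP = 166.148.109.123, PHASE 1 COMPLETED
Group = 166.148.109.123, IP = 166.148.109.123, PHASE 2 COMPLETED (msgid=017b858a)
Group = 166.148.109.123, Username = 166.148.109.123, IP = 166.148.109.123, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Address Changed
Group = 166.148.109.123, IP = 166.148.109.123, Session is being torn down. Reason: Peer Address Changed
"""

GROUP_RE = re.compile(r"Group = (?P<group>\S+), (?:Username = \S+, )?IP = (?P<ip>\S+), (?P<rest>.*)")
DISC_RE = re.compile(
    r"Session disconnected\. Session Type: (?P<type>\w+), Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s, "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+)"
)

@dataclass
class Flap:
    peer: str
    duration_s: int
    bytes_xmt: int
    bytes_rcv: int
    reason: str
    had_phase2: bool  # True if a PHASE 2 COMPLETED line preceded the disconnect

def find_flaps(log_text, max_duration_s=120):
    """Return sessions that were dropped within max_duration_s having carried
    no traffic; the Reason field says why the ASA tore them down."""
    phase2_seen = set()   # peers whose Phase 2 completed and has not yet been torn down
    flaps = []
    for line in log_text.splitlines():
        m = GROUP_RE.search(line)
        if not m:
            continue
        peer, rest = m.group("ip"), m.group("rest")
        if rest.startswith("PHASE 2 COMPLETED"):
            phase2_seen.add(peer)
            continue
        d = DISC_RE.search(rest)
        if not d:
            continue          # "torn down" and other lines carry no counters
        dur = int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"])
        xmt, rcv = int(d["xmt"]), int(d["rcv"])
        if dur <= max_duration_s and xmt == 0 and rcv == 0:
            flaps.append(Flap(peer, dur, xmt, rcv, d["reason"].strip(), peer in phase2_seen))
        phase2_seen.discard(peer)
    return flaps
```

Run it over a longer `show logging` capture to count how often each peer address flaps and whether the Reason is always "Peer Address Changed" or varies.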


2 Replies

Raja Periyasamy
Level 1

The SRX will initiate the tunnel by default, irrespective of whether traffic is present or not.

ASA initiates the tunnel only when there is interesting traffic.

No, the ASA does not track the peer IP.

The way you have configured it, if the ASA initiates the tunnel it will try to form it with 166.148.109.123 first, and if that fails it will try with 50.245.141.219 after a couple of attempts.

The debugs from the SRX side could provide more help.

Also do "show crypto isa sa" on the ASA to see if the ASA is an initiator or responder.

What version of code is running on the ASA?

Silviu Lavric
Level 1

Same problem. Any solutions?