830+ flaps so far. This causes cross-DC traffic (like rsync) to fail.
That BGP session goes over an ipsec tunnel.
The following configuration has been added on both sides. It's most likely not the reason for the flaps, but should be there nonetheless.
- allow IKE on lo0 (where IKE terminates)
- specify host-inbound-traffic per interface (I've seen cases where the "global to the security zone" config was not applied properly)
- set IPsec tunnel monitoring (for faster monitoring)
[edit security zones security-zone untrust interfaces lo0.0 host-inbound-traffic system-services]
      dns { ... }
+     ike;
[edit security zones security-zone vpn-codfw interfaces st0.0]
+     host-inbound-traffic {
+         system-services {
+             ping;
+             traceroute;
+         }
+         protocols {
+             pim;
+             igmp;
+             bgp;
+         }
+     }
[edit security ipsec vpn vpn-x-ipsec-vpn]
+     vpn-monitor {
+         optimized;
+     }
I also added extra debug logs (starting with ike) on both sides:
# show security ike traceoptions
file ike-debug.log size 5m files 3;
flag all;
As well as
[edit security ipsec]
+   traceoptions {
+       flag all;
+   }
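Once the extra logging is in, the quickest way to tell whether the tunnel is behind the flaps is to line up BGP state changes against IKE/IPsec events in the syslog. The correlator below is an added example, not part of this ticket; the log lines are constructed, and the message shapes are assumed to follow the Junos RPD_BGP_NEIGHBOR_STATE_CHANGED and KMD_* tags.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not taken from the ticket), shaped like the
# Junos RPD_BGP_NEIGHBOR_STATE_CHANGED and KMD_* tunnel messages; documentation address ranges.
SAMPLE_LOG = """\
Jan 10 12:00:00 cr1 kmd[2231]: KMD_VPN_DOWN_ALARM_USER: VPN vpn-x-ipsec-vpn from 198.51.100.2 is down.
Jan 10 12:00:03 cr1 rpd[1912]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.64.0.2 (External AS 65002) changed state from Established to Idle (event HoldTime) (instance master)
Jan 10 12:00:40 cr1 kmd[2231]: KMD_PM_SA_ESTABLISHED: Local gateway: 203.0.113.2, Remote gateway: 198.51.100.2, Direction: inbound
Jan 10 12:00:45 cr1 rpd[1912]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.64.0.2 (External AS 65002) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Jan 10 13:15:10 cr1 rpd[1912]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.64.0.2 (External AS 65002) changed state from Established to Idle (event HoldTime) (instance master)
Jan 10 13:15:52 cr1 rpd[1912]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 10.64.0.2 (External AS 65002) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \w+\[\d+\]: (\w+): (.*)$")
BGP_RE = re.compile(r"BGP peer (\S+) .*changed state from (\w+) to (\w+) \(event (\w+)\)")
# IKE/IPsec events that could explain a BGP session loss over st0 (assumed tag names)
TUNNEL_TAGS = {"KMD_VPN_DOWN_ALARM_USER", "KMD_VPN_UP_ALARM_USER", "KMD_PM_SA_ESTABLISHED"}


def parse(log, year=2024):
    """Return (timestamp, tag, message) per recognised line; syslog has no year, so one is supplied."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events


def bgp_flaps(events):
    """One flap = one transition out of Established; returns (timestamp, peer, FSM event)."""
    flaps = []
    for ts, tag, msg in events:
        m = BGP_RE.search(msg) if tag == "RPD_BGP_NEIGHBOR_STATE_CHANGED" else None
        if m and m.group(2) == "Established":
            flaps.append((ts, m.group(1), m.group(4)))
    return flaps


def correlate(events, window=30):
    """Count flaps and how many had a tunnel event in the `window` seconds before them.
    Few hits for many flaps means the tunnel is probably not what drops the session."""
    tunnel_ts = [ts for ts, tag, _ in events if tag in TUNNEL_TAGS]
    flaps = bgp_flaps(events)
    hits = sum(1 for ts, _, _ in flaps
               if any(0 <= (ts - t).total_seconds() <= window for t in tunnel_ts))
    return len(flaps), hits


if __name__ == "__main__":
    n, hits = correlate(parse(SAMPLE_LOG))
    print(f"{n} flaps, {hits} preceded by an IKE/IPsec event within 30s")
```

The FSM event recorded per flap (HoldTime vs. RecvNotify, for instance) is worth keeping: hold-timer expiries with no tunnel event nearby point at packet loss inside the tunnel rather than at IKE itself.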