IPSec; IS-IS - Juniper JunosE Software 10.3.2 - Release Notes 9-29-2010 Release Note

For E Series Broadband Services Routers

JunosE 10.3.2 Release Notes

Known Behavior

IPSec

When you shut down the only outgoing IP interface to the IP destinations of
IPSec tunnels, the tunnels remain in the up state rather than transitioning to
down. As a consequence, all IP routes that use these tunnels as next hops also
remain in the routing table. You can use dead peer detection (DPD) to
avoid this situation. DPD must be active, which requires both IPSec tunnel
endpoints to support DPD.

During a warm restart after a system failover, the SRP module can take several
minutes to resume the normal exchange of UDP/IP packets to applications.
During this restart time, the E Series router does not send or receive dead peer
detection (DPD) keepalives, which are used to verify connectivity between the
router and its peers. The length of the restart time depends on the number of
interfaces—if the restart time is too long, remote peers might determine that
the connection from them to the E Series router is broken and then shut down
an IPSec tunnel that has DPD enabled. In the worst case, all IPSec tunnels
might be shut down. [Defect ID 65132]

IS-IS

When IS-IS is configured on a static PPP interface, the IS-IS neighbor does not
come up if you remove the IP address from the interface and then add the IP
address back to the interface.

Work-around: When you remove and add back the IP address, you must also
remove the IS-IS configuration from the interface and then add the
configuration back to the interface by issuing the no router isis and router isis
commands.

When you run IS-IS on back-to-back virtual routers (VRs) in an
IS-IS-over-bridged-Ethernet configuration and do not configure different IS-IS
priority levels on each VR, a situation can occur in which both VRs elect
themselves as the designated intermediate system (DIS) for the same network
segment.

This situation occurs because the router uses the same MAC address on all
bridged Ethernet interfaces by default. When both VRs have the same (that is,
the default) IS-IS priority level, the router must use the MAC address assigned to
each interface to determine which router becomes the DIS. Because each
interface in an IS-IS-over-bridged-Ethernet configuration uses the same MAC
address, however, the router cannot properly designate the DIS for the network
segment. As a result, both VRs elect themselves as the DIS for the same
network segment, and the configuration fails. [Defect ID 72367]

Work-around: To ensure proper election of the DIS when you configure IS-IS
over bridged Ethernet for back-to-back VRs, we recommend that you use the
isis network point-to-point command in Interface Configuration mode to
configure IS-IS to operate using point-to-point (P2P) connections on a broadcast
circuit when only two routers (or, in this case, two VRs) are on the circuit.
Issuing this command tears down the current existing IS-IS adjacency in that
link and reestablishes a new adjacency.
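
The DIS tie-break described above, as an added example that is not part of the release notes or Juniper's code: a simplified Python model in which each system elects itself DIS unless a neighbor strictly outranks it on priority and then on MAC address. The VR names, the MAC values and the default priority of 64 are assumptions made for illustration.

```python
# Simplified model of IS-IS DIS election on a broadcast circuit (added example).
# Assumption: a system elects itself DIS unless some neighbor strictly
# outranks it; this reproduces the double election the release note describes.
from dataclasses import dataclass

DEFAULT_PRIORITY = 64  # assumed default IS-IS priority for this sketch


@dataclass(frozen=True)
class Circuit:
    name: str      # hypothetical VR name
    priority: int  # IS-IS priority configured on this circuit
    mac: str       # MAC address (SNPA) the circuit advertises

    def rank(self):
        # Higher priority wins; the higher MAC address breaks a priority tie.
        return (self.priority, bytes.fromhex(self.mac.replace(":", "")))


def self_elected(circuits):
    """Return the names of all systems that consider themselves the DIS."""
    winners = []
    for me in circuits:
        neighbors = [c for c in circuits if c is not me]
        if not any(n.rank() > me.rank() for n in neighbors):
            winners.append(me.name)
    return winners


def check_segment(circuits):
    """Report whether the segment ends up with exactly one DIS."""
    dis = self_elected(circuits)
    if len(dis) > 1:
        return "conflict: %s all elect themselves DIS" % ", ".join(dis)
    return "ok: DIS is %s" % dis[0]


# Constructed sample data: two back-to-back VRs on one bridged Ethernet segment.
SHARED_MAC = "00:90:1a:00:00:01"  # constructed value, identical on both VRs
same_mac = [Circuit("vr-a", DEFAULT_PRIORITY, SHARED_MAC),
            Circuit("vr-b", DEFAULT_PRIORITY, SHARED_MAC)]
diff_prio = [Circuit("vr-a", DEFAULT_PRIORITY + 1, SHARED_MAC),
             Circuit("vr-b", DEFAULT_PRIORITY, SHARED_MAC)]

if __name__ == "__main__":
    print(check_segment(same_mac))   # equal priority and MAC: two DIS claims
    print(check_segment(diff_prio))  # distinct priorities: a single DIS
```

The same check can be run over an inventory of broadcast circuits to flag segments where priority and MAC are both shared before IS-IS is enabled on them.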
