Geoff Sweet

Session is being torn down. Reason: Peer address changed

Greetings all. I'm a bit stumped on an issue that I am having.  I have a Juniper SRX240 at a remote site with dual ISP connections.  These connections are only active one at a time (the backup is a cellular provider that we keep offline until our primary connection fails).  The datacenter has an ASA that has only a single static IP on the outside interface.  I've managed to get to a point where I can stand up the IPsec tunnel from the SRX from both ISPs when each is active. That required me to create a crypto map entry with both peers in it:

crypto map outside_map 13 match address outside_cryptomap_1
crypto map outside_map 13 set peer
crypto map outside_map 13 set transform-set ESP-AES-256-SHA


I then created two tunnel-group entries. One for each IP on the SRX.  So far so good. I can see Phase 1 and 2 complete in the logs on the ASA:

Group =, IP =, PHASE 2 COMPLETED (msgid=017b858a)

But then a few moments later, I lose it:

Group =, Username =, IP =, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Address Changed
Group =, IP =, Session is being torn down. Reason: Peer Address Changed


I'm really stumped. I'm sorta struggling with this ASA config because it isn't my strong suit (Juniper guy here).  So maybe there is a better way to do this? I can't find a lot online about the Peer Address Changed error.  I get what the words mean... but it rebuilds a new tunnel, so why wouldn't it track the change in IP and the new tunnel?
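An added example, not part of the original post: a small parser that reads ASA "Session disconnected" log lines of the shape quoted above and summarises teardowns per peer and reason, flagging the symptom described here (a session lasting about a minute, zero bytes in both directions, reason "Peer Address Changed"). The syslog excerpt is constructed for the example; timestamps, hostname and the documentation-range peer IPs are made up, and the lines carry no ASA message IDs. Only the message bodies follow the format shown in the thread.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not from the thread). Timestamps, the
# hostname and the peer IPs are invented; the message bodies follow the
# formats quoted in the original post.
SAMPLE_LOG = """\
Jan 10 10:00:00 asa-dc: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=017b858a)
Jan 10 10:01:00 asa-dc: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Address Changed
Jan 10 10:01:00 asa-dc: Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Peer Address Changed
Jan 10 10:05:30 asa-dc: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=2a1f0c77)
Jan 10 10:06:30 asa-dc: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 0h:01m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Peer Address Changed
Jan 10 11:30:12 asa-dc: Group = 198.51.100.7, Username = 198.51.100.7, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Duration: 2h:14m:05s, Bytes xmt: 184320, Bytes rcv: 90112, Reason: User Requested
"""

# Matches the "Session disconnected" message body; Username is optional
# because the "torn down" variant of the message omits it.
DISCONNECT_RE = re.compile(
    r"Group = (?P<group>[^,]*), (?:Username = (?P<user>[^,]*), )?IP = (?P<ip>[^,]*), "
    r"Session disconnected\. Session Type: (?P<stype>[^,]*), Duration: (?P<duration>[^,]*), "
    r"Bytes xmt: (?P<xmt>\d+), Bytes rcv: (?P<rcv>\d+), Reason: (?P<reason>.+?)\s*$"
)
DURATION_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")


def duration_seconds(text):
    """Convert an ASA 'Xh:Ym:Zs' duration string into seconds."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    hours, minutes, seconds = (int(x) for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def parse_disconnects(log_text):
    """Return one dict per 'Session disconnected' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["xmt"] = int(ev["xmt"])
        ev["rcv"] = int(ev["rcv"])
        ev["seconds"] = duration_seconds(ev["duration"])
        events.append(ev)
    return events


def teardowns_by_reason(events):
    """Count disconnects per (peer IP, reason) so a flapping peer stands out."""
    return Counter((ev["ip"], ev["reason"]) for ev in events)


def idle_replacements(events, max_seconds=120):
    """Disconnects matching the thread's symptom: a short-lived session that
    never carried traffic and was torn down because the peer address changed,
    i.e. the SA was replaced rather than failing under load."""
    return [
        ev for ev in events
        if ev["reason"] == "Peer Address Changed"
        and ev["xmt"] == 0 and ev["rcv"] == 0
        and ev["seconds"] <= max_seconds
    ]


if __name__ == "__main__":
    evs = parse_disconnects(SAMPLE_LOG)
    for (ip, reason), n in teardowns_by_reason(evs).most_common():
        print(f"{ip:<16} {reason:<24} {n}")
    print(f"{len(idle_replacements(evs))} idle 'Peer Address Changed' teardown(s)")
```

Run it against a real syslog export instead of `SAMPLE_LOG` to see how often each peer is torn down and whether those sessions ever carried traffic; a peer whose sessions are all short and idle before a "Peer Address Changed" teardown is being replaced, not failing.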


Raja Periyasamy

The SRX will initiate the tunnel irrespective of the traffic being present or not by default.

ASA initiates the tunnel only when there is interesting traffic.

No, ASA does not track the peer IP. 

The way you have configured, if ASA initiates the tunnel it will try to form it with first and if it fails then it will try with after a couple of attempts.

The debugs from the SRX side could provide more help. 

Also do "show crypto isa sa" on the ASA to see if the ASA is an initiator or responder.

What version of code is running on ASA?

Silviu Lavric

Same problem. Any solutions?