NOTE: I originally published this page in 2018; instructions may now be out of date.
If you will be using IPsec on a Juniper vMX router, you will need to enable the adaptive services interface. This is not enabled by default. Once enabled, the adaptive services interface will be present on FPC 0 as
- Log into the vMX routing engine and enter configuration mode.
- Enable the inline services interface:
set chassis fpc 0 pic 0 inline-services bandwidth 10g
- Commit the configuration.
According to the Juniper docs, the bandwidth setting is not used for si traffic:
IPsec VPN and Group VPN support—vMX supports inline site-to-site IPsec VPNs and Group VPNs. The inline service interface (si) is used as the service interface for the service set. You enable inline service interfaces by configuring the inline-services bandwidth (1g | 10g) option at the [edit chassis fpc 0 pic 0] hierarchy level. The bandwidth value is not used for si traffic, so you can choose either value. Only one si interface is configurable for each vMX.
If you are also using GRE tunnels on the vMX device, see this page to enable the Tunnel Services for the vFP.
There are a couple of potential issues I have run into when deploying this configuration on vMX routers.
Traffic not working
On some hosts I have experienced issues after rebooting the vMX with the adaptive services interface where traffic does not work. After I configured IPsec on the vMX, the IPsec and IKE security associations came up as expected, but I could not ping over the tunnels at all. Changing the inline-services bandwidth setting and then committing it seems to work around the issue:
set chassis fpc 0 pic 0 inline-services bandwidth 1g
commit
set chassis fpc 0 pic 0 inline-services bandwidth 10g
commit
si interface not available on FPC
When configuring the adaptive services interface you must have the loopback-device-count option set for the chassis. To do this use:
set chassis fpc 0 loopback-device-count 1