
Configuring the Source Interface and Destination IP options of VPN Monitor (KB ID: KB9503)

Article ID: KB9503
Published: Mar 06, 2007
Last Modified: Mar 06, 2007
Visible By: Employee, PTAC, Partner, Customer, Public


Article URL

http://kb.juniper.net/KB9503

Synopsis

VPN Monitor is down. The remote VPN device may be blocking ICMP echo requests, or it may be a third-party product that does not respond to ICMP echo requests.

Problem

VPN is in the Active/Down state because the VPN Monitor is down. Some possible reasons for the VPN Monitor down condition are:

  • Remote VPN connection is configured to block ICMP echo requests

  • Remote VPN connection is a third-party product that does not respond to ICMP echo requests

When VPN Monitor is enabled and a source interface is not chosen, the Firewall device uses the outgoing interface as the default.

When VPN Monitor is enabled and a destination IP address is not specified, the Firewall device uses the IP address for the remote gateway.

Solution

Configure VPN Monitor to use the Source interface and Destination IP options. 

To configure these options in the WebUI

  • Select VPNs > Autokey IKE.

  • Edit the appropriate VPN, and click on the Advanced button at the bottom of the screen.  
    This will take you to the Advanced settings screen. The VPN Monitor settings are at the bottom of the page. 

  • Set the Destination IP to an internal host in the remote peer’s LAN that responds to ICMP echo requests. Also, the remote peer’s firewall must have a policy permitting the ICMP echo requests of VPN Monitor to pass through it. 

    For more information, refer to the Source Interface and Destination Address and Policy Consideration sections of the following manual:  http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf

  • Source Interface: Select the interface to be used as the source interface for VPN monitor packets. For VPN monitoring through NetScreen Remote, the source interface for VPN monitor packets must be bound to the Trust zone of the network being monitored.

  • Optimized: Select this check box if you want the Juniper Firewall device to accept incoming traffic through the VPN tunnel as a substitute for ICMP echo replies. If there is both incoming and outgoing traffic through the VPN tunnel, the device suppresses VPN monitoring pings.

To configure the above options in the CLI

  • Enter the command:
    set vpn <vpn_name> monitor source-interface <interface> destination-ip <ip_addr> optimized [rekey]

 

Category Description

By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems » ScreenOS Software

Purpose

Troubleshooting
