
[SRX] Configuring the Source Interface and Destination IP options of VPN Monitor

Article ID: KB10119    KB Last Updated: 21 May 2015    Version: 8.0
Summary:

This article describes how to use VPN Monitor with the 'Source Interface' and 'Destination IP' options so that VPN Monitor does not falsely report the tunnel as down, which causes VPN Phase 2 instability.


Symptoms:

VPN is down or Phase 2 is flapping, and VPN Monitor for the SA reports 'D' (down):

user@CORPORATE> show security ipsec security-associations   
  total configured sa: 1
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   D   0 
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   D   0
Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.3 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.3, XAUTH username: Not-Applicable, VR id: 4

Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.3 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.3, XAUTH username: Not-Applicable, VR id: 4
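As an added example (not part of the KB article), the following Python script parses the two artifacts quoted above: it reads the Mon column of `show security ipsec security-associations` to list SAs reported as 'D', and pairs kmd DOWN/UP alarms to spot short down/up cycles that indicate flapping rather than a real outage. The sample output and log lines are constructed to match the formats shown above, with the kmd lines shortened after the state.

```python
import re
from datetime import datetime
# Constructed samples in the formats quoted under Symptoms (kmd lines shortened after the state).
SA_OUTPUT = """\
  total configured sa: 1
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   D   0
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   D   0
"""
KMD_LOG = """\
Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.3 is down. Local-ip: 4.4.4.4
Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.3 is up. Local-ip: 4.4.4.4
"""
# SA row: direction marker, ID, gateway, port, algorithm, SPI, lifetime, Mon flag, vsys.
SA_ROW = re.compile(r"^\s*([<>])(\d+)\s+\S+\s+\d+\s+\S+\s+[0-9a-f]+\s+\S+\s+(\S)\s+\d+\s*$")
# kmd alarm: syslog timestamp (no year; strptime defaults to 1900, fine for deltas), VPN name, peer, state.
KMD_LINE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d) kmd\[\d+\]: "
                      r"KMD_VPN_(?:DOWN|UP)_ALARM_USER: VPN (\S+) from (\S+) is (down|up)\.")

def sa_monitor_status(output):
    """Map each SA ('<32786', ...) to its Mon flag: 'U' up, 'D' down, '-' not monitored."""
    status = {}
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if m:
            status[m.group(1) + m.group(2)] = m.group(3)
    return status

def sas_reported_down(output):
    """SAs that VPN Monitor currently reports as 'D' (the symptom described above)."""
    return sorted(sa for sa, mon in sa_monitor_status(output).items() if mon == "D")

def find_flaps(log, window_sec=60):
    """Pair each DOWN alarm with the next UP for the same VPN; return [(vpn, seconds_down)]
    for outages no longer than window_sec, the rapid down/up pattern of Phase 2 flapping."""
    last_down, flaps = {}, []
    for line in log.splitlines():
        m = KMD_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
        vpn, state = m.group(2), m.group(4)
        if state == "down":
            last_down[vpn] = ts
        elif vpn in last_down:
            secs = (ts - last_down.pop(vpn)).total_seconds()
            if secs <= window_sec:
                flaps.append((vpn, int(secs)))
    return flaps
```

Feed it the real command output and a kmd log extract; a steady stream of short flaps on an SA marked 'D' points at VPN Monitor probes going unanswered rather than at the peer being unreachable.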

Cause:

VPN Monitor works by sending ICMP echo request packets across the tunnel (in encrypted form) to the remote side gateway and monitoring for the response.

  • When VPN Monitor is enabled and a source interface is not chosen, the SRX uses the outgoing interface as the default.
  • When VPN Monitor is enabled and a destination IP address is not specified, the SRX uses the IP address for the remote VPN gateway as the destination.
VPN Monitor reports a down condition when:
  • The remote VPN connection is configured to block ICMP echo requests
  • The remote VPN connection is a third-party device that does not respond to ICMP echo requests
  • The remote VPN connection does not allow traffic from the default source / destination IP

Solution:

Configure VPN Monitor with the 'Source interface' and 'Destination ip' options so that the ICMP packets reach a destination that responds and the replies return through the tunnel. With these options set, VPN Monitor can correctly recognize the status of the SA as 'U' (Up).

Definition of options

Source Interface:  Interface name used as the source of VPN Monitor ICMP packets
Destination ip:    IP address reachable over the VPN tunnel that responds to VPN Monitor ICMP packets


Configuration

CLI:

root@srx# set security ipsec vpn vpn-name vpn-monitor destination-ip 192.168.0.10 source-interface ge-0/0/0.0 optimized

J-Web:

  1. Navigate to Configuration > IPSec VPN > Auto Tunnel > Phase II > Autokey

  2. If you have already configured a VPN and want to enable VPN monitor then click edit; otherwise, click add.

  3. Specify the VPN Monitor settings located under the IPSec VPN Options Tab:

  • Enable VPN monitor:  Check the box.
  • Destination ip:  Set to a host in the remote peer’s LAN that responds to ICMP echo requests.
  • Optimized:  Select this check box if you want the Juniper device to accept incoming traffic through the VPN tunnel as a substitute for ICMP echo replies. If there is both incoming and outgoing traffic through the VPN tunnel, the device suppresses VPN monitoring pings. For information on the VPN Monitor Optimized setting, consult KB10118 - How do you enable the optimized feature of VPN Monitor, and what does it do?
  • Source interface:  Set this to an internal interface of the SRX that is permitted to access the LAN at the remote site.

  NOTE: The remote peer’s firewall must have a policy permitting the ICMP echo requests of VPN Monitor to pass through it.
