This article provides a method to use VPN Monitor with the "Source interface" and "Destination ip" options, which will prevent VPN Monitor from reporting tunnel down status that may cause VPN Phase 2 instability.

 

 

VPN is down or Phase 2 is flapping, and VPN Monitor for the SA reports "D" (down):

user@CORPORATE> show security ipsec security-associations   
  total configured sa: 1
  ID     Gateway         Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  <32786 3.3.3.3         500   ESP:3des/sha1   5c13215d 28782/unlim   D   0 
  >32786 3.3.3.3         500   ESP:3des/sha1   18f67b48 28782/unlim   D   0

Jul 9 21:07:58 kmd[1496]: KMD_VPN_DOWN_ALARM_USER: VPN to_hub from 3.3.3.3 is down. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.3, XAUTH username: Not-Applicable, VR id: 4

Jul 9 21:08:10 kmd[1496]: KMD_VPN_UP_ALARM_USER: VPN to_hub from 3.3.3.3 is up. Local-ip: 4.4.4.4, gateway name: to_hub, vpn name: to_hub, tunnel-id: 131073, local tunnel-if: st0.0, remote tunnel-ip: 70.70.70.1, Local IKE-ID: 4.4.4.4, Remote IKE-ID: 3.3.3.3, XAUTH username: Not-Applicable, VR id: 4

 

 

VPN Monitor works by sending ICMP echo request packets across the tunnel (in encrypted form) to the remote side gateway and monitoring for a response.

• When VPN Monitor is enabled and a source interface is not chosen, the SRX device uses the outgoing interface as the default.

• When VPN Monitor is enabled and a destination IP address is not specified, the SRX device uses the IP address of the remote VPN gateway as the destination.

Causes for VPN Monitor reporting a down condition include:

• The remote VPN connection is configured to block ICMP echo requests.

• The remote VPN connection is a third-party device that does not respond to ICMP echo requests.

• The remote VPN connection does not allow traffic based on the default Source / Destination IP address.

 

 

Configure VPN Monitor by using the "Source interface" and "Destination ip" options so that the ICMP packets can successfully reach the destination and return. Using these options will allow VPN Monitor to correctly recognize the status of SA as "U" (Up).

Definition of Options

• Source interface: Interface name to be used for the source of the VPN Monitor ICMP packets

• Destination ip: IP address that is reachable over the VPN tunnel that can respond to VPN Monitor ICMP packets

Configuration

CLI

root@srx#set security ipsec vpn vpn-name vpn-monitor destination-ip 192.168.0.10 source-interface ge-0/0/0.0 

J-Web

1. Navigate to Configure > Security Services > IPsec (Phase II).

2. Double-click the VPN that is already configured. 

3. Specify the VPN Monitor settings located on the IPSec VPN Options tab.

• Enable VPN monitor: Select the check box.

• Destination ip: Set this to a host in the remote peer’s LAN that responds to ICMP echo requests. 

• Optimized: Select this check box if you want the Juniper device to accept incoming traffic through the VPN tunnel as a substitute for ICMP echo replies. If there is both incoming and outgoing traffic through the VPN tunnel, the device suppresses VPN monitoring pings. For information about VPN Monitor Optimized setting, consult KB10118 - [SRX] How to enable the "optimized" feature of VPN Monitor.

• Source interface: Set this to an internal interface of the SRX device that is permitted to access the LAN at the remote site.

Note: The remote peer’s firewall must have a policy permitting the ICMP echo requests of VPN Monitor to pass through it.

 

 

• 2020-12-31: Modified J-Web image and instructions to reflect current UI

• 2020-06-29: Removed J-Series reference

• 2020-06-12: Article reviewed for accuracy; minor correction made in the command to enable vpn-monitor; article valid and relevant