Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Cannot communicate through VPN - Remote Side Lost Connection

0

0

Article ID: KB6046 KB Last Updated: 02 Jul 2010Version: 4.0
Summary:
Cannot communicate through VPN - Remote Side Lost Connection
Symptoms:
Environment:
  • IKE VPN tunnel was previously working
  • IKE heartbeat
  • Clear ike all usually bring tunnel back up
  • Reboot firewall will bring the VPN tunnel back up
Symptoms & Errors:
  • Cannot communicate across VPN
  • Remote firewall lost power
  • Virtual Private Network (VPN) goes down periodically
  • What is IKE heartbeat threshold used for?
Solution:
Remote site lost connection/link  can be resolved by using the IKE heartbeat feature, which will detect when a Virtual Private Network (VPN) is down.  This feature is available in ScreenOS 2.6.1 or higher. 
 
IKE heartbeat will send out hello packet every "x" seconds.  There is a heartbeat threshold where if the Netscreen doesn't receive a hello packet within the specified threshold (hello fails y amount of times), it will clear Phase 1 and Phase 2 SAs, and force to re-negotiate the tunnel.
 

The command syntax is different in ScreenOS 2.6.1 than they are in ScreenOS 3.0.x.

In ScreenOS 2.6.1, from the Command Line Interface (CLI),
Type
set ike heartbeat hello x
set ike heartbeat threshold y
In ScreenOS 3.0.0 and above, from the CLI:
set ike gateway gateway name heartbeat hello x
set ike gateway gateway name heartbeat threshold y
NetScreen will send IKE heartbeats once every x seconds.  For example, let's say the IKE heartbeat is set to 5.  If it does not receive a hello packet coming back from the remote NetScreen, a "heartbeat miss 1 time" message is logged to the event log.  This is okay, since the heartbeat threshold is set to 5.  However, when the connection on the remote NetScreen is severed, it will fail to receive the hello packet more than 5 times.  This is beyond the threshold, and the NetScreen will know that there is something wrong with the VPN tunnel.  The NetScreen will then clear the phase 1 and phase 2 SAs.  Every time a host from the local NetScreen wants to communicate to a host behind the remote Netscreen, it will have to negotiate for phase 1 and phase 2 SAs.
 
If the tunnel is dropping, the heartbeat will detect this, and tear down the SAs locally, and will force to re-negotiate. 

Additional Information:
IKE heartbeat feature requires ScreenOS that supports this on both sides of the VPN.  This can also work with Springtide VPNs.

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search