Rebuilding a VPN when remote gateway comes down

[KB6217]


Summary:
Rebuilding a VPN when remote gateway comes down
Symptoms:
VPN not working
IKE VPN tunnel was previously working
Gateway on one side of tunnel goes down either by power down or link down
Remote site gateway went down
Cannot communicate across VPN

Solution:

The IKE heartbeat feature detects when a VPN tunnel is down. It sends out a hello packet every "x" seconds. A heartbeat threshold is also configured: if the NetScreen does not receive a hello packet within the specified threshold (the hello fails the configured number of times), it clears the Phase 1 and Phase 2 SAs and forces the tunnel to re-negotiate.

From the Command Line Interface (CLI), Type

set ike heartbeat hello x
set ike heartbeat threshold y

The NetScreen will send IKE heartbeats once every "x" seconds. If it does not receive a hello packet coming back from the remote NetScreen, a "heartbeat miss 1 time" message is logged to the event log. This is okay, since the heartbeat threshold is set to "y". However, when the connection on the remote NetScreen is severed, the local NetScreen will fail to receive the hello packet more than "y" times. This is beyond the threshold, and the NetScreen will know that there is something wrong with the VPN tunnel. The NetScreen will then clear the Phase 1 and Phase 2 SAs. Every time a host behind the local NetScreen wants to communicate with a host behind the remote NetScreen, it will have to negotiate Phase 1 and Phase 2 SAs again.

If the tunnel is dropping, the heartbeat will detect this, tear down the SAs locally, and force a re-negotiation.

Heartbeats may be enabled on a per-tunnel basis or for the entire system.
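The following Python model of the detection logic described above is an added illustration, not ScreenOS code or part of the original article; the class and function names, and the constructed reply sequences, are invented for the example. It shows how the hello interval "x" and threshold "y" together determine how long a dead peer goes unnoticed before the SAs are cleared.

```python
"""Model of IKE heartbeat dead-peer detection (added example, not ScreenOS code).
hello_interval is the "x" from `set ike heartbeat hello x`; threshold is the "y"
from `set ike heartbeat threshold y`."""
from dataclasses import dataclass, field


@dataclass
class IkeHeartbeatMonitor:
    hello_interval: int            # x: seconds between hello packets
    threshold: int                 # y: misses tolerated before SAs are cleared
    misses: int = 0                # consecutive hellos with no reply
    sas_up: bool = True            # Phase 1 / Phase 2 SAs currently established
    events: list = field(default_factory=list)  # simulated event log

    def tick(self, reply_received: bool) -> None:
        """One hello interval: a hello was sent; record whether the peer answered."""
        if not self.sas_up:
            return                 # nothing to probe until traffic renegotiates
        if reply_received:
            self.misses = 0        # a reply resets the miss counter
            return
        self.misses += 1
        self.events.append(f"heartbeat miss {self.misses} time")
        if self.misses > self.threshold:
            # "more than y" misses: clear Phase 1 and Phase 2 SAs
            self.sas_up = False
            self.events.append("cleared phase 1 and phase 2 SAs")

    def renegotiate(self) -> None:
        """Called when a local host sends traffic toward the remote site."""
        if not self.sas_up:
            self.events.append("negotiating new phase 1 and phase 2 SAs")
            self.sas_up = True
            self.misses = 0


def simulate(replies, hello_interval, threshold):
    """Run a constructed per-interval reply sequence (True = hello answered).
    Returns (seconds elapsed when SAs were cleared, or None; event log)."""
    mon = IkeHeartbeatMonitor(hello_interval, threshold)
    cleared_at = None
    for n, got_reply in enumerate(replies, start=1):
        mon.tick(got_reply)
        if not mon.sas_up and cleared_at is None:
            cleared_at = n * hello_interval
    return cleared_at, mon.events


if __name__ == "__main__":
    # constructed outage: peer answers twice, then goes silent
    print(simulate([True, False, True, False, False, False, False], 5, 3))
```

With hello 5 and threshold 3, the fourth consecutive miss (35 seconds into the constructed sequence) exceeds the threshold and clears the SAs, while isolated single misses only produce log entries.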

Here is the problem or goal:

  • Cannot communicate across VPN
  • Rebuilding a VPN when remote site goes down

Problem Environment:

  • VPN not working
  • IKE VPN tunnel was previously working
  • Gateway on one side of tunnel goes down either by power down or link down
  • Remote site gateway went down

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500

Applicable ScreenOS:

  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.1.0
