
Rebuilding a VPN when remote gateway comes down


Article ID: KB6217 KB Last Updated: 05 Jul 2010Version: 3.0
Summary:
Rebuilding a VPN when remote gateway comes down
Symptoms:
VPN not working
IKE VPN tunnel was previously working
Gateway on one side of tunnel goes down either by power down or link down
Remote site gateway went down
Cannot communicate across VPN

Solution:

The IKE heartbeat feature detects when a VPN tunnel is down. The NetScreen sends a hello packet every "x" seconds. A heartbeat threshold defines how many consecutive hellos may go unanswered; if the NetScreen does not receive a reply within that threshold (the hello fails more than the allowed number of times), it clears the phase 1 and phase 2 SAs and forces the tunnel to be renegotiated.

From the Command Line Interface (CLI), type:

set ike heartbeat hello x
set ike heartbeat threshold y

The NetScreen will send IKE heartbeats once every "x" seconds. If it does not receive a hello packet back from the remote NetScreen, a "heartbeat miss 1 time" message is logged to the event log. This is acceptable, because the heartbeat threshold is set to "y" and a single miss is still within it. However, when the connection to the remote NetScreen is severed, the hello packet will go unanswered more than "y" times. This is beyond the threshold, so the NetScreen concludes that something is wrong with the VPN tunnel and clears the phase 1 and phase 2 SAs. From then on, whenever a host behind the local NetScreen wants to communicate with a host behind the remote NetScreen, the phase 1 and phase 2 SAs must be negotiated again.

If the tunnel is dropping, the heartbeat will detect this, tear down the SAs locally, and force a renegotiation.

Heartbeats may be enabled on a per-tunnel basis or for the entire system.
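The following is an added simulation of the detection logic described above; it is illustrative code written for this article, not ScreenOS code or anything from Juniper. It assumes a monitor that sends one hello every "x" seconds, counts consecutive unanswered hellos, tears down the phase 1 and phase 2 SAs once the miss count goes beyond the threshold "y" (the exact comparison ScreenOS uses is an assumption here), and then renegotiates only when traffic to the remote side triggers it. The scenario at the bottom (one tolerated miss, the remote gateway going down, then coming back) is constructed.

```python
"""Simulation of the IKE heartbeat / threshold behaviour (added example).

Not ScreenOS code. Assumptions: one hello per `hello` seconds, misses are
counted consecutively and reset on any reply, and SAs are cleared once the
consecutive miss count exceeds `threshold`.
"""
from dataclasses import dataclass, field


@dataclass
class IkeHeartbeatMonitor:
    hello: int                      # seconds between hello packets ("x")
    threshold: int                  # tolerated consecutive misses ("y")
    misses: int = 0                 # consecutive hellos without a reply
    sas_up: bool = True             # phase 1 and phase 2 SAs currently present
    events: list = field(default_factory=list)  # simulated event-log lines

    def hello_cycle(self, reply_received: bool) -> None:
        """One hello interval: a hello was sent; did the peer answer it?"""
        if not self.sas_up:
            # No SAs exist: nothing to probe until traffic triggers renegotiation.
            return
        if reply_received:
            self.misses = 0
            return
        self.misses += 1
        self.events.append(f"heartbeat miss {self.misses} time")
        if self.misses > self.threshold:
            # Beyond the threshold: clear P1/P2 SAs and force renegotiation.
            self.events.append("heartbeat threshold exceeded: clearing P1 and P2 SAs")
            self.sas_up = False
            self.misses = 0

    def traffic_to_remote(self, peer_reachable: bool) -> bool:
        """A local host sends to a host behind the remote gateway.

        With no SAs in place this triggers a fresh phase 1 / phase 2
        negotiation, which succeeds only if the peer is reachable.
        """
        if self.sas_up:
            return True
        if peer_reachable:
            self.events.append("renegotiated P1 and P2 SAs")
            self.sas_up = True
            return True
        self.events.append("P1 negotiation failed: peer unreachable")
        return False

    def seconds_to_detect(self) -> int:
        """Worst-case time from outage to SA teardown: (threshold + 1) intervals."""
        return (self.threshold + 1) * self.hello


def run_scenario(hello: int = 5, threshold: int = 3) -> dict:
    """Constructed scenario: one isolated miss, then the remote gateway goes
    down, then it comes back and new traffic rebuilds the tunnel."""
    m = IkeHeartbeatMonitor(hello=hello, threshold=threshold)
    # A single lost hello is tolerated and logged as "heartbeat miss 1 time".
    m.hello_cycle(reply_received=False)
    m.hello_cycle(reply_received=True)
    tolerated = m.sas_up and m.misses == 0
    # Remote gateway goes down: hellos stay unanswered until threshold is exceeded.
    for _ in range(threshold + 1):
        m.hello_cycle(reply_received=False)
    torn_down = not m.sas_up
    # Traffic while the peer is still down cannot rebuild the tunnel.
    failed = not m.traffic_to_remote(peer_reachable=False)
    # Peer returns; the next interesting traffic renegotiates P1/P2.
    rebuilt = m.traffic_to_remote(peer_reachable=True)
    return {
        "tolerated": tolerated,
        "torn_down": torn_down,
        "failed_while_down": failed,
        "rebuilt": rebuilt,
        "detect_secs": m.seconds_to_detect(),
        "events": m.events,
    }


if __name__ == "__main__":
    for line in run_scenario()["events"]:
        print(line)
```

The `seconds_to_detect` value is the practical trade-off when choosing "x" and "y": a small hello interval and low threshold rebuild the tunnel quickly after an outage but make the tunnel more sensitive to brief packet loss, while larger values tolerate loss at the cost of a longer window in which traffic is silently dropped.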

Here is the problem or goal:

  • Cannot communicate across VPN
  • Rebuilding a VPN when remote site goes down

Problem Environment:

  • VPN not working
  • IKE VPN tunnel was previously working
  • Gateway on one side of tunnel goes down either by power down or link down
  • Remote site gateway went down

Applicable Products:

  • NetScreen-5
  • NetScreen-5XP
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500

Applicable ScreenOS:

  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.1.0

