Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What is the state of a tunnel Interface when the associated VPN tunnel went down?

0

0

Article ID: KB6221 KB Last Updated: 20 Dec 2017Version: 5.0
Summary:
What is the state of a tunnel Interface when the associated VPN tunnel went down?
Symptoms:
Route-based VPN tunnel interfaces are commonly used as part of either static routing setup or OSPF/BGP dynamic routing purpose. Without proper configuration, the state of tunnel interfaces might change to READY state instead of DOWN state thus incur VPN network routing problems.
Solution:

There are three possible configurations:

1) IKE/IPSEC route-based VPN is configured with neither VPN Monitor nor the Rekey option:

When the associated VPN tunnel goes down, the tunnel interface will be in READY state, as there is no mechanism to identify the correct state.

2) IKE/IPSEC route-based VPN is configured with only VPN Monitor:

During the initial boot up process, the system will put the tunnel interface in the READY state. This READY state indicates that the tunnel interface is ready to pass traffic through but needs someone to trigger the VPN so that the SA's can be brought up. Once the SA becomes up, then the tunnel interface state will change to the UP state. The tunnel interface state will revert back to READY state if the associated VPN tunnel goes down.

3) IKE/IPSEC route-based VPN is configured with VPN Monitor and Rekey option:

This configuration will not wait for actual traffic to trigger the VPN and will always keep the SA's UP.  This brings the tunnel interface from READY to UP state. This option will only have either UP or DOWN state.

Option #3 is the preferred choice, i.e., the tunnel interfaces will change state to DOWN when the associated VPN tunnels are down.  Configuring VPN Monitor and rekey also has the following benefit:

With VPN Monitor and rekey configured on the VPN, if the VPN goes down, then the tunnel interface associated with that route will change to the Down state, and hence the route associated with that tunnel interface will be inactive.

Modification History:
‚Äč2017-12-07: Article reviewed for accuracy. Added ScreenOS tag in the title. Minor grammatical changes done . Article is correct and complete.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search