
Established sessions need to re-establish when the VPN Redundant Gateway fail-over occurs


Article ID: KB6372 KB Last Updated: 22 Jul 2010Version: 3.0
Summary:
Established sessions need to re-establish when the VPN Redundant Gateway fail-over occurs
Symptoms:
Redundant VPN Gateway

With the redundant VPN gateway feature, why do established sessions need to re-establish when the fail-over occurs?

Sessions get disconnected or dropped when failover occurs (redundant VPN gateway).
Solution:

This solution applies to ScreenOS 4.0.0 and higher:

The 'redundant VPN gateway' feature does not provide the same functionality as NSRP. To make a VPN failover with the 'Redundant VPN Gateway' feature more seamless, the handling of TCP sessions must be addressed. If, after a failover, the new active gateway receives a packet that belongs to an existing TCP session, the new gateway has no record of that session and therefore treats the packet as the first packet of a new TCP session, checking whether the SYN flag is set in the TCP header. Because the packet is really part of an established session, the SYN flag is not set, and the new gateway rejects it. With TCP SYN-flag checking enabled, every TCP application therefore has to reconnect after a failover occurs.

To ensure VPN sessions do not get interrupted after a VPN failover occurs:

From the CLI only:

unset flow tcp-syn-check-in-tunnel

Note: by default, SYN-flag checking is enabled.
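The following Python model is an added illustration (not ScreenOS code) of the behaviour described above: a gateway that keeps a session table, creates entries only on a SYN when in-tunnel SYN checking is enabled, and a backup gateway that takes over with an empty table because the redundant VPN gateway feature does not synchronize sessions the way NSRP does. Addresses, ports and the `state_sync` switch are constructed assumptions for the example.

```python
"""Model of why established TCP sessions drop after a redundant VPN gateway
failover when in-tunnel SYN checking is enabled (added illustration, not
ScreenOS code)."""
from __future__ import annotations
from dataclasses import dataclass, field

SYN = 0x02  # TCP SYN flag bit
ACK = 0x10  # TCP ACK flag bit


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


@dataclass
class Gateway:
    name: str
    tcp_syn_check_in_tunnel: bool = True  # ScreenOS default: checking enabled
    sessions: set = field(default_factory=set)

    def receive(self, pkt: Packet) -> str:
        """Return what the gateway does with an in-tunnel TCP packet."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.sessions:
            return "forwarded (existing session)"
        # No session entry: the packet is treated as the start of a new session.
        if self.tcp_syn_check_in_tunnel and not (pkt.flags & SYN):
            return "dropped (no session, SYN flag not set)"
        self.sessions.add(key)
        return "forwarded (new session created)"


def simulate(syn_check: bool, state_sync: bool = False) -> list[str]:
    """Run a handshake on the primary, fail over, then send mid-stream data.

    syn_check  -> value of 'flow tcp-syn-check-in-tunnel' on both gateways
    state_sync -> assumed NSRP-style session synchronization (constructed
                  switch to contrast with the redundant VPN gateway feature)
    """
    primary = Gateway("gw1", syn_check)
    backup = Gateway("gw2", syn_check)
    # Constructed sample flow: client 10.1.1.10 -> server 10.2.2.20:443
    handshake = Packet("10.1.1.10", "10.2.2.20", 40000, 443, SYN)
    data = Packet("10.1.1.10", "10.2.2.20", 40000, 443, ACK)

    results = [primary.receive(handshake), primary.receive(data)]
    if state_sync:
        backup.sessions = set(primary.sessions)  # sessions copied before failover
    # Failover: the backup now sees the next mid-stream packet.
    results.append(backup.receive(data))
    return results


if __name__ == "__main__":
    for label, args in (("syn-check on", (True,)),
                        ("syn-check off", (False,)),
                        ("session sync", (True, True))):
        print(label, "->", simulate(*args)[-1])
```

With `syn_check=True` the third result is the drop that forces applications to reconnect; with `syn_check=False` the backup accepts the mid-stream packet and creates a session for it, which is exactly what `unset flow tcp-syn-check-in-tunnel` trades away: the backup can no longer distinguish a legitimate surviving flow from any other non-SYN segment arriving through the tunnel, so the relaxation should be limited to the tunnel traffic that needs it.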


Here is the problem or goal:

  • With redundant VPN gateway feature, why do established sessions need to re-establish when the fail-over occurs?
  • Sessions get disconnected or dropped when failover occurs (redundant VPN gateway).

Problem Environment:

  • Redundant VPN Gateway

Applicable Products:

  • NetScreen-5XP
  • NetScreen-5XT
  • NetScreen-10
  • NetScreen-25
  • NetScreen-50
  • NetScreen-100
  • NetScreen-204
  • NetScreen-208
  • NetScreen-500
  • NetScreen-1000
  • NetScreen-5200

Applicable ScreenOS:

  • 3.0.0
  • 3.0.1
  • 3.0.2
  • 3.0.3
  • 4.0.0
  • 4.0.0-DIAL
  • 4.0.1
  • 4.0.2
