Established sessions need to re-establish when the VPN Redundant Gateway fail-over occurs
Redundant VPN Gateway
With the redundant VPN gateway feature, why do established sessions need to re-establish when the fail-over occurs?
Sessions get disconnected or dropped when failover occurs (redundant VPN gateway).
This solution applies to ScreenOS 4.0.0 and higher:
The 'Redundant VPN Gateway' feature does not provide the same functionality as NSRP: it fails the tunnel over to another gateway, but it does not synchronize the session table. For a VPN failover to be close to seamless, the handling of existing TCP sessions therefore has to be addressed on the gateway that takes over.
After a failover, the new active gateway has no entry for a TCP session that was established through the old gateway. When it receives a packet belonging to that session, it treats the packet as the first packet of a new TCP session and checks whether the SYN flag is set in the TCP header. Because the packet is really part of an existing session, the SYN flag is not set, so the new gateway rejects the packet. With TCP SYN flag checking enabled, every TCP application inside the tunnel has to reconnect after the failover.
To allow established TCP sessions inside the tunnel to survive a VPN gateway failover, disable SYN flag checking for tunnel traffic on each redundant gateway.
From the CLI:
unset flow tcp-syn-check-in-tunnel
Note: by default, SYN flag checking for tunnel traffic is enabled. The command only affects packets arriving through VPN tunnels; SYN checking for clear-text traffic (flow tcp-syn-check) is not changed. The trade-off is that the gateway will create a session from a non-SYN packet received inside a tunnel, so apply the change on every gateway that can become active, and run save so that it persists across a reboot.
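The following is an added example, not ScreenOS code, that models the behaviour described above: two gateways with independent session tables, a TCP session established through the first, and the next data packet of that session arriving at the second after a failover. The Gateway, Packet and failover_outcome names, the addresses and the ports are all constructed for the illustration; the only behaviour it models is the SYN check on the first packet of an unknown session.

```python
"""Model of TCP SYN checking across a redundant VPN gateway failover.

Added example (not ScreenOS code). Gateways, packets and addresses are
constructed here to show why a mid-stream packet is dropped by the new
active gateway when SYN checking is enabled, and accepted when it is not.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True if the SYN flag is set in the TCP header

    def key(self):
        # 4-tuple used as the session-table lookup key
        return (self.src, self.sport, self.dst, self.dport)


@dataclass
class Gateway:
    name: str
    syn_check_in_tunnel: bool = True  # modelled default: SYN checking enabled
    sessions: set = field(default_factory=set)  # per-gateway, never synchronized

    def handle_tunnel_packet(self, pkt):
        """Return 'forward' or 'drop' for a packet arriving inside the VPN tunnel."""
        if pkt.key() in self.sessions:
            return "forward"  # known session: flags are not re-checked
        # No session entry: the packet is treated as the first packet of a new session.
        if self.syn_check_in_tunnel and not pkt.syn:
            return "drop"  # mid-stream packet without SYN is rejected
        self.sessions.add(pkt.key())
        return "forward"


def failover_outcome(syn_check_enabled):
    """Establish a session on gateway A, fail over to B, send the next data packet to B.

    Returns B's verdict on that data packet: 'drop' or 'forward'.
    """
    gw_a = Gateway("gw-a", syn_check_enabled)
    gw_b = Gateway("gw-b", syn_check_enabled)
    # Constructed sample flow: a client behind gw-a talking to a server behind the peer.
    syn = Packet("10.1.1.10", 40000, "10.2.2.20", 443, syn=True)
    data = Packet("10.1.1.10", 40000, "10.2.2.20", 443, syn=False)
    if gw_a.handle_tunnel_packet(syn) != "forward":
        raise RuntimeError("handshake SYN should be accepted by gw-a")
    if gw_a.handle_tunnel_packet(data) != "forward":
        raise RuntimeError("data on the established session should be forwarded by gw-a")
    # Failover: gw-b takes over with an empty session table.
    return gw_b.handle_tunnel_packet(data)


if __name__ == "__main__":
    print("SYN check enabled  ->", failover_outcome(True))   # drop
    print("SYN check disabled ->", failover_outcome(False))  # forward
```

Running the script shows the two outcomes side by side: with the check enabled the data packet is dropped and the application must reconnect; with it disabled the new gateway creates a session from the in-flight packet and the connection continues.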
Problem Environment:
Applicable Products:
- NetScreen-5XP
- NetScreen-5XT
- NetScreen-10
- NetScreen-25
- NetScreen-50
- NetScreen-100
- NetScreen-204
- NetScreen-208
- NetScreen-500
- NetScreen-1000
- NetScreen-5200
Applicable ScreenOS:
- 3.0.0
- 3.0.1
- 3.0.2
- 3.0.3
- 4.0.0
- 4.0.0-DIAL
- 4.0.1
- 4.0.2