
[ScreenOS] How to use VPN Monitoring with a non-ScreenOS device at the remote-end of a VPN tunnel.


Article ID: KB8530   Last Updated: 27 Dec 2018   Version: 5.0
Summary:
VPN monitoring, in its default configuration, is not supported when the device at the remote end of the tunnel is not running ScreenOS. With VPN monitoring enabled against such a peer, the polling always fails and the SA status is shown as A/D (the VPN is Active, but monitoring reports it as Down). If the 'rekey' option is also enabled, the SA will rekey continually, once per vpnmonitor threshold timeout.
Symptoms:

In the diagram below, points A and D are private (internal) addresses, and points B and C are public (Internet-facing/external) addresses.

+--[NS]-----------[ INTERNET ]----------[other-vpn]--+
  A    B                               C           D

By default, VPN monitoring in ScreenOS sends ping packets between the public addresses (that is, from source address B to destination address C), but sends them inside the tunnel (that is, encrypted). The problem is that these pings do not match the proxy-ID of the VPN: a ScreenOS device accepts and responds to them anyway, but a non-ScreenOS device discards them because they fall outside the traffic selectors it negotiated.

Solution:

Configure 'vpnmonitor' with a source/destination address pair that falls inside the proxy-ID of the VPN tunnel (e.g. addresses A and D in the sketch above).

When these pings are sent across the tunnel (encrypted), the packets match the proxy-ID at the remote end, are decrypted, and are forwarded to the target address. Assuming the target is alive and answers ICMP echo requests, the replies are received at the ScreenOS end and VPN monitoring flags the tunnel as A/U (Active, Up). Confirm with 'get sa' that the status column for the tunnel has changed from A/D to A/U.

Juniper firewall note:
If the proxy-ID for the VPN does not include an address local to the Juniper firewall (i.e. there is no interface whose address the pings can be sourced from), create a /32 loopback interface with an unused address from the local side of the proxy-ID range and use it as the ping source.
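As an added illustration (not part of this KB article or any Juniper code), the following Python model reproduces the decision described in the Symptoms and Solution sections and the loopback rule in the note above: a monitor ping survives at a non-ScreenOS peer only if its source/destination pair lies inside the tunnel's proxy-ID, so the default B->C pair yields A/D while the A->D pair yields A/U. The addresses, the proxy-ID, the "peer is ScreenOS" flag and the vpnmonitor interval/threshold values (10 s, 10 pings) used for the rekey cadence are all constructed assumptions for the example.

```python
"""Model of the proxy-ID check that decides whether a ScreenOS vpnmonitor ping
survives at a non-ScreenOS peer.  Added example, not from KB8530 or Juniper;
the addresses are constructed (RFC 5737 documentation ranges for the public
ends) and the interval/threshold values used for the rekey cadence are an
assumption."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyId:
    """Traffic selectors negotiated for the tunnel (local <-> remote subnet)."""
    local: str   # e.g. "10.1.1.0/24"
    remote: str  # e.g. "10.2.2.0/24"

    def covers(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.remote))


@dataclass(frozen=True)
class VpnMonitor:
    """The source/destination pair vpnmonitor pings with, and whether rekey is set."""
    source_ip: str
    destination_ip: str
    rekey: bool = False


def peer_accepts_ping(proxy_id: ProxyId, mon: VpnMonitor, peer_is_screenos: bool) -> bool:
    """What the remote end does with a decrypted monitor ping.

    ScreenOS answers monitor pings even when they fall outside the proxy-ID;
    any other IPsec implementation drops packets outside the selectors it
    negotiated, which is exactly the article's symptom.
    """
    if peer_is_screenos:
        return True
    return proxy_id.covers(mon.source_ip, mon.destination_ip)


def sa_status(proxy_id: ProxyId, mon: VpnMonitor, peer_is_screenos: bool,
              peer_alive: bool = True) -> str:
    """Status as 'get sa' shows it: A/U when replies come back, A/D otherwise."""
    if peer_alive and peer_accepts_ping(proxy_id, mon, peer_is_screenos):
        return "A/U"
    return "A/D"


def rekeys_per_hour(mon: VpnMonitor, status: str, interval_s: int = 10,
                    threshold: int = 10) -> int:
    """Rekey attempts per hour while monitoring reports Down and 'rekey' is on.

    interval_s/threshold are assumed values: the tunnel is declared down after
    `threshold` consecutive failed pings `interval_s` apart, and with rekey
    enabled the SA is renegotiated each time that timeout expires.
    """
    if status != "A/D" or not mon.rekey:
        return 0
    return 3600 // (interval_s * threshold)


def pick_loopback_source(proxy_local: str, in_use) -> str:
    """Choose a /32 for a loopback interface from the proxy-ID's local range.

    Used when no firewall interface sits inside the local selector; the highest
    host address not already in use is returned in CIDR form.
    """
    used = {ipaddress.ip_address(a) for a in in_use}
    for host in reversed(list(ipaddress.ip_network(proxy_local).hosts())):
        if host not in used:
            return f"{host}/32"
    raise ValueError("no unused address in the proxy-ID local range")


# Constructed topology following the article's sketch:
#   +--[NS]-----------[ INTERNET ]----------[other-vpn]--+
#     A    B                               C           D
A = "10.1.1.1"        # NS trust-side address (private)
B = "203.0.113.10"    # NS untrust-side address (public)
C = "198.51.100.20"   # peer's public address
D = "10.2.2.5"        # host behind the peer (private)
PROXY_ID = ProxyId(local="10.1.1.0/24", remote="10.2.2.0/24")

DEFAULT_MONITOR = VpnMonitor(source_ip=B, destination_ip=C, rekey=True)  # B -> C, the default
FIXED_MONITOR = VpnMonitor(source_ip=A, destination_ip=D, rekey=True)    # A -> D, the fix

if __name__ == "__main__":
    for label, mon in (("default (B->C)", DEFAULT_MONITOR), ("fixed (A->D)", FIXED_MONITOR)):
        status = sa_status(PROXY_ID, mon, peer_is_screenos=False)
        print(f"{label}: {status}, rekeys/hour={rekeys_per_hour(mon, status)}")
    # Proxy-ID whose local side has no firewall interface: source from a loopback /32
    print("loopback source:", pick_loopback_source("192.168.50.0/24", in_use=["192.168.50.254"]))
```

The model also shows the second symptom from the Summary: with 'rekey' on, the default pair produces a rekey every threshold timeout (36 per hour with the assumed 10 s x 10 values), while the corrected pair produces none. On ScreenOS the equivalent configuration is, from memory of the CLI (verify against the reference for your release), 'set vpn <name> monitor source-interface <interface> destination-ip <address> [rekey]' for the monitor pair and 'set interface loopback.<n> ip <address>/32' for the loopback source.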

Modification History:
2018-12-27: Minor non-technical edits.