[ScreenOS] How to use VPN Monitoring with a non-ScreenOS device at the remote-end of a VPN tunnel.

  [KB8530]

VPN monitoring, with its default configuration, is not supported when the device at the remote end of the tunnel is not running ScreenOS. With VPN monitoring enabled in that situation, the polling always fails and the SA status is shown as A/D (the VPN is Active, but monitoring reports it as Down). If the 'rekey' option is also enabled, the SA will be torn down and re-established every time the vpnmonitor threshold is reached.

Following the diagram below, points A and D are private (internal) addresses; and points B and C are public (internet/external) addresses.

+--[NS]-----------[ INTERNET ]----------[other-vpn]--+
  A    B                               C           D

VPN monitoring in ScreenOS uses ICMP echo (ping) packets sent between the public addresses (that is, from source address B to destination address C), but these are sent inside the tunnel (that is, encrypted). The problem is that these pings do not match the proxy-ID of the VPN. A ScreenOS device will accept and respond to them anyway, but a non-ScreenOS device discards them, because decrypted traffic that does not match the SA's traffic selectors fails the peer's inbound policy check.


Configure 'vpnmonitor' to use a source-destination address pair that matches the proxy-ID of the VPN tunnel (e.g. A as the source and D as the destination in the sketch above).

When these pings are sent across the tunnel, encrypted, the packets match the proxy-ID, get decrypted at the remote end and are forwarded to the target address. Assuming the target is alive, reply packets are received at the ScreenOS end, and VPN monitoring will flag the tunnel as A/U (Active, Up).

Juniper firewall note:
If the proxy-ID for the VPN does not include an address local to the Juniper firewall (i.e. there is no matching interface to source the pings from), create a /32 loopback interface configured with an unused address from the proxy-ID range and use that interface as the source.
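The procedure above as a worked ScreenOS CLI configuration, showing the default (failing) monitor setting beside the corrected one and the loopback variant. This is an added example, not configuration taken from the KB article: the VPN and gateway names, interface assignments, addresses and the pre-shared key placeholder are all assumed for illustration, and lines beginning with '#' are annotations for the reader rather than CLI input.

```screenos
# Added example (not from the KB article). Lines starting with '#' are
# annotations, not ScreenOS CLI input.
# Assumed topology (hypothetical names and addresses):
#   ethernet0/1  trust zone,   10.1.1.1/24     (point A, private)
#   ethernet0/0  untrust zone, 203.0.113.2/24  (point B, public)
#   peer gateway 198.51.100.2                  (point C, public)
#   remote host  10.2.2.1 in 10.2.2.0/24       (point D, private)
#   VPN name "to-other-vpn", IKE gateway "gw-other"

# Phase 1 and Phase 2 as normally configured for a policy-based VPN.
set ike gateway gw-other address 198.51.100.2 main outgoing-interface ethernet0/0 preshare "REPLACE-ME" sec-level standard
set vpn to-other-vpn gateway gw-other sec-level standard
set vpn to-other-vpn proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 "ANY"

# Default monitor (fails against a non-ScreenOS peer): pings are sourced from
# the outgoing interface (B) and sent to the peer gateway (C). After decryption
# at the far end, 203.0.113.2 -> 198.51.100.2 does not match the selectors
# 10.1.1.0/24 -> 10.2.2.0/24, so the peer drops them and 'get sa' shows A/D.
set vpn to-other-vpn monitor

# Corrected monitor: source the pings from an interface whose address lies in
# the local proxy-ID range and target a live host in the remote proxy-ID range.
# Add 'rekey' at the end only if you want a failed poll to tear down the SA.
unset vpn to-other-vpn monitor
set vpn to-other-vpn monitor source-interface ethernet0/1 destination-ip 10.2.2.1

# Loopback variant (replaces the proxy-ID and monitor lines above): the
# proxy-ID covers a network behind the firewall, say 192.168.50.0/24, but no
# firewall interface has an address in it. Create a /32 loopback with an
# unused address from that range and source the monitor pings from it.
unset vpn to-other-vpn monitor
unset vpn to-other-vpn proxy-id
set interface loopback.1 zone trust
set interface loopback.1 ip 192.168.50.254/32
set vpn to-other-vpn proxy-id local-ip 192.168.50.0/24 remote-ip 10.2.2.0/24 "ANY"
set vpn to-other-vpn monitor source-interface loopback.1 destination-ip 10.2.2.1

# Verify: the SA line for to-other-vpn should read A/U once replies arrive,
# and 'get vpn' shows the monitor source interface and destination in effect.
get sa
get vpn to-other-vpn
```

After applying the corrected monitor line, allow a few polling intervals before checking 'get sa'; a tunnel that stays at A/D with the new settings usually means the destination host does not answer ICMP, or its address is outside the remote proxy-ID range so the reply is not routed back through the tunnel.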

Modification History:
2018-12-27: Minor non-technical edits.