[ScreenOS] How to use VPN Monitoring with a non-ScreenOS device at the remote-end of a VPN tunnel.

[KB8530]


Summary:
VPN monitoring, with the default configuration, is not supported by non-ScreenOS devices. With VPN monitoring enabled, the polling will always fail and the SA status will be shown as A/D (VPN is Active, but monitoring reports it as Down). Also, if the 'rekey' option is enabled, the SA will continually rekey at the vpnmonitor threshold timeout.
Symptoms:

Following the diagram below, points A and D are private (internal) addresses; and points B and C are public (internet/external) addresses.

+--[NS]-----------[ INTERNET ]----------[other-vpn]--+
  A    B                               C           D

VPN monitoring in ScreenOS uses ping packets between the public addresses (that is, pings sent from source address B to destination address C), but these are sent within the tunnel (that is, encrypted). The problem is that these pings do not match the proxy-id of the VPN. A ScreenOS device will accept and respond to them, but a non-ScreenOS device will discard them.

Solution:

Configure 'vpnmonitor' to use a source-destination address pair that matches the proxy-id of the VPN tunnel (e.g. interfaces A and D in the sketch above).

When these pings are sent across the tunnel, encrypted, the packets will match the proxy-id, get decrypted and be forwarded to the target address. Assuming the target is alive, reply packets will be received at the ScreenOS end, and VPN monitoring will flag the tunnel as A/U (Active/Up).

Juniper firewall note:
If the Proxy-ID for the VPN does not include an address local to the Juniper firewall (i.e. there is no matching interface to source the pings from), you can create a /32 loopback interface configured with an unused address from the proxy-id range and use it as the source.
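The following is an added configuration example illustrating both the solution above and the loopback note; it is not part of the KB article. It assumes network A is 10.1.1.0/24 on ethernet0/0 (zone trust), network D is 10.2.2.0/24 with a live host 10.2.2.10, a VPN named to-other-vpn already bound to its IKE gateway, and the '#' lines are annotations rather than ScreenOS syntax.

```screenos
# Added example (not from the KB); addresses and VPN name are assumed.
# 1. Proxy-ID for the tunnel: traffic between A (10.1.1.0/24) and D (10.2.2.0/24).
set vpn to-other-vpn proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any

# 2. Monitor with a source/destination pair inside the proxy-id:
#    source = the trust interface holding an address in A,
#    destination = a host in D that answers ICMP.
set vpnmonitor interval 10
set vpnmonitor threshold 10
set vpn to-other-vpn monitor source-interface ethernet0/0 destination-ip 10.2.2.10

# 3. Alternative when no local interface carries an address from the proxy-id:
#    source the pings from a /32 loopback with an unused address from that range.
set interface loopback.1 zone trust
set interface loopback.1 ip 10.1.1.254/32
set vpn to-other-vpn monitor source-interface loopback.1 destination-ip 10.2.2.10

# 4. Only add 'rekey' once replies are confirmed; with a mismatched pair the SA
#    would otherwise rekey continually at the threshold timeout.
set vpn to-other-vpn monitor source-interface loopback.1 destination-ip 10.2.2.10 rekey

# 5. Verify: the status should read A/U once replies arrive.
get sa
get vpn to-other-vpn
```

Steps 2 and 3 are alternatives; apply whichever matches the local addressing, since a later 'set vpn ... monitor' line replaces the earlier one.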

Modification History:
2018-12-27: Minor non-technical edits.