
[ScreenOS] How to configure the Source Interface and Destination IP options of VPN Monitor


Article ID: KB9503 KB Last Updated: 27 Dec 2017 Version: 6.0
Summary:
The VPN is in the Active/Down state when the VPN Monitor is down. Some possible reasons for the VPN Monitor down condition are:
  • Remote VPN connection is configured to block ICMP echo requests
  • Remote VPN connection is a third-party product that does not respond to ICMP echo requests

When configuring the VPN Monitor, consider:
  • When VPN Monitor is enabled and a source interface is not chosen, the Firewall device uses the outgoing interface as the default.
  • When VPN Monitor is enabled and a destination IP address is not specified, the Firewall device uses the IP address for the remote gateway.

Use the steps described below to configure the source interface and destination IP options for the VPN Monitor.
Symptoms:
  • VPN Monitor is Down.
  • VPN status shows Active/Down.
Solution:

Configure VPN Monitor to use the Source interface and Destination IP options. 

To configure these options in the WebUI

  1. Select VPNs > Autokey IKE.
  2. Edit the appropriate VPN, and click on the Advanced button at the bottom of the screen.  
    This will take you to the Advanced settings screen. The VPN Monitor settings are at the bottom of the page. 

  3. Set the Destination IP to an internal host in the remote peer’s LAN that responds to ICMP echo requests. Also, the remote peer’s firewall must have a policy permitting the ICMP echo requests of VPN Monitor to pass through it. 
    For more information, refer to the Source Interface and Destination Address and Policy Consideration sections of the following manual:
    Concepts & Examples ScreenOS Reference Guide Version 6.3.0
  4. Source Interface: Select the interface to be used as the source interface for VPN monitor packets. For VPN monitoring through NetScreen Remote, the source interface for VPN monitor packets must be bound to the Trust zone of the network being monitored.
  5. Optimized: Select this check box if you want the Juniper Firewall device to accept incoming traffic through the VPN tunnel as a substitute for ICMP echo replies. If there is both incoming and outgoing traffic through the VPN tunnel, the device suppresses VPN monitoring pings.


To configure the above options in the CLI

  • Enter the command:
    set vpn <vpn_name> monitor source-interface <interface> destination-ip <ip_addr> optimized [rekey]
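
To find which tunnels are in the Active/Down state described above, this added example (not Juniper's code) parses saved `get sa` output. It assumes the commonly seen column layout in which the Sta field reads SA state/VPN Monitor state (A/U, A/D, A/-, I/I); the sample output and the names `tunnel_states` and `monitor_down` are constructed for illustration.

```python
import re

# Constructed sample in the commonly seen `get sa` layout (assumed, not from the article).
SAMPLE_GET_SA = """\
total configured sa: 4
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<      192.0.2.10  500 esp:3des/sha1 d5d6a0b2  3540 unlim A/U    -1 0
00000001>      192.0.2.10  500 esp:3des/sha1 a1e5b0c3  3540 unlim A/U    -1 0
00000002<      192.0.2.20  500 esp:3des/sha1 0b1c2d3e  2210 unlim A/D    -1 0
00000002>      192.0.2.20  500 esp:3des/sha1 4f5a6b7c  2210 unlim A/D    -1 0
00000003<    198.51.100.7  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000003>    198.51.100.7  500 esp:3des/sha1 00000000 expir unlim I/I    -1 0
00000004<     203.0.113.5  500 esp:3des/sha1 1a2b3c4d  1800 unlim A/-    -1 0
00000004>     203.0.113.5  500 esp:3des/sha1 5e6f7a8b  1800 unlim A/-    -1 0
"""

# <hex id><direction> <gateway> ... <SA state>/<VPN Monitor state> ...
SA_LINE = re.compile(
    r"^(?P<id>[0-9a-fA-F]{8})[<>]\s+(?P<gw>\S+)\s.*\s(?P<sa>[AI])/(?P<mon>[UDI-])\s")
MONITOR = {"U": "up", "D": "monitor-down", "-": "unmonitored"}
SEVERITY = {"up": 0, "unmonitored": 1, "inactive": 2, "monitor-down": 3}


def tunnel_states(get_sa_text):
    """Return {(hex_id, gateway): state}, keeping the worst state of both directions."""
    states = {}
    for line in get_sa_text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue  # header, counter line, or anything unrecognised
        state = MONITOR.get(m["mon"], "inactive") if m["sa"] == "A" else "inactive"
        key = (m["id"], m["gw"])
        states[key] = max(states.get(key, "up"), state, key=SEVERITY.get)
    return states


def monitor_down(get_sa_text):
    """Tunnels whose SA is active but whose VPN Monitor is down (Active/Down)."""
    return sorted(k for k, v in tunnel_states(get_sa_text).items() if v == "monitor-down")


if __name__ == "__main__":
    for hex_id, gateway in monitor_down(SAMPLE_GET_SA):
        print(f"{hex_id} {gateway}: Active/Down, review VPN Monitor destination-ip "
              "and the remote peer's ICMP policy")
```

Tunnels reported as unmonitored have no VPN Monitor configured, so they never appear as Active/Down even when the remote side is unreachable.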

 

Modification History:
2017-12-23: Article reviewed for accuracy. Older hyperlinks replaced by 6.3.0 CNE. Article is correct and complete.
