
[ScreenOS] How to enable the Optimized feature of VPN Monitor and what does it do


Article ID: KB9522 | KB Last Updated: 29 May 2019 | Version: 7.0
Summary:

This article explains how to enable the Optimized feature of VPN Monitor and what the feature does.
 

Symptoms:
When optimization is enabled, existing traffic through the VPN is used for monitoring instead of the VPN monitor ping that would normally be sent. How is optimization enabled, and what is it used for?
Solution:

To enable the Optimized feature of VPN Monitor:

WebUI

  1. Select VPNs > AutoKey IKE.
  2. Find the AutoKey IKE for the tunnel in question and click Edit.
  3. Click the Advanced button.

    The VPN Monitor configuration is at the bottom of the page. The Optimized feature is enabled with a check box:
For information on Source Interface and Destination IP, refer to KB9503 - Configuring the Source Interface and Destination IP options of VPN Monitor  


CLI:

Type the following command:
set vpn <vpnname> monitor optimized [rekey]

 

What is the Optimized feature used for?

When you enable VPN monitoring for a specific tunnel, the security device sends ICMP echo requests (or pings) via the tunnel at specified intervals (configured in seconds) to monitor network connectivity through the tunnel.  For information on configuring the VPN monitor time and threshold, refer to KB3988 - How does VPN monitor detect the VPN is up or down?

When Optimized is selected, the VPN monitoring behavior changes as follows:

  • The Juniper firewall device accepts incoming traffic through the VPN tunnel as a substitute for ICMP echo replies.
  • If there is both incoming and outgoing traffic through the VPN tunnel, the device suppresses VPN monitoring pings.
  • If you enable VPN monitoring optimization, be aware that VPN monitoring can no longer provide accurate SNMP statistics.
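
The following Python model is an added illustration, not Juniper code or part of the original article. It applies the two behavior changes listed above to a constructed sequence of monitor intervals; the threshold of 3 consecutive misses, the Interval fields and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Interval:
    inbound: bool     # traffic was received through the tunnel in this interval
    outbound: bool    # traffic was sent through the tunnel in this interval
    echo_reply: bool  # the peer would answer a monitor ping if one were sent

def simulate(intervals, optimized, threshold=3):
    """Simplified model: return (pings_sent, status per interval).

    threshold = consecutive missed checks before the tunnel is marked
    down (assumed value, not taken from the article).
    """
    misses, pings_sent, status = 0, 0, []
    for iv in intervals:
        # Optimized: pings are suppressed while traffic flows both ways.
        send_ping = not (optimized and iv.inbound and iv.outbound)
        if send_ping:
            pings_sent += 1
        # Optimized: incoming tunnel traffic stands in for an echo reply.
        alive = (send_ping and iv.echo_reply) or (optimized and iv.inbound)
        misses = 0 if alive else misses + 1
        status.append("down" if misses >= threshold else "up")
    return pings_sent, status

# Constructed sample: the peer never answers monitor pings.
# Intervals 1-4: traffic in both directions.
# Intervals 5-6: inbound traffic only.
# Intervals 7-9: no traffic at all (the tunnel really is dead).
SAMPLE = (
    [Interval(True, True, False)] * 4
    + [Interval(True, False, False)] * 2
    + [Interval(False, False, False)] * 3
)

if __name__ == "__main__":
    for mode in (False, True):
        sent, status = simulate(SAMPLE, optimized=mode)
        print(f"optimized={mode}: pings sent={sent}, status={status}")
```

In this model the non-optimized monitor marks the tunnel down at the third interval even though traffic is still arriving, while the optimized monitor keeps it up until inbound traffic actually stops.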


Note: If you upgrade from ScreenOS 4.x to ScreenOS 5.x and find that the VPN tunnels are marked as down by the VPN monitor, it is recommended to enable the Optimized feature of VPN Monitor.

Modification History:
2019-05-28: Solution section restored.  In the prior version, the solution section was empty.
