Monitor Your IPSec VPN Tunnel
Updated on
Apr 4, 2024
Focus
Download PDF
Updated on
Apr 4, 2024
Focus
- Home
- Network Security
- Monitor Your IPSec VPN Tunnel
Download PDF
Network Security
Table of Contents
Where Can I Use This? | What Do I Need? |
|---|---|
| No license required |
Tunnel Monitoring
For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.
If the destination IP address is unreachable, you either configure the firewall to wait for the tunnel to recover or configure an automatic failover to another tunnel. In either case, the firewall generates a system log that alerts you to a tunnel failure and renegotiates the IPSec keys to accelerate recovery.
To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. A DPD (Dead Peer Detection) profile provides information about the number of seconds to wait in between probes to detect if an IPSec peer site is alive or not. The liveness check for IKEv2 is similar to DPD, which IKEv1 uses as the way to determine whether a peer is still available.
You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:
Define a Tunnel Monitoring Profile
View the Tunnel Status
For troubleshooting purposes, you can Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel.
Liveness Check
If there has only been outgoing traffic on all of the SAs associated with an IKE SA, it is essential to confirm the liveness of the other endpoint to avoid black holes. IKEv2 gateways can perform liveness checks to prevent sending messages to a dead peer. Receipt of a fresh cryptographically protected message on an IKE SA or any of its child SAs ensures the liveness of the IKE SA and all of its child SAs.
IKEv2 uses a liveness check (similar to Dead Peer Detection (DPD) in IKEv1) to determine whether a peer is still available. The liveness check option is enabled by default. Select Network Network Profiles IKE Gateways
Advanced Options
to configure the interval (in seconds) in theLiveness Check
for the IKE gateway. Note that you can configure the liveness check option only if you have selectedIKEv2 only mode
IKEv2 preferred mode
for theVersion
in theIKE Gateway
(Network Network Profiles IKE Gateways
IKEv1 only mode
for the IKE GatewayVersion
, then theAdvanced Options
would display IKEv1 configuration parameters such as,Exchange mode
andDead Peer Detection
.In IKEv2, the liveness check is achieved by any IKEv2 packet transmission or a liveness check message that the gateway sends to the peer at a configurable interval, 5 seconds by default. If there is no response, the sender attempts the retransmission up to 10 times with increasing timeout (in seconds) for each retry as follows:
5 + 10 + 20 + 40 + 60 + 60 + 60 + 60 + 60 + 60 = 7 minutes and 15 seconds
If it doesn’t get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.
After maximum retries are reached, the firewall will tear down phase 1 and phase 2 (child) SAs.
"); adBlockNotification.append($( "Thanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application." )); let adBlockNotificationClose = $("x"); adBlockNotification.prepend(adBlockNotificationClose) $('body').append(adBlockNotification); setTimeout(function (e) { adBlockNotification.addClass('open'); }, 10); adBlockNotificationClose.on('click', function (e) { adBlockNotification.removeClass('open'); }) } }, 5000)
Recommended For You
{{ if(( raw.pantechdoctype != "techdocsAuthoredContentPage" && raw.objecttype != "Knowledge" && raw.pancommonsourcename != "TD pan.dev Docs")) { }} {{ if (raw.panbooktype) { }} {{ if (raw.panbooktype.indexOf('PANW Yellow Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Green Theme') != -1){ }}
{{ } else if (raw.panbooktype.indexOf('PANW Blue Theme') != -1){ }}
{{ } else { }}
{{ } }} {{ } else { }}
{{ } }} {{ } else { }} {{ if (raw.pantechdoctype == "pdf"){ }}
{{ } else if (raw.objecttype == "Knowledge") { }}
{{ } else if (raw.pancommonsourcename == "TD pan.dev Docs") { }}
{{ } else if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ } else { }}
{{ } }} {{ } }}
{{ if (raw.pancommonsourcename == "LIVEcommunity Public") { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } else { }}
{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
{{ } }}
{{ if (raw.pancommonsourcename != "TD pan.dev Docs"){ }} {{ if (raw.pandevdocsosversion){ }} {{ } else { }} {{ if ((_.size(raw.panosversion)>0) && !(_.isNull(raw.panconversationid )) && (!(_.isEmpty(raw.panconversationid ))) && !(_.isNull(raw.otherversions ))) { }} (See other versions) {{ } }} {{ } }} {{ } }}
{{ } }}{{ if (raw.pantechdoctype == "bookDetailPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "bookLandingPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "productLanding"){ }}
{{ } }}{{ if (raw.pantechdoctype == "techdocsAuthoredContentPage"){ }}
{{ } }}{{ if (raw.pantechdoctype == "pdf"){ }}
{{ } }}
