Monitor Your IPSec VPN Tunnel

Where Can I Use This?
  • PAN-OS
What Do I Need?
  • No license required

Tunnel Monitoring

For a VPN tunnel, you can check connectivity to a destination IP address across the tunnel. The network monitoring profile on the firewall allows you to verify connectivity (using ICMP) to a destination IP address or a next hop at a specified polling interval, and to specify an action on failure to access the monitored IP address.
If the destination IP address is unreachable, you can configure the firewall either to wait for the tunnel to recover or to fail over automatically to another tunnel. In either case, the firewall generates a system log that alerts you to the tunnel failure and renegotiates the IPSec keys to accelerate recovery.
To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. A DPD (Dead Peer Detection) profile provides information about the number of seconds to wait in between probes to detect if an IPSec peer site is alive or not. The liveness check for IKEv2 is similar to DPD, which IKEv1 uses as the way to determine whether a peer is still available.
You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:

Liveness Check

If there has only been outgoing traffic on all of the SAs associated with an IKE SA, it is essential to confirm the liveness of the other endpoint to avoid black holes. IKEv2 gateways can perform liveness checks to prevent sending messages to a dead peer. Receipt of a fresh cryptographically protected message on an IKE SA or any of its child SAs ensures the liveness of the IKE SA and all of its child SAs.
IKEv2 uses a liveness check (similar to Dead Peer Detection (DPD) in IKEv1) to determine whether a peer is still available. The liveness check option is enabled by default. Select Network > Network Profiles > IKE Gateways and then Advanced Options to configure the Liveness Check interval (in seconds) for the IKE gateway. Note that you can configure the liveness check option only if you have selected IKEv2 only mode or IKEv2 preferred mode for the Version in the IKE Gateway (Network > Network Profiles > IKE Gateways) configuration. If you select IKEv1 only mode for the IKE Gateway Version, the Advanced Options instead display IKEv1 configuration parameters such as Exchange mode and Dead Peer Detection.
In IKEv2, liveness is confirmed by any IKEv2 packet transmission or by a liveness check message that the gateway sends to the peer at a configurable interval, 5 seconds by default. If there is no response, the sender retransmits up to 10 times, with an increasing timeout (in seconds) for each retry, as follows:
5 + 10 + 20 + 40 + 60 + 60 + 60 + 60 + 60 + 60 = 7 minutes and 15 seconds
If it doesn’t get a response, the sender closes and deletes the IKE_SA and corresponding CHILD_SAs. The sender will start over by sending out another IKE_SA_INIT message.
After maximum retries are reached, the firewall will tear down phase 1 and phase 2 (child) SAs.
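The following is a small model of the retry timing described above, added here as an example (it is not PAN-OS code). The 5-second interval, 10 retries and 60-second cap are the page's stated defaults; the peer behaviour is a constructed simulation, useful for estimating how long a silent peer keeps an SA up before the firewall tears it down.

```python
"""Model of the IKEv2 liveness-check retransmission schedule (added example)."""
from typing import List, Optional


def retry_schedule(interval: int = 5, max_retries: int = 10, cap: int = 60) -> List[int]:
    """Timeout (seconds) before each retransmission: doubles each time, capped at `cap`."""
    schedule = []
    timeout = interval
    for _ in range(max_retries):
        schedule.append(timeout)
        timeout = min(timeout * 2, cap)
    return schedule


def time_to_teardown(interval: int = 5, max_retries: int = 10, cap: int = 60) -> int:
    """Seconds from the first unanswered probe until the IKE_SA is deleted."""
    return sum(retry_schedule(interval, max_retries, cap))


def simulate(peer_silent_from: Optional[int], interval: int = 5, max_retries: int = 10,
             cap: int = 60, horizon: int = 600) -> Optional[int]:
    """Walk the liveness check against a constructed peer.

    The peer answers every probe sent before `peer_silent_from` seconds
    (None means it always answers). Returns the time at which the gateway
    exhausts its retries and deletes the IKE_SA and CHILD_SAs, or None if
    the SA is still up after `horizon` seconds.
    """
    t = 0
    while t < horizon:
        t += interval  # idle interval elapsed with no fresh protected message: probe
        if peer_silent_from is None or t < peer_silent_from:
            continue   # reply received: liveness confirmed, timer restarts
        for timeout in retry_schedule(interval, max_retries, cap):
            t += timeout  # retransmit and wait the growing timeout
        return t       # maximum retries reached: tear down phase 1 and phase 2 SAs
    return None
```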