For a VPN tunnel, you can check connectivity to a destination IP address across the
tunnel. The network monitoring profile on the firewall allows you to verify
connectivity (using ICMP) to a destination IP address or a next hop at a specified
polling interval, and to specify an action on failure to access the monitored IP
address.
If the destination IP address becomes unreachable, you can configure the firewall
either to wait for the tunnel to recover or to fail over automatically to another
tunnel. In either case, the firewall generates a system log that alerts you to the
tunnel failure and renegotiates the IPSec keys to accelerate recovery.
To provide uninterrupted VPN service, you can use the Dead Peer Detection capability
along with the tunnel monitoring capability on the firewall. A DPD (Dead Peer
Detection) profile specifies the number of seconds to wait between probes that
determine whether an IPSec peer is still alive. IKEv1 uses DPD for this purpose;
IKEv2 uses a similar mechanism called the liveness check.
You can also monitor the status of the tunnel. These monitoring tasks are described
in the sections that follow.
If there has only been outgoing traffic on all of the SAs associated with an IKE SA,
it is essential to confirm the liveness of the other endpoint to avoid black-holing
traffic: outbound packets alone prove nothing about the peer. IKEv2 gateways
perform liveness checks to avoid sending messages to a dead peer. Receipt of a fresh,
cryptographically protected message on an IKE SA or any of its child SAs establishes
the liveness of the IKE SA and all of its child SAs.
IKEv2 uses a liveness check (similar to Dead Peer Detection (DPD) in IKEv1)
to determine whether a peer is still available. The liveness check option is enabled
by default. To configure the interval (in seconds) of the Liveness Check for the IKE
gateway, select Network > Network Profiles > IKE Gateways and open Advanced Options.
Note that the liveness check option is available only if you have selected IKEv2 only
mode or IKEv2 preferred mode for the Version in the IKE Gateway configuration
(Network > Network Profiles > IKE Gateways). If you select IKEv1 only mode for the
IKE Gateway Version, Advanced Options instead displays IKEv1 configuration parameters
such as Exchange mode and Dead Peer Detection.
In IKEv2, the liveness check is satisfied by any IKEv2 packet exchange or by a
liveness check message that the gateway sends to the peer at a configurable
interval, 5 seconds by default. If there is no response, the sender retransmits the
message up to 10 times, with an increasing timeout (in seconds) for each retry as
follows:
If no response arrives after the final retry, the sender closes and deletes the
IKE_SA and its CHILD_SAs, that is, it tears down both the phase 1 and the phase 2
(child) SAs, and then starts over by sending a new IKE_SA_INIT message.