
VPN Keep-Alives

VPN keep-alive packets determine whether a given path is reachable for a Prisma SD-WAN ION device. You can configure VPN keep-alives for circuit categories, circuits, and Secure Fabric Links.
VPN keep-alive packets are sent at a fixed interval on a VPN link. The VPN link is declared down if the peer is unreachable after a certain number of attempts and a certain period of time.
The location of the ION device in a network topology plays an important role in configuring VPN keep-alives. For example, you need to configure a higher value of the keep-alive Interval between two ION devices behind routers as compared to the keep-alive Interval between two ION devices not behind routers.
VPN keep-alives are configured at the following levels: circuit categories, circuits, and secure fabric links.
The order of precedence for VPN keep-alives is as follows:
  • VPN keep-alives configured at the secure fabric link level have the highest priority.
  • If VPN keep-alives are not configured at the secure fabric link level, then VPN keep-alives configured at the circuits level take effect.
  • If VPN keep-alives are not configured at both secure fabric link level and circuits level, then VPN keep-alives configured at the circuit categories level take effect.
If there is a mismatch in configuration between two VPN endpoints, then:
  • The keep-alive configuration with the larger keep-alive interval takes effect.
  • If keep-alive intervals are the same, then the configuration with the higher keep-alive failure count takes effect.
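
The precedence and mismatch rules above, worked through as an added example (not Palo Alto Networks code). The `KeepAlive` class and the function names are hypothetical, and the detection time assumes a link is declared down after failure count multiplied by interval, which the page does not state as an exact formula.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KeepAlive:
    interval_ms: int = 1000   # default interval given on the page
    failure_count: int = 3    # default failure count given on the page

    def __post_init__(self):
        # Ranges documented on the page for both fields.
        if not 100 <= self.interval_ms <= 600000:
            raise ValueError(f"interval {self.interval_ms} ms outside 100-600000 ms")
        if not 3 <= self.failure_count <= 30:
            raise ValueError(f"failure count {self.failure_count} outside 3-30")

    def detection_ms(self) -> int:
        # Assumption: one missed keep-alive per interval until the count is reached.
        return self.interval_ms * self.failure_count


def local_config(category: KeepAlive,
                 circuit: Optional[KeepAlive] = None,
                 fabric_link: Optional[KeepAlive] = None) -> KeepAlive:
    """Precedence: secure fabric link, then circuit, then circuit category."""
    if fabric_link is not None:
        return fabric_link
    if circuit is not None:
        return circuit
    return category


def negotiated(a: KeepAlive, b: KeepAlive) -> KeepAlive:
    """Mismatch rule: larger interval wins; on a tie, higher failure count wins."""
    return max(a, b, key=lambda k: (k.interval_ms, k.failure_count))


# Constructed sample: a metered branch circuit tuned to 5000 ms / 5 misses,
# and a peer that only has a circuit-category setting of 1000 ms / 10 misses.
branch = local_config(KeepAlive(), circuit=KeepAlive(5000, 5))
peer = local_config(KeepAlive(1000, 10))
link = negotiated(branch, peer)
print(link, f"declared down after about {link.detection_ms()} ms")
```

The peer expects a dead path to be noticed in about 10 seconds, but the negotiated setting stretches that to about 25 seconds, which is worth checking whenever one endpoint is tuned for a metered or lossy circuit.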

Configure VPN Keep-Alives for Circuit Categories

For metered links, where there is a cost for usage (such as LTE interfaces), VPN keep-alives can be adjusted to minimize the usage of the link and any costs associated with using the link. VPN keep-alives can also be modified for unreliable circuits that experience high latency and loss such as satellites.
  1. Select Manage, Resources, and then select Circuit Categories.
  2. Edit a circuit category and enter values for Keep-Alive Failure Count and Keep-Alive Interval.
    • For Keep-Alive Failure Count, enter a value between 3 and 30.
      The Keep-Alive Failure Count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
    • For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
      The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
  3. Select Use for Controller Connections and Use for Application Reachability Probes, as required for this selected circuit category.
  4. Click Update.

Configure VPN Keep-Alives for Circuits

  1. Select Workflows, Sites/Data Centers, Select a Site, and then Configuration.
  2. Click Change Circuits for either Internet Circuits or Private WAN Circuits.
  3. Click Edit below the circuit.
  4. In VPN Configs, for Keep-Alive Fail Count, enter a value between 3 and 30.
    The Keep-Alive Fail Count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
    1. For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
      The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
    2. Select the Override VPN Keep-Alive check box to use the VPN keep-alive values configured on the Circuit Information screen.
      When you select the Override VPN Keep-Alive check box, it implies that VPN keep-alive values configured for circuits are considered, and values configured for circuit categories are ignored.
  5. For Controller Connections and Application Reachability Probes, select Yes, No, or Use Circuit Category Setting from the drop-down.
  6. Click Done.

Configure VPN Keep-Alives for Secure Fabric Links

  1. From Map, select a branch site and click Overlay Connections.
  2. Select an overlay from either Branch-DC or Branch-Branch.
  3. On the Secure Fabric Link screen, click the edit icon and select the Enable VPN Configs check box.
  4. For Keep-Alive Failure Count, enter a value between 3 and 30.
    The keep-alive failure count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
  5. For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
    The keep-alive interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
  6. Click Save.
