To provide uninterrupted VPN service, you can use the Dead Peer Detection capability along with the tunnel monitoring capability on the firewall. You can also monitor the status of the tunnel. These monitoring tasks are described in the following sections:
Define a Tunnel Monitoring Profile
A tunnel monitoring profile allows you to verify connectivity between the VPN peers; you can configure the tunnel interface to ping a destination IP address at a specified interval and specify the action if the communication across the tunnel is broken.
Select Network > Network Profiles > Monitor. A default tunnel monitoring profile is available for use.
Click Add, and enter a Name for the profile.
Select the Action the firewall takes if the destination IP address becomes unreachable:
Wait Recover: the firewall waits for the tunnel to recover. It continues to use the tunnel interface in routing decisions as if the tunnel were still active.
Fail Over: the firewall forces traffic onto a backup path if one is available. It disables the tunnel interface, which removes from the routing table every route that uses that interface.
In either case, the firewall attempts to accelerate recovery by negotiating new IPSec keys.
Specify the Interval and Threshold that trigger the action. The Threshold is the number of missed heartbeats the firewall tolerates before it takes the action (range 2-100, default 5). The Interval is the time in seconds between heartbeats (range 2-10, default 3). With the defaults, the firewall keeps using a broken path for about 15 seconds (5 heartbeats x 3 seconds) before acting; lower either value to detect failures sooner at the cost of more monitor traffic and a higher chance of reacting to transient loss.
Attach the monitoring profile to the IPsec Tunnel configuration. See Enable Tunnel Monitoring.
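The following is an added example, not PAN-OS code or output: a small Python model of the Interval/Threshold/Action logic configured in the steps above. It replays a constructed sequence of heartbeat results against a monitoring profile and shows how long a dead path keeps carrying traffic, and what Wait Recover and Fail Over each do to the routing table. The class names, the sample routes via tunnel.1 and tunnel.2, and the assumption that a single answered heartbeat counts as recovery are illustrative choices made for the example.

```python
"""Model of the tunnel monitor Interval/Threshold/Action behaviour.

Added example, not PAN-OS code. Route entries, class names and the
"one answered heartbeat = recovered" rule are assumptions of the model.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    WAIT_RECOVER = "wait-recover"
    FAIL_OVER = "fail-over"


@dataclass
class MonitorProfile:
    name: str
    action: Action
    interval: int = 3    # seconds between heartbeats (PAN-OS range 2-10)
    threshold: int = 5   # missed heartbeats before acting (PAN-OS range 2-100)

    def __post_init__(self):
        if not 2 <= self.interval <= 10:
            raise ValueError("Interval must be 2-10 seconds")
        if not 2 <= self.threshold <= 100:
            raise ValueError("Threshold must be 2-100 heartbeats")

    def detection_time(self) -> int:
        """Seconds from the last answered heartbeat until the action fires."""
        return self.interval * self.threshold


@dataclass
class RoutingTable:
    # prefix -> list of (metric, interface); the lowest-metric usable route wins
    routes: dict
    disabled: set = field(default_factory=set)

    def next_hop(self, prefix: str):
        usable = [(m, i) for m, i in self.routes[prefix] if i not in self.disabled]
        return min(usable)[1] if usable else None


@dataclass
class TunnelMonitor:
    iface: str
    profile: MonitorProfile
    rt: RoutingTable
    missed: int = 0
    path_up: bool = True
    rekeys: int = 0
    events: list = field(default_factory=list)

    def heartbeat(self, t: int, answered: bool) -> None:
        """Process one monitor ping result received at time t (seconds)."""
        if answered:
            if not self.path_up:
                # Assumption: one answered heartbeat restores the path and, for
                # Fail Over, re-enables the interface and the routes using it.
                self.path_up = True
                self.rt.disabled.discard(self.iface)
                self.events.append((t, "recovered"))
            self.missed = 0
            return
        self.missed += 1
        if self.path_up and self.missed >= self.profile.threshold:
            self.path_up = False
            self.rekeys += 1  # both actions trigger a new IPSec key negotiation
            if self.profile.action is Action.FAIL_OVER:
                # Disabling the interface removes every route that uses it.
                self.rt.disabled.add(self.iface)
            self.events.append((t, f"down:{self.profile.action.value}"))


def run(profile: MonitorProfile, replies):
    """Replay heartbeat results; return the monitor and the next hop chosen
    for 10.2.0.0/16 after each heartbeat (constructed sample routes)."""
    rt = RoutingTable({"10.2.0.0/16": [(10, "tunnel.1"), (20, "tunnel.2")]})
    mon = TunnelMonitor("tunnel.1", profile, rt)
    chosen = []
    for n, answered in enumerate(replies):
        mon.heartbeat(n * profile.interval, answered)
        chosen.append(rt.next_hop("10.2.0.0/16"))
    return mon, chosen


if __name__ == "__main__":
    # Constructed sample: two good pings, five lost, then the path returns.
    sample = [True, True, False, False, False, False, False, True, True]
    for action in Action:
        prof = MonitorProfile("default", action)
        mon, chosen = run(prof, sample)
        print(action.value, "acts after", prof.detection_time(), "s")
        print("  events:", mon.events)
        print("  next hop per heartbeat:", chosen)
```

With the default profile the fifth lost heartbeat arrives 15 seconds after the last good one; under Fail Over the route flips to tunnel.2 at that point and returns to tunnel.1 once a heartbeat is answered, while under Wait Recover the next hop never changes even though the path is down. The same model makes the trade-off in the Interval and Threshold step concrete: interval=2, threshold=2 reacts in 4 seconds but also fails over on two lost pings.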
View the Status of the Tunnels
The status of the tunnel informs you about whether or not valid IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it cannot report a physical link status. Therefore, you must enable tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine whether the path is still usable. If the IP address is unreachable, the firewall either waits for the tunnel to recover or fails over, depending on the action in the monitoring profile. When a failover occurs, the existing tunnel is torn down and routing changes are triggered to set up a new tunnel and redirect traffic.
View Tunnel Status
Select Network > IPSec Tunnels.
View the Tunnel Status. Green indicates a valid IPSec SA tunnel. Red indicates that IPSec SA is not available or has expired.
View the IKE Gateway Status. Green indicates a valid IKE phase-1 SA. Red indicates that IKE phase-1 SA is not available or has expired.
View the Tunnel Interface Status. Green indicates that the tunnel interface is up. Red indicates that the tunnel interface is down, which happens only when tunnel monitoring is enabled and the monitor has declared the path down.
To troubleshoot a VPN tunnel that is not yet up, see Interpret VPN Error Messages.
Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel
You can enable, disable, refresh or restart an IKE gateway or VPN tunnel to make troubleshooting easier.
Enable or Disable an IKE Gateway or IPSec Tunnel
Enable or disable an IKE gateway. Select Network > Network Profiles > IKE Gateways and select the gateway you want to enable or disable. At the bottom of the screen, click Enable or Disable.
Enable or disable an IPSec tunnel. Select Network > IPSec Tunnels and select the tunnel you want to enable or disable. At the bottom of the screen, click Enable or Disable.
Refresh and Restart Behaviors
The refresh and restart behaviors for an IKE gateway and IPSec tunnel are as follows:
IKE Gateway (IKE Phase 1)
Refresh: Updates the onscreen statistics for the selected IKE gateway. Equivalent to issuing a second show command in the CLI (after an initial show command).
Restart: Restarts the selected IKE gateway. IKEv2: also restarts any associated child IPSec security associations (SAs). IKEv1: does not restart the associated IPSec SAs. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI (clear vpn ike-sa gateway <name>, test vpn ike-sa gateway <name>, show vpn ike-sa gateway <name>).

IPSec Tunnel (IKE Phase 2)
Refresh: Updates the onscreen statistics for the selected IPSec tunnel. Equivalent to issuing a second show command in the CLI (after an initial show command).
Restart: Restarts the IPSec tunnel. A restart is disruptive to all existing sessions. Equivalent to issuing a clear, test, show command sequence in the CLI (clear vpn ipsec-sa tunnel <name>, test vpn ipsec-sa tunnel <name>, show vpn ipsec-sa tunnel <name>).
Refresh or Restart an IKE Gateway or IPSec Tunnel
Restarting an IKEv2 gateway has a different result from restarting an IKEv1 gateway: an IKEv2 restart also restarts the child IPSec SAs, while an IKEv1 restart leaves them in place.
Refresh or restart an IKE gateway. Select Network > IPSec Tunnels and select the tunnel for the gateway you want to refresh or restart. In the row for that tunnel, under the Status column, click IKE Info. At the bottom of the IKE Info screen, click the action you want:
Refresh: updates the statistics on the screen.
Restart: clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.
Refresh or restart an IPSec tunnel. You might determine that the tunnel needs to be refreshed or restarted because the tunnel monitor reports the tunnel as down, or because an external network monitor reports a loss of connectivity through the IPSec tunnel. Select Network > IPSec Tunnels and select the tunnel you want to refresh or restart. In the row for that tunnel, under the Status column, click Tunnel Info. At the bottom of the Tunnel Info screen, click the action you want:
Refresh: updates the onscreen statistics.
Restart: clears the SAs, so traffic is dropped until the IKE negotiation starts over and the tunnel is recreated.