Focus

VPN Keep-Alives

Table of Contents

Filter

Expand All | Collapse All

Prisma SD-WAN Docs

Administration
Deployment
Incidents & Alerts
CloudBlades
Version
- AWS Transit Gateway
- Azure vWAN
- Azure vWAN with vION
- ChatBot for MS Teams
- ChatBot for Slack
- CloudBlades Integration with Prisma Access
- GCP NCC
- Service Now
- Zoom QSS
- Zscaler Internet Access
Reference
Release Notes
Version
- ION 5.2
- ION 5.3
- ION 5.4
- ION 5.5
- ION 5.6
- ION 6.0
- ION 6.1
- ION 6.2
- ION 6.3
- ION 6.4
- New Features Guide
- On-Premises Controller
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
- Prisma SD-WAN CloudBlades

Configure IP Directed Broadcast

Use External Services for Monitoring

VPN Keep-Alives

VPN keep-alive packets determine whether a given path is reachable for an Prisma SD-WAN. You can configure VPN Keep-Alives for circuit categories, circuits, and Secure Fabric Links.

Where Can I Use This?	What Do I Need?
Prisma SD-WAN	Active Prisma SD-WAN license

VPN keep-alive packets determine whether a given path is reachable for an ION device. VPN keep-alive packets are sent at a fixed interval on a VPN link. The VPN link is declared down, if the peer is unreachable after a certain number of attempts and a certain period of time.

The location of the ION device in a network topology plays an important role in configuring VPN keep-alives. For example, you need to configure a higher value of the keep-alive Interval between two ION devices behind routers as compared to the keep-alive Interval between two ION devices not behind routers.

VPN keep-alives are configured at the following levels:

Configure VPN Keep-Alives for Circuit Categories
Configure VPN Keep-Alives for Circuits
Configure VPN Keep-Alives for Secure Fabric Links

The order of precedence for VPN keep-alives is as follows:

VPN keep-alives configured at the secure fabric link level have the highest priority.
If VPN keep-alives are not configured at the secure fabric link level, then VPN keep-alives configured at the circuits level take effect.
If VPN keep-alives are not configured at both secure fabric link level and circuits level, then VPN keep-alives configured at the circuit categories level take effect.

If there is a mismatch in configuration between two VPN endpoints, then:

The keep-alive configuration with the larger keep-alive interval takes effect.
If keep-alive intervals are the same, then the configuration with the higher keep-alive failure count takes effect.

Configure VPN Keep-Alives for Circuit Categories

For metered links, where there is a cost for usage (such as LTE interfaces), VPN keep-alives can be adjusted to minimize the usage of the link and any costs associated with using the link. VPN keep-alives can also be modified for unreliable circuits that experience high latency and loss such as satellites.

Select Manage, Resources, and then select Circuit Categories.
Edit a circuit category and enter values for Keep-Alive Failure Count and Keep-Alive Interval.
- For Keep-Alive Failure Count, enter a value between 3 and 30.
  The Keep-Alive Failure Count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
- For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
  The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is1000 ms.
Select Use for Controller Connections and Use for Application Reachability Probes, as required for this selected circuit category.
Click Update.

Configure VPN Keep-Alives for Circuits

SelectWorkflowsSites/Data CentersSelect a SiteConfiguration.
Click Change Circuits for either Internet Circuits or Private WAN Circuits.
Click Edit below the circuit.
In VPN Configs, for Keep-Alive Fail Count, enter a value between 3 and 30.

The Keep-Alive Fail Count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
1. For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
  
  The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
2. Select the Override VPN Keep-Alive check box to use the VPN keep-alive values configured on the Circuit Information screen.
  
  When you select the Override VPN Keep-Alive check box, it implies that VPN keep-alive values configured for circuits are considered, and values configured for circuit categories are ignored.
For Controller Connections and Application Reachability Probes, select Yes, No, or Use Circuit Category Setting from the drop-down.
Click Done.

Configure VPN Keep-Alives for Secure Fabric Links

From Map, select a branch site and click Overlay Connections.
Select an overlay from either Branch-DC, or Branch-Branch.
On Secure Fabric Link screen, click the edit icon and select the Enable VPN Configs check box.
For Keep-Alive Failure Count, enter a value between 3 and 30.

The keep-alive failure count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.

The keep-alive interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
Click Save.

Configure IP Directed Broadcast

Use External Services for Monitoring

Prisma SD-WAN Docs

VPN Keep-Alives

Prisma SD-WAN Docs

VPN Keep-Alives

Configure VPN Keep-Alives for Circuit Categories

Configure VPN Keep-Alives for Circuits

Configure VPN Keep-Alives for Secure Fabric Links

Activation & Onboarding

SASE

Visibility & Monitoring

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

Prisma SD-WAN Integration

Prisma SD-WAN Experts Corner

Best Practices