
VPN Keep-Alives

VPN keep-alive packets determine whether a given path is reachable for Prisma SD-WAN. You can configure VPN keep-alives for circuit categories, circuits, and Secure Fabric Links.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Active Prisma SD-WAN license
VPN keep-alive packets determine whether a given path is reachable for an ION device. VPN keep-alive packets are sent at a fixed interval on a VPN link. The VPN link is declared down if the peer is unreachable after a certain number of attempts and a certain period of time.
The location of the ION device in a network topology plays an important role in configuring VPN keep-alives. For example, you need to configure a higher value of the keep-alive Interval between two ION devices behind routers as compared to the keep-alive Interval between two ION devices not behind routers.
VPN keep-alives are configured at the following levels:
  • Circuit categories
  • Circuits
  • Secure fabric links
The order of precedence for VPN keep-alives is as follows:
  • VPN keep-alives configured at the secure fabric link level have the highest priority.
  • If VPN keep-alives are not configured at the secure fabric link level, then VPN keep-alives configured at the circuits level take effect.
  • If VPN keep-alives are not configured at both secure fabric link level and circuits level, then VPN keep-alives configured at the circuit categories level take effect.
If there is a mismatch in configuration between two VPN endpoints, then:
  • The keep-alive configuration with the larger keep-alive interval takes effect.
  • If keep-alive intervals are the same, then the configuration with the higher keep-alive failure count takes effect.
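The precedence and mismatch rules above, modelled as an added example that is not Palo Alto Networks code. The names `KeepAlive`, `local_config`, `effective` and `approx_detection_ms` are hypothetical, the ranges and defaults are the ones stated on this page, and the estimate that a link is declared down after roughly failure count times interval is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Ranges and defaults as stated on this page.
COUNT_RANGE = (3, 30)
INTERVAL_RANGE_MS = (100, 600000)

@dataclass(frozen=True)
class KeepAlive:  # hypothetical model of one keep-alive setting
    failure_count: int = 3    # consecutive missed keep-alives before "down"
    interval_ms: int = 1000   # time between two keep-alive packets

    def __post_init__(self):
        if not COUNT_RANGE[0] <= self.failure_count <= COUNT_RANGE[1]:
            raise ValueError(f"failure count {self.failure_count} outside 3-30")
        if not INTERVAL_RANGE_MS[0] <= self.interval_ms <= INTERVAL_RANGE_MS[1]:
            raise ValueError(f"interval {self.interval_ms} ms outside 100-600000")

def local_config(category: KeepAlive,
                 circuit: Optional[KeepAlive] = None,
                 fabric_link: Optional[KeepAlive] = None) -> KeepAlive:
    """Precedence on one endpoint: secure fabric link, then circuit, then category.
    None means that level is not configured on this endpoint."""
    if fabric_link is not None:
        return fabric_link
    if circuit is not None:
        return circuit
    return category

def effective(a: KeepAlive, b: KeepAlive) -> KeepAlive:
    """Mismatch between endpoints: larger interval wins; on a tie, higher count."""
    return max(a, b, key=lambda k: (k.interval_ms, k.failure_count))

def approx_detection_ms(k: KeepAlive) -> int:
    """Assumption: time to declare the link down is about count x interval."""
    return k.failure_count * k.interval_ms

if __name__ == "__main__":
    # Constructed sample: a metered branch circuit tuned for low usage,
    # and a peer with a secure fabric link setting.
    branch = local_config(KeepAlive(), circuit=KeepAlive(5, 10000))
    peer = local_config(KeepAlive(), fabric_link=KeepAlive(10, 1000))
    eff = effective(branch, peer)
    print(eff, approx_detection_ms(eff), "ms")
```

In the constructed sample the branch's 10000 ms interval takes effect on both ends, so the peer's tighter 1000 ms setting does not shorten failure detection on that link.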

Configure VPN Keep-Alives for Circuit Categories

For metered links, where there is a cost for usage (such as LTE interfaces), VPN keep-alives can be adjusted to minimize the usage of the link and any costs associated with using the link. VPN keep-alives can also be modified for unreliable circuits that experience high latency and loss, such as satellite links.
  1. Select Manage, Resources, and then select Circuit Categories.
  2. Edit a circuit category and enter values for Keep-Alive Failure Count and Keep-Alive Interval.
    • For Keep-Alive Failure Count, enter a value between 3 and 30.
      The Keep-Alive Failure Count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
    • For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
      The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
  3. Select Use for Controller Connections and Use for Application Reachability Probes, as required for this selected circuit category.
  4. Click Update.

Configure VPN Keep-Alives for Circuits

  1. Select Workflows, Sites/Data Centers, select a site, and then select Configuration.
  2. Click Change Circuits for either Internet Circuits or Private WAN Circuits.
  3. Click Edit below the circuit.
  4. In VPN Configs, for Keep-Alive Fail Count, enter a value between 3 and 30.
    The Keep-Alive Fail Count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
    1. For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
      The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
    2. Select the Override VPN Keep-Alive check box to use the VPN keep-alive values configured on the Circuit Information screen.
      When you select the Override VPN Keep-Alive check box, the VPN keep-alive values configured for circuits are used, and the values configured for circuit categories are ignored.
  5. For Controller Connections and Application Reachability Probes, select Yes, No, or Use Circuit Category Setting from the drop-down.
  6. Click Done.

Configure VPN Keep-Alives for Secure Fabric Links

  1. From Map, select a branch site and click Overlay Connections.
  2. Select an overlay from either Branch-DC or Branch-Branch.
  3. On the Secure Fabric Link screen, click the edit icon and select the Enable VPN Configs check box.
  4. For Keep-Alive Failure Count, enter a value between 3 and 30.
    The keep-alive failure count indicates the number of consecutive missed keep-alive packets before a link is declared as down. The default value is 3.
  5. For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
    The keep-alive interval indicates the time interval in milliseconds between two VPN keep-alive packets. The default value is 1000 ms.
  6. Click Save.