SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Difference between "VPN Monitor" and "Dead Peer Detection"

    Posted 04-28-2012 08:37

    What is the difference between "VPN Monitor" and VPN "Dead Peer Detection"? 

     

    The minimum check interval in VPN Dead Peer Detection is 10 seconds, and we want to check at least twice before the tunnel is declared dead.  So this means at least (10 second interval x 2 tries) 20 seconds before an unresponsive tunnel is declared dead and OSPF changes the route (to a less desirable tunnel). 

     

    I'm looking for a way to more quickly determine when a VPN is declared "down" so OSPF can respond a lot more quickly to LEGITIMATE outages-- within a few seconds at most.  Problem is, if Dead Peer Detection is set to declare death after a single missed response, we risk needlessly flapping our tunnel routes every time a single "check for up" packet is lost.

     

    Is VPN Monitor a better choice?  If pings from VPN Monitor fail, will the tunnel be declared dead more quickly-- or does the system still wait for the Dead Peer Detection to trigger?

    Bottom line question-- what is the best practice for (a) discovering a dead tunnel more quickly than 10-20 seconds, (b) without needless false "dead" alarms that will trigger a route change?

     

    Advice, please.



  • 2.  RE: Difference between "VPN Monitor" and "Dead Peer Detection"

    Posted 04-29-2012 04:10

    Hi,

     

    please check below

     

    http://books.google.ae/books?id=qPBHeZL7fcUC&pg=PA269&lpg=PA269&dq=DPD+is+that+it+doesn%E2%80%99t+necessarily+mean+the+underlying+VPN+is+up+and+running&source=bl&ots=PUPQgq72HX&sig=lP2D5TyQ3Jr2kbwnIWdkNqsxvRQ&hl=ar&sa=X&ei=bSCdT7bXLMuJrAeehoh0&ved=0CB0Q6AEwAA#v=onepage&q=DPD%20is%20that%20it%20doesn%E2%80%99t%20necessarily%20mean%20the%20underlying%20VPN%20is%20up%20and%20running&f=false

     

     

    One issue with DPD is that it doesn’t necessarily mean the underlying VPN is up and running, just
    that the peer is up and responding. VPN monitoring is not an IPsec standard feature, but it utilizes
    Internet Control Message Protocol (ICMP) to determine if the VPN is up. VPN monitoring allows
    the SRX to send ICMP traffic either to the peer gateway, or to another destination on the other end
    of the tunnel (such as a server), along with specifying the source IP address of the ICMP traffic. If
    the ICMP traffic fails, the VPN is considered down.

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP




  • 3.  RE: Difference between "VPN Monitor" and "Dead Peer Detection"

    Posted 06-22-2013 09:12

    Use the following link if you want more info on Dead Peer Detection (DPD) behavior on SRX:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21652

     

    and if you run into some of the limitations, use the following link to configure VPN monitoring:

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10119&smlogin=true

     



  • 4.  RE: Difference between "VPN Monitor" and "Dead Peer Detection"

    Posted 06-22-2013 13:04

    In addition to what the others have said, 

    VPN monitoring is Juniper proprietary and it works only with ScreenOS and Juniper devices; works on top of Phase 2 SA; it guarantees the data path. There are many settings you can specify, such as: optimized, interval, threshold etc. Interval range is 1-3600 seconds.
    DPD on the other hand works on top of Phase 1 and is a standard which allows inter-operability with other vendors. Interval range is 10-60 seconds.

    The options that you choose will depend on the devices you are peering with and the additional options available for each scenario.



  • 5.  RE: Difference between "VPN Monitor" and "Dead Peer Detection"

    Posted 06-24-2013 07:37

    @lyndidon wrote:

     

    VPN monitoring is Juniper propriety and it works only with ScreenOS and Juniper devices


    This is not correct - it's simply a ping across the tunnel, so any device on the far side that will respond to pings can be used as the destination IP. One caveat is to make sure that whatever you use as your source is within any relevant proxy-ID pairs, if applicable.
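Worked example, added here and not part of the thread or of Juniper's code: a small Python model of the trade-off posts 1 and 4 describe (worst-case detection time = interval x threshold, versus the chance that a run of lost probes falsely declares the tunnel dead) across the interval ranges post 4 gives, with post 5's proxy-ID check and the resulting Junos `set` statements. Assumptions: probe losses are independent with a constructed 1% loss rate; the gateway, VPN and interface names and the addresses are placeholders; and the `dead-peer-detection` and `vpn-monitor` statement names come from the Junos SRX configuration hierarchy as I know it, not from this thread.

```python
import ipaddress
from dataclasses import dataclass

# Interval ranges as stated in post 4 of this thread (seconds).
INTERVAL_RANGE = {"dpd": (10, 60), "vpn-monitor": (1, 3600)}


@dataclass(frozen=True)
class Plan:
    mechanism: str
    interval: int              # seconds between probes
    threshold: int             # consecutive misses before the tunnel is declared dead
    detect_seconds: int        # worst-case time to notice a real outage
    false_dead_per_day: float  # expected spurious "dead" declarations per day (upper bound)


def is_valid_interval(mechanism: str, interval: int) -> bool:
    """True if `interval` is inside the range the thread gives for the mechanism."""
    lo, hi = INTERVAL_RANGE[mechanism]
    return lo <= interval <= hi


def evaluate(mechanism: str, interval: int, threshold: int, loss_rate: float) -> Plan:
    """Score one (interval, threshold) setting.

    Model (an assumption, not from the thread): each probe is lost independently with
    probability `loss_rate`, and the tunnel is declared dead after `threshold`
    consecutive misses.  The false-alarm figure is an upper bound: every probe is
    counted as a possible start of a run of `threshold` misses, overlaps ignored.
    """
    if not is_valid_interval(mechanism, interval):
        raise ValueError(f"{mechanism} interval must be in {INTERVAL_RANGE[mechanism]}")
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    probes_per_day = 86400 / interval
    return Plan(
        mechanism=mechanism,
        interval=interval,
        threshold=threshold,
        detect_seconds=interval * threshold,
        false_dead_per_day=probes_per_day * loss_rate ** threshold,
    )


def proxy_id_ok(source_ip: str, destination_ip: str,
                local_prefix: str, remote_prefix: str) -> bool:
    """Post 5's caveat: the monitor source and destination must fall inside the
    proxy-ID pair, or the probe will not be matched into the tunnel."""
    return (ipaddress.ip_address(source_ip) in ipaddress.ip_network(local_prefix)
            and ipaddress.ip_address(destination_ip) in ipaddress.ip_network(remote_prefix))


def junos_set_lines(plan: Plan, gateway: str, vpn: str,
                    source_interface: str, destination_ip: str) -> list:
    """Render the chosen setting as Junos `set` commands.  Statement names follow
    the SRX security hierarchy as I know it; all object names are placeholders."""
    if plan.mechanism == "dpd":
        return [
            f"set security ike gateway {gateway} dead-peer-detection interval {plan.interval}",
            f"set security ike gateway {gateway} dead-peer-detection threshold {plan.threshold}",
        ]
    return [
        f"set security ipsec vpn-monitor-options interval {plan.interval}",
        f"set security ipsec vpn-monitor-options threshold {plan.threshold}",
        f"set security ipsec vpn {vpn} vpn-monitor source-interface {source_interface}",
        f"set security ipsec vpn {vpn} vpn-monitor destination-ip {destination_ip}",
    ]


if __name__ == "__main__":
    loss = 0.01  # constructed: 1% probe loss on the underlay path
    candidates = [("dpd", 10, 1), ("dpd", 10, 2), ("vpn-monitor", 1, 3), ("vpn-monitor", 2, 3)]
    for mech, i, t in candidates:
        p = evaluate(mech, i, t, loss)
        print(f"{mech:12s} interval={i:3d}s threshold={t}  detect<={p.detect_seconds:3d}s  "
              f"false-dead/day<={p.false_dead_per_day:.3f}")
    fast = evaluate("vpn-monitor", 1, 3, loss)
    # Placeholder addresses/prefixes: check post 5's proxy-ID caveat before emitting config.
    if proxy_id_ok("10.0.0.1", "10.1.1.10", "10.0.0.0/24", "10.1.1.0/24"):
        print("\n".join(junos_set_lines(fast, "GW-REMOTE", "VPN-REMOTE", "st0.0", "10.1.1.10")))
```

Running it shows the point of post 1 in numbers: DPD at 10 s with threshold 1 detects a dead peer in 10 s but, at 1% probe loss, would flap the route dozens of times a day, while VPN monitor at 1 s with threshold 3 detects in 3 s with a false alarm well under once a day. The `vpn-monitor-options` statement is global in this hierarchy, so the interval and threshold apply to every monitored VPN on the box.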