09-15-2008 02:54 PM
I have a route based VPN between a SSG520 and a supplier. Every 90 seconds the VPN goes down and then comes back up again.
I have VPN Monitor, Optimised and Rekey all enabled for this VPN. If I turn these off then the VPN doesnt establish at all. - I suspect this is because the tunnel interface is down so rather than routing via the tunnel it simply sends the traffic out the default route.
Has anyone else had this problem? and are there any tricks I can do to either have the VPN only come up when needed, or have it stay up for longer than 90 seconds each time?
The SSG520 is running 6.0.0r6.0. A route based VPN has been used because I have to use a MIP to hide a machine on our side behind a public IP, which I couldnt get going under a policy based VPN.
Solved! Go to Solution.
09-15-2008 03:20 PM
ok... done a bit more research. The issue is that the only IP which can communicate down the tunnel is the MIPed IP, so the VPN monitor is unable to verify the tunnel is up and rekeys the tunnel every 90 secs.
As I dont want a log full of critical errors I need to find some other way to make the tunnel come up when sessions start rather than using the VPN monitor to keep it up.
Is that a feature of Route Based VPNs that if the tunnel interface goes down then traffic wont try to route out the VPN and bring the VPN back up?
09-15-2008 03:36 PM - edited 09-15-2008 03:37 PM
Turn VPN monitoring off. When monitoring is off the traffic is only brought up when traffic tries to go down the tunnel. The tunnel interface shouldnt be in a down state it should be in a ready state when you dont use VPN monitor. This allows traffic to be passed to the tunnel interface to bring up the tunnel.
Do you see the tunnel interface in a ready state??
Do you see the route for the tunnel interface active in the routing table?