You can configure one or more VPN Link Monitors to monitor VPN connections using pings. When consecutive ping failures indicate that the network path has failed, the VPN Link Monitor restarts the VPN tunnel to try to recover the connection.
The path being tested runs from the selected source address (by default, the LAN segment's local IP address) to the ping target. Depending on the tunnel setup and the target address, that path may lie inside or outside the tunnel. For example, with a full tunnel, a target of 8.8.8.8 is reached through the tunnel, so the monitor tests the tunnel; with a split tunnel, a target outside the remote subnets is reached directly, so the monitor only tests the WAN link itself, not the IPsec security association. Choose a target inside the remote subnets if the intent is to verify the tunnel.
The VPN Link Monitor applies to IPsec tunnels in Client mode only.
To configure a VPN Link Monitor:
Once you have configured one or more VPN Link Monitors, you can reference them in an IPsec Tunnel configuration under VPN LINK MONITORS to define the tunnel's failover behavior. When several VPN Link Monitors are applied to one IPsec tunnel, the first monitor to declare a failure triggers the tunnel restart; the others do not need to agree.
These are the settings you’ll find in the Create VPN Link Monitor screen.
SETTING | DESCRIPTION | DEFAULT SETTING | RANGE |
---|---|---|---|
NAME | Descriptive name for the Link Monitor. | n/a | n/a |
USER DEFINED SOURCE | Enable to enter an IPv4 or IPv6 source address for outgoing pings. When USER DEFINED SOURCE is disabled, the source is chosen by AUTOMATIC PING SOURCE (see below). An IPsec tunnel is normally configured to carry traffic from its local subnets to its remote subnets, so a ping sent as if from a local subnet to a remote subnet matches the tunnel's traffic selectors and validates the IPsec security association. With AUTOMATIC PING SOURCE set to LAN Segments, a target inside the remote subnets is pinged from the first local subnet defined for the VPN. Enable USER DEFINED SOURCE to override that default, for example to validate a second local subnet that is also carried by the tunnel. | Disabled | Disabled, Enabled |
AUTOMATIC PING SOURCE | When USER DEFINED SOURCE is disabled, selects the source for outgoing pings: the address of the outgoing interface, or the first local LAN segment defined for the VPN. | Uses outgoing interface | Uses outgoing interface, LAN Segments |
USER PING SOURCE | When USER DEFINED SOURCE is enabled, enter the IPv4 or IPv6 address from which Link Monitor pings will be sent. | n/a | IPv4 or IPv6 address |
PING TARGETS | Enter the host IPv4 or IPv6 address that Link Monitor pings are sent to. | n/a | IPv4 or IPv6 address |
INTERVAL (SECONDS) | Sets how often pings are sent. You can also enable SMART PING to set an IDLE THRESHOLD below which pings are sent. | 60 seconds | 1 to 300 seconds |
TIMEOUT (SECONDS) | Sets how long the Link Monitor waits for a response to each ping. If no response arrives within the timeout, the ping counts as a failure and the consecutive-failure count (compared against MAX FAILURES) increases. | 3 seconds | 1 to 10 seconds |
MAX FAILURES | Sets the number of consecutive ping failures after which the Link Monitor declares the tunnel disconnected and restarts it; a successful ping resets the count. With the defaults (60-second interval, 3 failures) a dead path is declared roughly two to three minutes after the last successful ping, so lower the INTERVAL or MAX FAILURES if faster recovery matters more than probe traffic. | 3 | 2 to 10 |
PAYLOAD | Sets the size (in bytes) of each ping's payload. If the VPN tunnel has MTU problems, the payload can be adjusted: a small payload keeps the probe itself from fragmenting, while a larger one can be used deliberately to detect a path that only passes small packets. | 20 bytes | 10 to 1200 bytes |
SMART PING | By default, pings are sent every INTERVAL. Enable SMART PING to enter an IDLE THRESHOLD that controls when pings are sent: internal IPsec traffic statistics are evaluated first, and a ping is sent only when the tunnel appears idle (traffic below the threshold). Smart pings reduce the ICMP traffic sent over the WAN link and the load on the VPN server. The trade-off is that tunnel traffic only shows the security association is passing bytes, not that the specific path to the ping target works; if data costs and overhead are not a concern, leave SMART PING disabled to validate the network path more accurately. | Disabled | Disabled, Enabled |
IDLE THRESHOLD (KB) | Enter an IDLE THRESHOLD. Pings will only be sent when VPN traffic falls below this threshold. | 100 KB | 10 to 1024 KB |
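The following is an added example, not Cradlepoint's code or configuration format: a small Python model of the rules described on this page, so a configuration can be reasoned about offline before it is applied. It covers the settings table (ranges, defaults, consecutive-failure counting against MAX FAILURES, SMART PING suppression below IDLE THRESHOLD), the in-tunnel versus outside-tunnel distinction for a ping target, and the rule that the first of several monitors to declare failure restarts the tunnel. All function and class names are ours, the sample subnets and addresses are constructed, and the detection-time estimate assumes pings leave on a fixed INTERVAL clock.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Allowed ranges taken from the settings table above.
RANGES = {
    "interval": (1, 300),
    "timeout": (1, 10),
    "max_failures": (2, 10),
    "payload": (10, 1200),
    "idle_threshold_kb": (10, 1024),
}


def out_of_range(**settings):
    """Describe every supplied setting that falls outside its documented range."""
    return [f"{k}={v} outside {RANGES[k][0]}..{RANGES[k][1]}"
            for k, v in settings.items() if not RANGES[k][0] <= v <= RANGES[k][1]]


@dataclass
class LinkMonitor:
    """One VPN Link Monitor with the table's defaults; the counters model its runtime state."""
    name: str
    ping_targets: list
    interval: int = 60            # INTERVAL (SECONDS)
    timeout: int = 3              # TIMEOUT (SECONDS)
    max_failures: int = 3         # MAX FAILURES
    payload: int = 20             # PAYLOAD (bytes)
    smart_ping: bool = False      # SMART PING
    idle_threshold_kb: int = 100  # IDLE THRESHOLD (KB)
    failures: int = field(default=0, init=False)  # consecutive failed pings
    restarts: int = field(default=0, init=False)  # tunnel restarts triggered

    def __post_init__(self):
        problems = out_of_range(interval=self.interval, timeout=self.timeout,
                                max_failures=self.max_failures, payload=self.payload,
                                idle_threshold_kb=self.idle_threshold_kb)
        if problems:
            raise ValueError("; ".join(problems))

    def worst_case_detection_seconds(self):
        # Model assumption: probes go out on a fixed INTERVAL clock, the path dies
        # just after a successful probe, and the tunnel is declared down when the
        # MAX FAILURES-th probe times out.  Defaults give 3*60 + 3 = 183 seconds.
        return self.max_failures * self.interval + self.timeout

    def should_ping(self, tunnel_kb_since_last_tick):
        # SMART PING suppresses the probe while tunnel traffic stays at or above
        # IDLE THRESHOLD; without it a probe goes out every INTERVAL.
        if not self.smart_ping:
            return True
        return tunnel_kb_since_last_tick < self.idle_threshold_kb

    def tick(self, tunnel_kb, ping_ok):
        """Advance one INTERVAL. Returns 'skipped', 'ok', 'fail' or 'restart'."""
        if not self.should_ping(tunnel_kb):
            return "skipped"  # counter left untouched; the page does not say it resets
        if ping_ok:
            self.failures = 0  # only consecutive failures count
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.restarts += 1
            return "restart"
        return "fail"


def tunnel_tick(monitors, observations):
    """Several monitors on one tunnel: the first to declare failure restarts it."""
    for mon, (tunnel_kb, ping_ok) in zip(monitors, observations):
        if mon.tick(tunnel_kb, ping_ok) == "restart":
            for other in monitors:
                other.failures = 0  # assumption: a restart clears every monitor's count
            return mon.name
    return None


def ping_path(target, remote_subnets):
    """'tunnel' if the target lies inside a remote subnet of the IPsec tunnel, else 'wan'."""
    addr = ip_address(target)
    return "tunnel" if any(addr in ip_network(n) for n in remote_subnets) else "wan"


def automatic_ping_source_subnet(local_subnets):
    """AUTOMATIC PING SOURCE = LAN Segments probes from the first local subnet defined."""
    return local_subnets[0]


if __name__ == "__main__":
    mon = LinkMonitor("to-hq", ["10.20.0.1"])  # constructed sample configuration
    print(mon.worst_case_detection_seconds())  # 183 with the defaults
    for ok in (True, False, False, False):
        print(mon.tick(0, ok))                 # ok, fail, fail, restart
    print(ping_path("10.20.0.1", ["10.20.0.0/24"]), ping_path("8.8.8.8", ["10.20.0.0/24"]))
```

Run the module directly to see the default monitor declare a restart on the third consecutive failure, and compare `ping_path` results for a target inside the remote subnet versus a public address to confirm which link a monitor will actually exercise in a split-tunnel setup.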