Juniper – configure optimized VPN Monitor

Juniper Networks – How do you enable the optimized feature of VPN Monitor on a J Series or SRX Series device, and what does it do? – Knowledge Base.

 

 

Configuring the Source Interface and Destination IP options of VPN Monitor on J-Series and SRX devices

 


Summary:

VPN Monitor is down. The remote VPN device may be blocking ICMP echo requests, or it may be a third-party product that does not respond to ICMP echo requests.

Problem or Goal:

VPN is in the Active/Down state because the VPN Monitor is down. Some possible reasons for the VPN Monitor down condition are:

  • Remote VPN connection is configured to block ICMP echo requests
  • Remote VPN connection is a third-party product that does not respond to ICMP echo requests

When VPN Monitor is enabled and a source interface is not chosen, the Firewall device uses the outgoing interface as the default.

When VPN Monitor is enabled and a destination IP address is not specified, the Firewall device uses the IP address for the remote gateway.

Solution:

Configure VPN Monitor to use the Source interface and Destination IP options.

From J-Web:

  • Navigate to Configuration > IPSec VPN > Auto Tunnel > Phase II > Autokey
  • If you have already configured a VPN and want to enable VPN Monitor, click Edit; otherwise, click Add.
  • The VPN Monitor settings are under the IPSec VPN Options tab.
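
The same settings from the Junos CLI, as an added example that is not part of the original Knowledge Base article. The VPN name `vpn-to-peer`, the interface `ge-0/0/1.0`, the address `198.51.100.10` and the timer values are placeholder assumptions; substitute your own.

```junos
# Added example: vpn-to-peer, ge-0/0/1.0 and 198.51.100.10 are placeholders.
# Enter these in configuration mode.

# Source the ICMP echo requests from a chosen interface instead of the
# default (the outgoing interface).
set security ipsec vpn vpn-to-peer vpn-monitor source-interface ge-0/0/1.0

# Send the echo requests to a host that answers ICMP echo, instead of the
# default (the remote gateway address), which may block or ignore them.
set security ipsec vpn vpn-to-peer vpn-monitor destination-ip 198.51.100.10

# Optional: the optimized feature named in the article title. With it set,
# echo requests are sent only when traffic is leaving through the tunnel
# and nothing is coming back from the peer.
set security ipsec vpn vpn-to-peer vpn-monitor optimized

# Optional global timers (sample values): seconds between echo requests and
# the number of consecutive misses before the VPN is marked down.
set security ipsec vpn-monitor-options interval 10 threshold 10

commit

# Check from operational mode; the Mon column shows U (up), D (down) or
# "-" (monitoring not enabled) for each security association:
#   show security ipsec security-associations
```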
