Understanding Heartbeat Messages

When server-member communication is configured, the server sends heartbeat messages to members at specified intervals (the default interval is 300 seconds). The heartbeat mechanism allows members to reregister with the server if the specified number of heartbeats is not received. For example, members will not receive heartbeat messages during a server reboot. When the server has rebooted, members reregister with the server.

Heartbeats are transmitted through groupkey-push messages. The sequence number is incremented on each heartbeat message, which protects members from reply attacks. Unlike rekey messages, heartbeat messages are not acknowledged by recipients and are not retransmitted by the server.

Heartbeat messages contain the following information:

• Current state and configuration of the keys on the server
• Relative time, if antireplay is enabled

By comparing the information in the heartbeats, a member can detect whether it has missed server information or rekey messages. The member reregisters to synchronize itself with the server.

Note: Heartbeat messages can increase network congestion and cause unnecessary member reregistrations. Thus, heartbeat detection can be disabled on the member if necessary.

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Group VPN Configuration Overview
• Understanding Server-Member Communication
• Understanding the GDOI Protocol
• Understanding Group Servers and Members