vpn-monitor

Syntax

Hierarchy Level

Description

Configure settings for VPN monitoring.

Options

destination-ip

Specify the destination of the Internet Control Message Protocol (ICMP) pings. If this statement is not used, the device sends the pings to the peer's gateway address by default.

optimized

Enables VPN monitoring optimization for the specific VPN tunnel.

When the administrator enables VPN monitoring optimization, the SRX Series Firewall sends ICMP echo requests (pings) only when there is outgoing traffic through the VPN tunnel and no incoming traffic from the configured peer. If there is incoming traffic through the VPN tunnel, the SRX Series Firewall considers the tunnel to be active and does not send pings to the peer.

VPN monitoring optimization saves resources on the SRX Series Firewall because ICMP echo requests are sent only when they are needed to determine peer liveness. It also prevents unnecessary ICMP echo requests from activating costly backup links that would otherwise not be used.

  • Default: Disabled.

    If the administrator does not configure the option explicitly, the firewall sends a VPN monitoring packet at every configured interval by default; this behavior is also known as always-send. For more details, see Understanding VPN Monitoring.

source-interface

Specify the source interface for ICMP requests (VPN monitoring “hellos”). If no source interface is specified, the device automatically uses the local tunnel endpoint interface.

verify-path

Verify the IPsec datapath before the secure tunnel (st0) interface is activated and the route(s) associated with the interface are installed in the Junos OS forwarding table. This prevents traffic from being routed into a tunnel whose datapath does not yet work end to end.

  • destination-ip ip-address—Original, untranslated IP address of the peer tunnel endpoint that is behind a NAT device. This IP address must not be the NAT-translated IP address. This option is required if the peer tunnel endpoint is behind a NAT device. The verify-path ICMP request is sent to this IP address so that the peer can generate an ICMP response.

  • packet-size bytes—(Optional) The size of the packet that is used to verify the IPsec datapath before the st0 interface is brought up. The packet size must be lower than the path maximum transmission unit (PMTU) minus the tunnel overhead, because the packet used for IPsec datapath verification must not be fragmented. The range is 64 to 1350 bytes; the default is 64 bytes.
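The following configuration is an added illustration, not an excerpt from the Juniper documentation, that places the options described above in their hierarchy for a route-based VPN whose peer sits behind a NAT device. The VPN name, IKE gateway and IPsec policy names, interface names, addresses, timer values and packet size are all assumed; replace them with your own.

```junos
security {
    ipsec {
        /* Global monitoring timers referred to as the "configured interval" above (assumed values). */
        vpn-monitor-options {
            interval 10;
            threshold 5;
        }
        vpn hub-to-branch1 {
            bind-interface st0.0;
            ike {
                gateway branch1-gw;
                ipsec-policy standard-ipsec-policy;
            }
            vpn-monitor {
                /* Ping only when traffic leaves the tunnel and nothing returns; omit for always-send. */
                optimized;
                /* Source address for the hellos (assumed LAN-side interface); default is the tunnel endpoint. */
                source-interface ge-0/0/0.0;
                /* Host behind the peer that answers the hellos; omit to ping the peer gateway address. */
                destination-ip 10.20.0.1;
                /* Datapath check before st0.0 and its routes go live. destination-ip is the peer's
                   original, untranslated endpoint address (it is behind NAT), never the translated one.
                   packet-size stays below the PMTU minus tunnel overhead so the probe is not fragmented. */
                verify-path {
                    destination-ip 192.168.30.1;
                    packet-size 1300;
                }
            }
            establish-tunnels immediately;
        }
    }
}
```

After committing, `show security ipsec security-associations detail` for the tunnel reports the VPN monitoring state alongside the SA; if the peer is behind NAT and verify-path destination-ip was set to the NAT-translated address instead of the original one, the verification pings are never answered and st0.0 stays down.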

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5.

Support for verify-path keyword and destination-ip added in Junos OS Release 15.1X49-D70.

Support for packet-size option added in Junos OS Release 15.1X49-D120.

Support for the vpn-monitor and verify-path options with IPsec VPNs running the iked process was introduced in Junos OS Release 23.4R1.