IPsec Tunnel Configurations to Avoid Failures

Article ID: 174107

Products

Web Security Service - WSS

Issue/Introduction

The IPsec tunnel from the Firewall/VPN device to the Web Security Service (WSS) data center either does not pass traffic, or goes down and is not reestablished (it may stay connected for a time, but it keeps disconnecting).

Cause

There are many potential causes for an IPsec tunnel to go down, and they may not be directly related to WSS. Common causes of IPsec tunnel disconnects include, but are not limited to:

  • Dead Peer Detection (DPD) is not enabled.
    • No tunnel monitoring method is in place.
  • Phase 1 and phase 2 timeout values (lifetimes) are set too high.
  • Phase 2 timeout value is set higher than that of phase 1.
  • Traffic to the WSS data center over TCP ports 80 and/or 443 is getting blocked.
  • Traffic over UDP ports 500 and 4500 is not being allowed.
  • DPD from WSS data center over port 500 is getting blocked (potentially by an application).
  • More than one IPsec tunnel has been created with the same egress IP, each one pointing to a different data center.

Resolution

Follow these steps to better optimize your environment for a seamless experience with WSS.

  1. Ensure that TCP ports 80 and 443 are open for traffic to WSS data center IP address(es).
  2. Ensure that UDP ports 500 (for phase 1 negotiation and DPD) and 4500 (for phase 2 negotiation) are open.
  3. Ensure that the phase 1 lifetime is set to 24 hours. The phase 1 lifetime must be greater than that of phase 2.
  4. Ensure that the phase 2 lifetime is set to 4 hours (IKEv1). A phase 2 lifetime much higher than this can be problematic.
  5. Ensure that DPD is enabled (recommended interval of 10 seconds) to monitor phase 1.
    • DPD keeps the tunnel to a specific data center active by allowing seamless transition to different data pods in that data center in accordance with load balancing. It is also used to fail over to a backup IPsec tunnel to a different data center, if such a tunnel is configured in the portal and on the firewall/router.
    • It is also recommended to implement a tunnel monitor, such as Keepalive, IP SLA, or VPN Monitor to make sure traffic goes through the tunnel.
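
The checks in steps 1 to 5 and the shared-egress-IP cause listed above can be run as a lint over an exported tunnel inventory. This is an added example, not Broadcom/WSS code; the dictionary field names, IP addresses and data center names are constructed for illustration.

```python
# Added example: field names and sample values are constructed assumptions.
from collections import defaultdict

P1_S, P2_S, DPD_S = 24 * 3600, 4 * 3600, 10   # 24 h, 4 h (IKEv1), 10 s
REQUIRED = {"udp": {500, 4500}, "tcp": {80, 443}}

def lint_tunnel(t):
    """Return findings for one tunnel definition (a dict)."""
    out = []
    if t["phase2_lifetime_s"] >= t["phase1_lifetime_s"]:
        out.append("phase 2 lifetime is not lower than phase 1")
    if t["phase1_lifetime_s"] != P1_S:
        out.append("phase 1 lifetime is not 24 hours")
    if t["phase2_lifetime_s"] != P2_S:
        out.append("phase 2 lifetime is not 4 hours")
    if not t.get("dpd_enabled"):
        out.append("DPD is disabled")
    elif t.get("dpd_interval_s") != DPD_S:
        out.append("DPD interval is not 10 seconds")
    if not t.get("tunnel_monitor"):
        out.append("no tunnel monitor configured")
    for proto, ports in REQUIRED.items():
        missing = ports - set(t.get("allowed_" + proto, ()))
        if missing:
            out.append(f"{proto.upper()} ports not allowed: {sorted(missing)}")
    return out

def lint_inventory(tunnels):
    """Lint each tunnel, then flag an egress IP used toward several data centers."""
    report = {t["name"]: lint_tunnel(t) for t in tunnels}
    targets = defaultdict(set)
    for t in tunnels:
        targets[t["egress_ip"]].add(t["datacenter"])
    for t in tunnels:
        if len(targets[t["egress_ip"]]) > 1:
            report[t["name"]].append("egress IP also used for another data center")
    return report

# Constructed inventory: documentation-range IP, hypothetical data center names.
GOOD = dict(name="primary", egress_ip="198.51.100.10", datacenter="dc-a",
            phase1_lifetime_s=86400, phase2_lifetime_s=14400, dpd_enabled=True,
            dpd_interval_s=10, tunnel_monitor="ip-sla",
            allowed_udp=[500, 4500], allowed_tcp=[80, 443])
BAD = dict(GOOD, name="legacy", datacenter="dc-b", phase1_lifetime_s=28800,
           phase2_lifetime_s=86400, dpd_enabled=False, allowed_udp=[500])

if __name__ == "__main__":
    for name, findings in lint_inventory([GOOD, BAD]).items():
        print(name, findings or "OK")
```
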

For further information on IPsec tunnel requirements, see Connectivity: VPN Pre-Shared Key with Static IP.

NOTE: These steps are necessary for a typical environment to be optimized for a seamless experience with WSS, but they do not encompass the needs of every environment.

To address further issues, see the links to articles below: