Site to site VPN tunnel state up and down



Our site-to-site VPN tunnels kept going up and down. From the VPN log, I saw 'AWS tunnel is deleting IKE_SA between <one of the VPN tunnel IP addresses> and <customer gateway>'. Below are some settings I used:

phase 1 lifetime: 28,800 seconds
phase 2 lifetime: 3,600 seconds
rekey margin time: 270 seconds
DPD timeout: 30 seconds
DPD action: clear
startup action: add

What setting(s) can I adjust to keep both tunnels up 100% of the time?

Thanks, PH

asked 24 days ago · 111 views
1 Answer
Accepted Answer

When dealing with site-to-site VPN tunnels that keep going up and down, it is often due to configuration settings related to the negotiation of security associations and the detection of peer availability. Based on the settings you provided and common best practices, here are some adjustments you can make to improve the stability of your VPN tunnels:

1. Increase Phase 1 and Phase 2 Lifetime:

Phase 1 Lifetime (IKE): Currently set to 28,800 seconds (8 hours). Increase this to a longer duration such as 86,400 seconds (24 hours) to reduce the frequency of IKE rekeying.

Phase 2 Lifetime (IPsec): Currently set to 3,600 seconds (1 hour). Increase this to a longer duration such as 14,400 seconds (4 hours) to reduce the frequency of IPsec rekeying.

2. Adjust Rekey Margin Time:

Rekey Margin Time: Currently set to 270 seconds (4.5 minutes). Increase this to a longer duration such as 900 seconds (15 minutes). This gives more time for rekeying negotiations to complete before the current security association expires.

3. Adjust Dead Peer Detection (DPD) Settings:

DPD Timeout: Currently set to 30 seconds. Increase this to a longer duration, such as 60 seconds or 120 seconds. This allows more time for detecting inactive peers before taking action.

DPD Action: The "clear" action is used to clear IKE and IPsec Security Associations (SAs) if a peer is unreachable. Ensure that this action is suitable for your network requirements. If "clear" is causing frequent tunnel resets, you might consider using "restart" or "hold" depending on your network's behavior and needs.

Recommended Settings

Phase 1 Lifetime: 86,400 seconds (24 hours)
Phase 2 Lifetime: 14,400 seconds (4 hours)
Rekey Margin Time: 900 seconds (15 minutes)
DPD Timeout: 60-120 seconds
DPD Action: clear (or consider "restart" or "hold" if "clear" is problematic)

Hope this is helpful.

answered 24 days ago
reviewed 4 days ago
  • Thanks for the answer. After I increased the DPD interval from 10 seconds to 30 seconds on the office router, the connections are more stable now. But I didn't change the settings on the AWS side.
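Before applying new tunnel values, it is worth checking them against the ranges AWS documents for Site-to-Site VPN tunnel options: phase 1 lifetime 900-28,800 s, phase 2 lifetime 900-3,600 s, rekey margin between 60 s and half the phase 2 lifetime, DPD timeout 30 s or more, DPD timeout action one of clear/none/restart, startup action add or start. The script below is an added example, not code from the thread or from AWS: it validates a proposed option set against those ranges and builds the `aws ec2 modify-vpn-tunnel-options` call for one tunnel. The VPN connection ID and tunnel outside IP address in the usage lines are placeholders.

```python
"""Check proposed AWS Site-to-Site VPN tunnel options before applying them.

Ranges are the ones AWS documents for tunnel options. The connection ID and
tunnel address in the usage section are constructed placeholders.
"""
from dataclasses import dataclass

# Ranges AWS accepts for Site-to-Site VPN tunnel options (seconds unless noted).
PHASE1_LIFETIME_RANGE = (900, 28_800)   # AWS default 28,800
PHASE2_LIFETIME_RANGE = (900, 3_600)    # AWS default 3,600
REKEY_MARGIN_MIN = 60                   # upper bound is half the phase 2 lifetime
DPD_TIMEOUT_MIN = 30                    # AWS default 30
DPD_ACTIONS = {"clear", "none", "restart"}
STARTUP_ACTIONS = {"add", "start"}


@dataclass
class TunnelOptions:
    phase1_lifetime: int = 28_800
    phase2_lifetime: int = 3_600
    rekey_margin: int = 270
    dpd_timeout: int = 30
    dpd_action: str = "clear"
    startup_action: str = "add"


def validate(opts: TunnelOptions) -> list:
    """Return the values AWS would reject; an empty list means everything is in range."""
    problems = []
    lo, hi = PHASE1_LIFETIME_RANGE
    if not lo <= opts.phase1_lifetime <= hi:
        problems.append(f"phase 1 lifetime {opts.phase1_lifetime}s is outside {lo}-{hi}s")
    lo, hi = PHASE2_LIFETIME_RANGE
    if not lo <= opts.phase2_lifetime <= hi:
        problems.append(f"phase 2 lifetime {opts.phase2_lifetime}s is outside {lo}-{hi}s")
    # Rekeying must start at least REKEY_MARGIN_MIN before the child SA expires,
    # but no earlier than halfway through its lifetime.
    margin_max = opts.phase2_lifetime // 2
    if not REKEY_MARGIN_MIN <= opts.rekey_margin <= margin_max:
        problems.append(
            f"rekey margin {opts.rekey_margin}s must be {REKEY_MARGIN_MIN}-{margin_max}s")
    if opts.dpd_timeout < DPD_TIMEOUT_MIN:
        problems.append(f"DPD timeout {opts.dpd_timeout}s is below {DPD_TIMEOUT_MIN}s")
    if opts.dpd_action not in DPD_ACTIONS:
        problems.append(f"DPD action {opts.dpd_action!r} not in {sorted(DPD_ACTIONS)}")
    if opts.startup_action not in STARTUP_ACTIONS:
        problems.append(f"startup action {opts.startup_action!r} not in {sorted(STARTUP_ACTIONS)}")
    return problems


def modify_command(vpn_connection_id: str, tunnel_outside_ip: str, opts: TunnelOptions) -> str:
    """Build the AWS CLI call that applies opts to one tunnel; raise if any value is out of range."""
    problems = validate(opts)
    if problems:
        raise ValueError("; ".join(problems))
    # Shorthand syntax for the --tunnel-options structure, one key per option.
    tunnel_options = ",".join([
        f"Phase1LifetimeSeconds={opts.phase1_lifetime}",
        f"Phase2LifetimeSeconds={opts.phase2_lifetime}",
        f"RekeyMarginTimeSeconds={opts.rekey_margin}",
        f"DPDTimeoutSeconds={opts.dpd_timeout}",
        f"DPDTimeoutAction={opts.dpd_action}",
        f"StartupAction={opts.startup_action}",
    ])
    return (
        "aws ec2 modify-vpn-tunnel-options "
        f"--vpn-connection-id {vpn_connection_id} "
        f"--vpn-tunnel-outside-ip-address {tunnel_outside_ip} "
        f"--tunnel-options {tunnel_options}"
    )


if __name__ == "__main__":
    # Lifetimes longer than the AWS maxima are rejected before any API call is made.
    proposed = TunnelOptions(phase1_lifetime=86_400, phase2_lifetime=14_400,
                             rekey_margin=900, dpd_timeout=60)
    for problem in validate(proposed):
        print("rejected:", problem)
    # A set that AWS accepts: lifetimes at their defaults, longer DPD timeout, restart on DPD failure.
    applied = TunnelOptions(dpd_timeout=60, dpd_action="restart")
    # Placeholder connection ID and tunnel address (constructed, not from the thread).
    print(modify_command("vpn-0123456789abcdef0", "203.0.113.10", applied))
```

Run the command once per tunnel (each tunnel has its own outside IP address), and change the customer gateway's DPD settings in the same maintenance window so both ends agree on how long a silent peer is tolerated.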
