VPN Monitoring

This allows you to ping an IP address through the tunnel. In the event of the tunnel going down a SNMP trap will be generated. The settings can be found under "VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor".

The "rekey" option will cause the Netscreen to continuously try and send ICMP down the tunnel regardless of whether there are any valid SA`s.
When the "optimized" option is enabled the Netscreen will consider any traffic passing the tunnel as an indication that the tunnel is active rather then sending ICMP Pings.

When VPN Monitoring is used with Route based VPN`s, the associated tunnel routes will be disabled in the event of the tunnel being classed as down. This allows for the re-routing of traffic in the event of particular tunnel failures.
Using the "get sa" command, you can obtain the SA and Link Status. This can be found under the "Sta" column (SA/Link). If the VPN Monitor is not enabled you will see a dash for the Link status such as (A/-).

ns5gt-> get sa
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<   192.168.1.107  500 esp: des/md5  ef1d1675  3549 unlim A/U    -1 0
00000002>   192.168.1.107  500 esp: des/md5  b41eba07  3549 unlim A/U    -1 0

VPN Groups

This allows you to add a number of VPN gateways to a VPN group. In the event of failure the traffic flow is sent through another gateway within the group.

Using IKE heart beats and recovery attempts with TCP-SYN flag checking the gateway can failover to another gateway without any disruption to the traffic flow.To ensure that the other gateways can establish new tunnels in the event of failover without the need of the endpoints having to reconnect (i.e an initial SYN not being required) you will need to set the following setting : `unset flow tcp-syn-check-in-tunnel`

VPN Groups can be configured within "VPN`s | AutoKey Advanced | VPN Groups"

Note : VPN Groups only support Policy based VPN`s.