-1

Which setting(s) tell(s) a hardware firewall to try to reestablish a site-to-site VPN as soon as possible after a cause of failure has been corrected?

We have a site-to-site VPN (firewall to firewall) that my applications depend on. For years now, whenever the VPN has failed because of something like a power outage, it would come back to life within a minute or two after the electrical power was restored, without any action on my part. The firewalls on either side would somehow manage to get the handshake going again.

We've gotten a new firewall, and new IT consultants are supporting our networking infrastructure. These days, after any sort of hiccup, electrical or otherwise, the VPN does not come back up after the hiccup is fixed, e.g. after power is restored, or after the ISP has remedied a problem that was affecting the IP address.

The settings on one of the two firewalls have been changed in some manner. The settings on the other firewall have not been touched.

I want to tell the IT consultants to make sure the ____ settings are correct so that the firewall comes back to life ASAP.

TRomano
  • 111
  • 7
  • There are a dozen different VPN technologies. There isn't a generic setting that would apply here. If you had told us the particular type of hardware/software, I am sure someone could have told you what is going on with that hardware. Also, it may not be a setting directly in the VPN either. I saw one case on a device where the VPN process died if the network failed in a certain way, so keepalive settings may not help. Anyway, if you tell your consultants the problem as you have explained it here, they should be able to fix it (if it can be fixed and isn't a hardware problem). – Zoredache Nov 29 '16 at 17:39
  • I agree, the consultants should be able to fix it. But what they want to do is to put a batch file on one server that pings the other at intervals, instead of examining the VPN config. – TRomano Nov 29 '16 at 22:03
  • That seems like an odd thing to do, but have you tried it? Did they explain why they thought that should 'fix' things? Is the VPN initiated by network activity or something? Or is this just something they want to you to do to collect data about the problem? – Zoredache Nov 29 '16 at 22:36
  • The consultant doesn't even know there's a command-line interface to the firewall. They want to initiate traffic from the remote server, so that the VPN comes back up after being down. – TRomano Nov 29 '16 at 22:42

2 Answers

1

As soon as any traffic is initiated, the VPN should negotiate and come up. You can set up a keepalive to send traffic on a regular basis if you want it to come up and stay up all of the time, but it's really not necessary. It really depends on the application. A single site-to-site might want it up all the time (saves a little time when traffic matches it), but if you have a central hub with a lot of VPNs, you might want them to drop when they time out to save on resources.

Dacid Salin
  • 204
  • 4
  • 12
  • This site-to-site VPN must be up 24x7x365. It is the only VPN. Is "a keepalive" something done in the firewall, as per Ipor's answer? Our consultants want to put a batch file on one of the servers that constantly pings the other server. I don't think they have expertise in the particular firewall the company bought. – TRomano Nov 29 '16 at 22:06
0

man openvpn:

   --keepalive n m
          A helper directive designed to simplify the expression of --ping
          and --ping-restart in server mode configurations.

          The server timeout is set twice the value of the second argument.
          This ensures that a timeout is detected on client side before the
          server side drops the connection.

          For example, --keepalive 10 60 expands as follows:

               if mode server:
                 ping 10
                 ping-restart 120
                 push "ping 10"
                 push "ping-restart 60"
               else
                 ping 10
                 ping-restart 60
Ipor Sircer
  • 1,226
  • 7
  • 8
  • I am tempted to downvote this, because OpenVPN is only one of many VPN technologies. An excerpt from the OpenVPN man page probably wouldn't be useful at all if they are using some vendor's implementation of IPsec, PPTP, SSTP, or other proprietary protocol. – Zoredache Nov 29 '16 at 17:37
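As an added illustration (not code from this answer or from OpenVPN itself), the `--keepalive n m` expansion quoted above modelled in Python, with a small review check of the timeouts it produces; the "at least two pings per restart window" rule in the check is my assumption, not something the man page states:

```python
"""Reproduce OpenVPN's documented ``--keepalive n m`` expansion.

Added example (not OpenVPN's code): it models the expansion quoted from the
man page so the resulting timeouts can be reviewed before a config is deployed.
"""
from typing import Dict, List


def expand_keepalive(n: int, m: int, server_mode: bool) -> List[str]:
    """Directives that ``keepalive n m`` expands to, per the man page."""
    if n <= 0 or m <= 0:
        raise ValueError("keepalive arguments must be positive seconds")
    if server_mode:
        # The server's own restart window is doubled and the plain values are
        # pushed to clients, so a client always restarts before the server
        # drops its session.
        return [f"ping {n}", f"ping-restart {2 * m}",
                f'push "ping {n}"', f'push "ping-restart {m}"']
    return [f"ping {n}", f"ping-restart {m}"]


def effective_timeouts(directives: List[str]) -> Dict[str, int]:
    """Extract local and pushed (client) ping / ping-restart values from an
    expanded directive list; entries not present are absent from the dict."""
    out: Dict[str, int] = {}
    for line in directives:
        words = line.replace('"', "").split()
        side = "local"
        if words[0] == "push":
            side, words = "pushed", words[1:]
        if words[0] in ("ping", "ping-restart") and len(words) == 2:
            out[f"{side}-{words[0]}"] = int(words[1])
    return out


def check_keepalive(n: int, m: int) -> List[str]:
    """Review findings for a server-mode keepalive setting. Empty list means
    the documented ordering holds and at least two pings fit in the client's
    restart window (assumption: tolerate one lost ping before restarting)."""
    t = effective_timeouts(expand_keepalive(n, m, server_mode=True))
    findings = []
    if not t["pushed-ping-restart"] < t["local-ping-restart"]:
        findings.append("client would not time out before the server")
    if t["pushed-ping-restart"] // t["pushed-ping"] < 2:
        findings.append("fewer than two pings fit in the client restart "
                        "window; a single dropped ping restarts the tunnel")
    return findings


if __name__ == "__main__":
    for d in expand_keepalive(10, 60, server_mode=True):
        print(d)
    print(check_keepalive(10, 60))  # []
    print(check_keepalive(60, 60))  # one finding: only one ping fits
```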