Support has verified that my site to site VPN is configured correctly, and I have the proper access
03/26/2020 11 12776
DESCRIPTION: Support has verified that my site to site VPN is configured correctly, and I have the proper access rules in place to pass traffic. Why is my traffic being dropped periodically?
Once support has confirmed that the configuration and the access rules are correct, the remaining explanations depend on what kind of traffic is being dropped and how it behaves. Two causes account for most cases.
If the affected traffic is Telnet, RDP, SSH or any other interactive session, the TCP connections may be timing out on the firewall. These applications can go a long time without sending anything, for example while a user sits on a data-entry screen that rarely changes. While the session is idle, the firewall sees no traffic to reset the TCP inactivity timeout on the access rule the traffic matches; when the timeout expires the connection entry is removed, and the next segment from either side no longer matches a known connection and is dropped, which the user experiences as a session that dies after a period of inactivity. Raising the TCP inactivity timeout on that rule to a value longer than the longest expected idle period usually resolves the issue. An alternative that leaves the firewall setting alone is to have the application send periodic keepalives (for example an SSH client's ServerAliveInterval), so that the rule's timer is reset before it can expire.
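As an added illustration (not part of the KB article), the following Python models the behaviour described above: a stateful firewall keeps a TCP connection entry only while packets keep arriving within the rule's inactivity timeout. The packet trace, the 15-minute and 60-minute timeouts and the 25-minute idle period are constructed; the keepalive option stands in for an SSH client's ServerAliveInterval, which is assumed to look like ordinary traffic to the firewall.

```python
"""Model of a stateful firewall's TCP connection cache, added as an example
(not the appliance's code).  A flow survives only while packets keep arriving
within the rule's TCP inactivity timeout; the trace is constructed."""
from typing import List, Optional, Tuple

Packet = Tuple[int, str, int]   # (time in seconds, direction, payload bytes)


def eviction_time(trace: List[Packet], inactivity_timeout: int) -> Optional[int]:
    """Return the second at which the firewall drops the flow, or None if it survives.

    The timeout counts from the last packet seen in either direction; a
    segment arriving after the entry has expired matches no known connection
    and is dropped, which the user sees as a dead session."""
    last_seen = trace[0][0]
    for t, _direction, _size in trace[1:]:
        if t - last_seen > inactivity_timeout:
            return last_seen + inactivity_timeout
        last_seen = t
    return None


def ssh_session(idle_seconds: int, keepalive_every: Optional[int] = None) -> List[Packet]:
    """Constructed trace: a minute of interactive typing, then the user parks on
    a data-entry screen for `idle_seconds`, then types again.  With
    `keepalive_every` set, the client sends an application keepalive at that
    period (OpenSSH's ServerAliveInterval does this); the firewall cannot tell
    it from other traffic, so it resets the inactivity timer."""
    typing = [(t, "c2s", 48) for t in range(0, 60, 5)]
    idle_from, idle_to = 60, 60 + idle_seconds
    keepalives = ([(t, "c2s", 36)
                   for t in range(idle_from + keepalive_every, idle_to, keepalive_every)]
                  if keepalive_every else [])
    return sorted(typing + keepalives + [(idle_to, "c2s", 48)])


if __name__ == "__main__":
    rule_timeout = 15 * 60            # a 15-minute TCP inactivity timeout on the rule
    idle = 25 * 60                    # user idle on a form for 25 minutes
    print("15 min timeout, idle session:   evicted at",
          eviction_time(ssh_session(idle), rule_timeout))
    print("15 min timeout, keepalive 60 s: evicted at",
          eviction_time(ssh_session(idle, 60), rule_timeout))
    print("60 min timeout, idle session:   evicted at",
          eviction_time(ssh_session(idle), 60 * 60))
```

The first case is the one in the question: the entry expires at 955 s and the user's next keystroke at 1560 s is dropped. Either remedy, a longer timeout on the rule or a client keepalive shorter than the timeout, keeps the flow alive; a longer timeout also means idle entries occupy the connection cache for longer, so set it on the rule that needs it rather than globally.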
Another possibility is that Dead Peer Detection (DPD) is being interfered with somewhere along the path. When DPD is enabled, the appliance sends an encrypted IKE phase 1 notification carrying an "R-U-THERE" message to the peer, and the peer answers with an "R-U-THERE-ACK". The "R-U-THERE" is sent only if the appliance has received no traffic at all from the peer within the Dead Peer Detection Interval; ordinary tunnel traffic keeps the timer reset. If no "R-U-THERE-ACK" arrives within the interval (after the configured number of retries, where the appliance supports them), the peer is assumed to be offline, and the phase 1 SA and all phase 2 SAs negotiated under it are removed for that peer.
If something between the endpoints is malforming or blocking the "R-U-THERE" or "R-U-THERE-ACK" messages, the appliance will eventually declare the peer dead and tear the VPN down, even though the peer is alive and data traffic is passing. If keepalive is enabled, the tunnel is then re-negotiated and comes right back up. This explains the pattern where connections drop for no apparent reason yet can be re-created immediately without issue.
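To make the teardown and keepalive cycle concrete, here is an added Python model (example code, not the appliance's implementation) of RFC 3706 style Dead Peer Detection between two peers, with a path that silently discards every R-U-THERE-ACK from a given moment on while still passing data and the R-U-THERE itself. The peer names, the 10-second interval, the three-probe limit, zero-latency delivery and the instant keepalive re-negotiation are all assumptions; the appliance's real retry behaviour depends on its settings.

```python
"""Discrete-time model of IKE Dead Peer Detection (RFC 3706 style) on a
site-to-site tunnel.  Added example, not appliance code: peer names, timer
values, the zero-latency delivery and the "middlebox" that eats ACKs are all
constructed so the teardown/keepalive cycle described above can be observed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

INF_PAST = -10**9     # "never", for the last-probe timestamp


@dataclass
class Msg:
    src: str
    dst: str
    kind: str         # "DATA", "R-U-THERE" or "R-U-THERE-ACK"
    t: int


@dataclass
class Peer:
    name: str
    dpd_interval: int         # seconds without any traffic from the peer before probing
    dpd_retries: int          # unanswered probes tolerated before the peer is declared dead
    last_rx: int = 0          # time of the last packet received from the peer
    last_probe: int = INF_PAST
    unanswered: int = 0       # R-U-THEREs sent since the last R-U-THERE-ACK


class Tunnel:
    """Two IKE peers joined by a path; `middlebox(msg)` returns False to drop a message."""

    def __init__(self, a: Peer, b: Peer, keepalive: bool, middlebox: Callable[[Msg], bool]):
        self.peers = {a.name: a, b.name: b}
        self.keepalive = keepalive
        self.middlebox = middlebox
        self.up = True
        self.queue: List[Msg] = []
        self.events: List[Tuple[int, str]] = []

    def other(self, name: str) -> str:
        return next(n for n in self.peers if n != name)

    def send(self, msg: Msg) -> None:
        if self.middlebox(msg):
            self.queue.append(msg)
        else:
            self.events.append((msg.t, f"{msg.kind} {msg.src}->{msg.dst} lost in transit"))

    def deliver(self) -> None:
        # Zero-latency model: everything sent in this second also arrives in it.
        while self.queue:
            msg = self.queue.pop(0)
            peer = self.peers[msg.dst]
            peer.last_rx = msg.t       # any traffic from the peer resets its DPD idle clock
            if msg.kind == "R-U-THERE":
                self.send(Msg(peer.name, msg.src, "R-U-THERE-ACK", msg.t))
            elif msg.kind == "R-U-THERE-ACK":
                peer.unanswered = 0

    def tick(self, t: int, data: List[Tuple[str, str]]) -> None:
        if not self.up:
            if not self.keepalive:
                return
            # Keepalive re-negotiates phase 1 and phase 2 (assumed to succeed at once).
            self.up = True
            for p in self.peers.values():
                p.last_rx, p.last_probe, p.unanswered = t, INF_PAST, 0
            self.events.append((t, "tunnel re-established by keepalive"))
        for src, dst in data:
            self.send(Msg(src, dst, "DATA", t))
        for p in self.peers.values():
            silent = t - p.last_rx >= p.dpd_interval
            probe_due = t - p.last_probe >= p.dpd_interval
            if silent and probe_due:
                if p.unanswered >= p.dpd_retries:
                    self.up, self.queue = False, []
                    self.events.append((t, f"{p.name} declares {self.other(p.name)} dead; "
                                           "phase 1 SA and phase 2 SAs removed"))
                    return
                p.last_probe, p.unanswered = t, p.unanswered + 1
                self.send(Msg(p.name, self.other(p.name), "R-U-THERE", t))
        self.deliver()


def simulate(drop_acks_from: int, keepalive: bool = True, duration: int = 200,
             dpd_interval: int = 10, dpd_retries: int = 3) -> List[Tuple[int, str]]:
    """Constructed scenario: both sites exchange data for 30 s, then fall silent
    (an idle session).  From `drop_acks_from` on, the path discards every
    R-U-THERE-ACK but still passes data and the R-U-THERE itself."""
    a = Peer("site-a", dpd_interval, dpd_retries)
    b = Peer("site-b", dpd_interval, dpd_retries)
    tunnel = Tunnel(a, b, keepalive,
                    middlebox=lambda m: not (m.kind == "R-U-THERE-ACK" and m.t >= drop_acks_from))
    for t in range(duration + 1):
        tunnel.tick(t, [("site-a", "site-b"), ("site-b", "site-a")] if t <= 30 else [])
    return tunnel.events


def teardown_times(events: List[Tuple[int, str]]) -> List[int]:
    return [t for t, what in events if "dead" in what]


if __name__ == "__main__":
    for t, what in simulate(drop_acks_from=60):
        print(f"t={t:3d}s  {what}")
```

Running it prints the sequence the article describes: ACKs start disappearing at t=60, the tunnel is torn down at t=90 after three unanswered probes, keepalive rebuilds it a second later, and the cycle repeats for as long as the ACKs are lost. With keepalive disabled the tunnel stays down after the first teardown, and with the ACKs delivered nothing is logged at all, which is why the symptom looks like an intermittent fault rather than a misconfiguration.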
The solution to this issue is to disable Dead Peer Detection altogether. Be aware that this also removes the mechanism that notices a genuinely dead peer, so stale SAs will persist until they expire or keepalive renegotiates them; if the path cannot be fixed, a less drastic first step is to lengthen the Dead Peer Detection Interval or raise the number of missed responses tolerated. A packet capture on both sides will confirm the diagnosis: the notifications themselves are encrypted, but the capture shows whether the ISAKMP packets that leave one appliance actually arrive at the other.