The IPsec tunnel of the Firewall/VPN connection to the Web Security Service (WSS) data center either won't pass traffic or goes down and is not re-established (it may stay connected for a time, but it keeps disconnecting).
There are many potential causes for an IPsec tunnel to go down, many of which are not directly related to WSS. Common causes of IPsec tunnel disconnects include, but are not limited to:
Dead Peer Detection (DPD) is not enabled.
No tunnel monitoring method is in place.
Phase 1 and phase 2 timeout values (lifetimes) are set too high.
Phase 2 timeout value is set higher than that of phase 1.
Traffic to the WSS data center over TCP ports 80 and/or 443 is getting blocked.
Traffic over UDP ports 500 and 4500 is not being allowed.
DPD from the WSS data center over UDP port 500 is getting blocked (potentially by an application).
More than one IPsec tunnel has been created with the same egress IP, each one pointing to a different data center.
Resolution
Follow these steps to better optimize your environment for a seamless experience with WSS.
Ensure that UDP ports 500 (for phase 1 negotiation and DPD) and 4500 (for phase 2 negotiation) are open.
Ensure that the phase 1 lifetime is set to 24 hours. The phase 1 lifetime must be greater than that of phase 2.
Ensure that the phase 2 lifetime is set to 4 hours (IKEv1). A phase 2 lifetime much higher than this can be problematic.
Ensure that DPD is enabled (recommended interval of 10 seconds) to monitor phase 1.
DPD not only keeps the tunnel to a specific data center active, allowing seamless transition between data pods within that data center in accordance with load balancing, but also drives failover to a backup IPsec tunnel to a different data center if such a tunnel is configured in the portal and on the firewall/router.
It is also recommended to implement a tunnel monitor, such as Keepalive, IP SLA, or VPN Monitor, to make sure traffic goes through the tunnel.
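As an added example (not code from the article or from Broadcom), the following Python checker lints a firewall's tunnel settings against the steps above: phase 1/phase 2 lifetimes, phase 2 lower than phase 1, DPD at a 10-second interval, a tunnel monitor, UDP 500/4500 allowed, and the cross-tunnel mistake of one egress IP pointing at several data centers. The tunnel names, egress IPs and data-center labels are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

HOUR = 3600

@dataclass
class TunnelConfig:  # one IPsec tunnel as configured on the firewall (field names are hypothetical)
    name: str
    egress_ip: str            # public IP the tunnel is sourced from
    data_center: str          # WSS data center the tunnel points to
    phase1_lifetime_s: int
    phase2_lifetime_s: int
    dpd_enabled: bool
    dpd_interval_s: int = 0
    tunnel_monitor: Optional[str] = None        # e.g. "keepalive", "ip-sla", "vpn-monitor"
    allowed_udp_ports: Set[int] = field(default_factory=set)

def check_tunnel(cfg: TunnelConfig) -> List[str]:
    """Findings for one tunnel against the lifetime, DPD, monitor and port guidance."""
    f = []
    if cfg.phase1_lifetime_s != 24 * HOUR:
        f.append(f"phase 1 lifetime is {cfg.phase1_lifetime_s}s, expected 86400s (24h)")
    if cfg.phase2_lifetime_s != 4 * HOUR:
        f.append(f"phase 2 lifetime is {cfg.phase2_lifetime_s}s, expected 14400s (4h)")
    if cfg.phase2_lifetime_s >= cfg.phase1_lifetime_s:
        f.append("phase 2 lifetime must be lower than the phase 1 lifetime")
    if not cfg.dpd_enabled:
        f.append("DPD is disabled; enable it with a 10s interval")
    elif cfg.dpd_interval_s != 10:
        f.append(f"DPD interval is {cfg.dpd_interval_s}s, recommended 10s")
    if not cfg.tunnel_monitor:
        f.append("no tunnel monitor (Keepalive / IP SLA / VPN Monitor) configured")
    for port in (500, 4500):
        if port not in cfg.allowed_udp_ports:
            f.append(f"UDP port {port} is not allowed")
    return f

def check_tunnels(cfgs: List[TunnelConfig]) -> Dict[str, List[str]]:
    """Per-tunnel findings plus the cross-tunnel check: one egress IP, several data centers."""
    findings = {c.name: check_tunnel(c) for c in cfgs}
    dcs_by_ip: Dict[str, Set[str]] = {}
    for c in cfgs:
        dcs_by_ip.setdefault(c.egress_ip, set()).add(c.data_center)
    for c in cfgs:
        if len(dcs_by_ip[c.egress_ip]) > 1:
            findings[c.name].append(f"egress IP {c.egress_ip} is shared by tunnels to different data centers")
    return findings

# Constructed sample: one tunnel following the guidance, one showing the common mistakes.
SAMPLE = [
    TunnelConfig("hq-primary", "203.0.113.10", "dc-east", 24 * HOUR, 4 * HOUR, True, 10, "ip-sla", {500, 4500}),
    TunnelConfig("hq-backup", "203.0.113.10", "dc-west", 8 * HOUR, 8 * HOUR, False, allowed_udp_ports={500}),
]
```

Running `check_tunnels(SAMPLE)` flags the shared egress IP on both tunnels and six further findings on the misconfigured one.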
* Remember, Cloud SWG supports up to 1 GBps of bandwidth per IPsec tunnel. Exceeding this limitation may result in performance issues. If you are unsure about how to split traffic between multiple public IPs exiting your network, contact Broadcom support for assistance.
NOTE: These steps are necessary for a typical environment to be optimized for a seamless experience with WSS, but they do not encompass the needs of every environment.
To address further issues, see the links to articles below: