VPN pass-through fails intermittently through a cluster
Article: TECH88797 | Created: 2008-01-09 | Updated: 2012-03-27 | Article URL: http://www.symantec.com/docs/TECH88797
You are passing a UDP-encapsulated VPN through your firewall cluster to a VPN concentrator. You have configured rules to allow VPN pass-through, but the traffic fails intermittently.
UDP connections exit the cluster using the address of the individual node that handles them, rather than the cluster Virtual IP (VIP) address. Most IPsec VPNs use a pair of UDP flows: IKE (UDP port 500) for tunnel negotiation and UDP-encapsulated ESP (normally UDP port 4500) for the encrypted data. If the cluster assigns the two flows to different nodes, the concentrator sees them arrive from two different source addresses: the tunnel negotiates successfully, but the encrypted data does not pass. Normally, enabling Stateful Failover causes connections to use the VIP address, but this is not possible for UDP traffic.
To ensure that both connections are assigned to the same node, add the concentrator's IP address to Traffic Grouping.
To add an IP address to Traffic Grouping:
In the Security Gateway Management Interface (SGMI):
- On the left pane, under "Cluster", select Traffic Grouping.
- On the right pane, enter the IP address of the VPN concentrator in the "IP address" field.
- Click Add. (The IP address will then appear in the "Destination IP addresses" list.)
Wait at least one minute (the default UDP timeout) so that the existing state-table entries for that IP address age out. Until they do, traffic to the concentrator keeps its current node assignment and the grouping has no effect.
NOTE: To prevent premature disconnects and constant tunnel renegotiation, add the following advanced option to increase the UDP encapsulation timeout:

udp-gsp.4500/udp.timeout = 300

This raises the timeout to 300 seconds (5 minutes) from the default of 60 seconds (1 minute); a value of 600 gives 10 minutes. Port 4500 is the standard port for UDP encapsulation, but individual concentrators may use a different port; if so, use that port number in the option name in place of 4500.
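The behaviour described above, modelled as an added example (this is not code from the article or from the Symantec product): a cluster that hashes each UDP flow to a node, so IKE and UDP-encapsulated ESP to the same concentrator can leave from two different node addresses; a Traffic Grouping list that pins all flows to a destination onto one node; and a UDP state table whose existing entries keep their old node until they idle out, which is why the fix only takes effect after the timeout. The node addresses, concentrator and client addresses, the SHA-256 bucket hash and the 60-second timeout are all constructed assumptions.

```python
"""Model of UDP VPN pass-through across a firewall cluster (added example)."""
import hashlib

IKE_PORT = 500          # IKE tunnel negotiation
NAT_T_PORT = 4500       # UDP-encapsulated ESP (standard port; concentrators may differ)
UDP_TIMEOUT = 60        # assumed default UDP state-table timeout, in seconds

CONCENTRATOR = "203.0.113.10"                   # constructed concentrator address
NODE_ADDRESSES = ["192.0.2.11", "192.0.2.12"]   # constructed cluster node addresses


def _hash_index(key: str, buckets: int) -> int:
    """Deterministic bucket choice; SHA-256 stands in for the cluster's real hash."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:8], "big") % buckets


class Cluster:
    """A firewall cluster: per-flow node assignment plus a UDP state table."""

    def __init__(self, node_addresses, udp_timeout=UDP_TIMEOUT):
        self.nodes = list(node_addresses)
        self.udp_timeout = udp_timeout
        self.traffic_grouping = set()   # destination IPs pinned to a single node
        self.state = {}                 # flow tuple -> (node_addr, last_seen)

    def add_traffic_grouping(self, dst_ip):
        """Equivalent of adding the concentrator under Cluster > Traffic Grouping."""
        self.traffic_grouping.add(dst_ip)

    def _choose_node(self, src, sport, dst, dport):
        if dst in self.traffic_grouping:
            key = dst                                    # all flows to this host share a node
        else:
            key = f"{src}:{sport}->{dst}:{dport}/udp"    # plain per-flow hashing
        return self.nodes[_hash_index(key, len(self.nodes))]

    def forward_udp(self, src, sport, dst, dport, now):
        """Forward one UDP packet at time `now`; return the node address it exits from.

        An existing state-table entry is reused (and refreshed) while the flow has
        not been idle longer than udp_timeout. Only a new entry consults the
        Traffic Grouping list, so a grouping change does not move live flows.
        """
        flow = (src, sport, dst, dport)
        entry = self.state.get(flow)
        if entry is not None and now - entry[1] <= self.udp_timeout:
            node = entry[0]
        else:
            node = self._choose_node(src, sport, dst, dport)
        self.state[flow] = (node, now)
        return node

    def egress_pair(self, client, now):
        """Source addresses the concentrator sees for the client's IKE and NAT-T flows."""
        ike = self.forward_udp(client, IKE_PORT, CONCENTRATOR, IKE_PORT, now)
        natt = self.forward_udp(client, NAT_T_PORT, CONCENTRATOR, NAT_T_PORT, now)
        return ike, natt


def find_split_client(cluster, candidates, now=0):
    """First client whose two VPN flows leave the cluster from different nodes, or None."""
    for client in candidates:
        ike, natt = cluster.egress_pair(client, now)
        if ike != natt:
            return client
    return None


if __name__ == "__main__":
    cluster = Cluster(NODE_ADDRESSES)
    clients = [f"10.0.0.{i}" for i in range(1, 65)]      # constructed client addresses
    client = find_split_client(cluster, clients)
    if client is None:
        print("no client split across nodes in this sample")
    else:
        print("split client:", client, cluster.egress_pair(client, 0))
        cluster.add_traffic_grouping(CONCENTRATOR)
        # Immediately after adding the grouping the live entries are still split.
        print("right after adding grouping:", cluster.egress_pair(client, 1))
        # Once the entries have idled past the UDP timeout, both flows share a node.
        print("after UDP timeout:", cluster.egress_pair(client, UDP_TIMEOUT + 2))
```

Running the script shows the sequence the article describes: before grouping, some client's IKE and NAT-T flows exit from different node addresses; adding the concentrator to the grouping changes nothing while the old state entries are alive; after they idle out, both flows are re-created on the same node. Raising the UDP timeout in the model lengthens the wait correspondingly, which is the trade-off the note about udp-gsp.4500/udp.timeout is making.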