Updated on 2024-07-23 GMT+08:00

How Can I Prevent VPN Disconnections?

VPN connections are renegotiated when the IPsec SA lifetime is about to expire or the data transmitted through a VPN connection exceeds 20 GB. Usually, renegotiation does not interrupt VPN connections.

Most disconnections are caused by incorrect configurations at the two ends of the VPN connection or renegotiation failures due to Internet exceptions.

Common causes for disconnections are as follows:

  • ACLs at both ends of the VPN connection do not match.
  • SA lifetime settings at both ends of the VPN connection are different.
  • DPD is not configured in your on-premises data center.
  • Configuration is modified when the VPN connection is in use.
  • Packets are fragmented because the data size exceeds the MTU.
  • Jitter occurs on the carrier's network.

As such, ensure that the following VPN configurations are correct to keep VPN connections alive:

  • Local and remote subnets are matched pairs.
  • SA lifetime settings at both ends of the VPN connection are the same.
  • DPD is enabled on the on-premises gateway device, and the DPD detection count is 5 or more.
  • If parameters must be modified while the VPN connection is in use, modify them at both ends of the VPN connection.
  • Set TCP MAX-MSS to 1300 for the on-premises gateway device.
  • The bandwidth of the on-premises gateway is large enough for the traffic carried by the VPN connection.
  • VPN connection negotiation can be triggered by both ends and active negotiation has been enabled on the on-premises gateway.
  • Ping the subnets at both ends continuously. The script is as follows:
    #!/bin/sh
    # Pings one host every 5 seconds and appends a timestamped ok/down line to <host>.log
    host=$1
    if [ -z "$host" ]; then
        echo "Usage: $(basename "$0") [HOST]"
        exit 1
    fi
    log_name="$host.log"
    
    while :; do
        # -W 1: wait at most 1 s for a reply; -c 1: send a single probe
        result=$(ping -W 1 -c 1 "$host" | grep 'bytes from ')
        if [ $? -gt 0 ]; then
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is down" | tee -a "$log_name"
        else
            echo "$(date +'%Y/%m/%d %H:%M:%S') - host $host is ok -$(echo "$result" | cut -d ':' -f 2)" | tee -a "$log_name"
        fi
        sleep 5 # avoid flooding the link with probes
    done
    # Usage: ./ping.sh x.x.x.x >>/dev/null &
    1. Use the vi editor to save the preceding script as a file named ping.sh.
    2. Run the chmod 777 ping.sh command to grant permissions to the file.
    3. Run the ping command:

      ./ping.sh x.x.x.x >>/dev/null &

      x.x.x.x indicates the IP address to be pinged.

    4. Run the following command:

      tail -f x.x.x.x.log

      You can view the ping result in real time.
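The log that ping.sh writes is only useful if you can tell a single lost probe (carrier jitter) from an outage that recurs every time the IPsec SA is renegotiated. The following Python script is an added example, not part of this page or of the VPN product's tooling: it parses a log in the format the script above produces (the sample lines are constructed), collapses consecutive "down" probes into outage windows, and reports which outages start at a whole multiple of an assumed SA lifetime (3600 s here) after the first one.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what ping.sh appends to x.x.x.x.log (not captured from a real deployment).
# "ok" lines carry the part of the ping reply after the first ':' because the script pipes
# the reply through cut -d ':' -f 2.
SAMPLE_LOG = """\
2024/07/23 10:00:00 - host 192.0.2.10 is ok - icmp_seq=1 ttl=62 time=12.3 ms
2024/07/23 10:00:05 - host 192.0.2.10 is ok - icmp_seq=1 ttl=62 time=11.9 ms
2024/07/23 10:00:10 - host 192.0.2.10 is down
2024/07/23 10:00:15 - host 192.0.2.10 is down
2024/07/23 10:00:20 - host 192.0.2.10 is ok - icmp_seq=1 ttl=62 time=13.1 ms
2024/07/23 10:30:00 - host 192.0.2.10 is down
2024/07/23 10:30:05 - host 192.0.2.10 is ok - icmp_seq=1 ttl=62 time=12.0 ms
2024/07/23 11:00:10 - host 192.0.2.10 is down
2024/07/23 11:00:15 - host 192.0.2.10 is down
2024/07/23 11:00:20 - host 192.0.2.10 is ok - icmp_seq=1 ttl=62 time=12.7 ms
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) - host (\S+) is (ok|down)")


def parse_log(text):
    """Return [(timestamp, status)] in file order; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(3)))
    return entries


def outage_windows(entries, probe_interval=5):
    """Collapse consecutive 'down' probes into (start, end, seconds) windows.

    end is the first 'ok' probe after the run; if the log ends while still down, end is
    the last 'down' probe plus one probe interval (ping.sh sleeps 5 s between probes).
    """
    windows = []
    start = last_down = None
    for ts, status in entries:
        if status == "down":
            if start is None:
                start = ts
            last_down = ts
        elif start is not None:
            windows.append((start, ts, (ts - start).total_seconds()))
            start = last_down = None
    if start is not None:
        end = last_down + timedelta(seconds=probe_interval)
        windows.append((start, end, (end - start).total_seconds()))
    return windows


def period_aligned(windows, period_seconds, tolerance_seconds=60):
    """Outage starts that fall within tolerance of a whole multiple of period_seconds after
    the first outage. Renegotiation failures tied to the SA lifetime show up here;
    isolated blips caused by jitter do not."""
    if not windows:
        return []
    first = windows[0][0]
    aligned = []
    for start, _, _ in windows[1:]:
        offset = (start - first).total_seconds()
        multiples = round(offset / period_seconds)
        if multiples >= 1 and abs(offset - multiples * period_seconds) <= tolerance_seconds:
            aligned.append(start)
    return aligned


def summarize(text, sa_lifetime_seconds=3600):
    """Headline numbers for a log: how often, how long, and how many outages line up
    with the assumed SA lifetime."""
    windows = outage_windows(parse_log(text))
    return {
        "outages": len(windows),
        "total_down_seconds": sum(w[2] for w in windows),
        "longest_seconds": max((w[2] for w in windows), default=0),
        "aligned_with_lifetime": len(period_aligned(windows, sa_lifetime_seconds)),
    }


if __name__ == "__main__":
    for start, end, secs in outage_windows(parse_log(SAMPLE_LOG)):
        print(f"down {start:%Y/%m/%d %H:%M:%S} -> {end:%H:%M:%S} ({secs:.0f} s)")
    print(summarize(SAMPLE_LOG))
```

Run it against a real log with `python3 analyze.py` after replacing SAMPLE_LOG with the contents of x.x.x.x.log. On the constructed sample the 10:30 outage is a single lost probe and is ignored by the alignment check, while the 11:00 outage starts exactly 3600 s after the first one; if you see that pattern on a live link, compare the SA lifetime and DPD settings at both ends before looking at the carrier.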