Intermittent VPN Flapping Issues


VPN flapping refers to a situation where a VPN connection repeatedly goes up and down: it establishes and then quickly loses connectivity, over and over. This can happen in site-to-site VPNs, remote access VPNs, or any other type of VPN tunnel. In this blog, we will learn about intermittent VPN flapping issues, their causes, and the ways to diagnose and troubleshoot them.

Businesses use VPNs to give remote workers secure connectivity to office applications. A VPN creates an encrypted tunnel over a public network, the Internet. VPNs are used to improve security and to access company resources in a secure manner. Like any other component, VPNs can suffer repeated drops or reconnects, which can stem from a variety of causes such as an unstable network due to ISP issues, misconfigured settings, VPN protocol issues, etc.

What is VPN Flapping?

Intermittent connection and disconnection of a VPN causes instability and can happen for a variety of reasons. Data packets are lost or delayed between your system and the VPN server. The source could be a problematic connection, the VPN client or the router.


Causes of VPN Connection Issues

Let's look at the possible causes of instability in VPN connections in more detail.

Network Issues

    • Unstable internet connection – congestion and intermittent packet loss on the Internet path can cause flapping
    • Routing issues – path failures or changes in routing paths disrupt VPN connectivity
    • Firewall interference – AV programs or a firewall might be blocking VPN traffic

Misconfigured VPN

    • Incorrect IP address or subnet – the local and remote subnets on both ends of the VPN tunnel must be identical, with the expected CIDR
    • Encryption algorithm incompatibility – the encryption algorithms (Phase 1 and Phase 2) must be compatible at both ends of the VPN tunnel
    • Incorrect lifetime settings – Phase 1 and Phase 2 lifetimes must be configured correctly, and Phase 1 has to have a longer lifetime than Phase 2
    • Dead peer detection – dead peer detection (DPD) is required to be disabled when using multi-vendor firewalls
    • Proxy ID mismatch – the proxy-id value on the SRX series firewall and on the peer VPN device must match

Hardware or Software Problems

    • Hardware failures – failure of hardware can cause VPN instability
    • Software issues – outdated VPN software or bugs in VPN client software could cause instability
    • Stale security associations (SSA) – tunnels can flap due to stale security associations

How to diagnose and troubleshoot VPN flapping issues?

    • Verify that the VPN configuration (such as IP address, subnets, encryption algorithms) is the same at both ends of the VPN tunnel
    • Verify Phase 1 and Phase 2 lifetime settings
    • Disable dead peer detection when using firewalls from different vendors
    • Perform ping tests against the VPN peer's public IP address to check connectivity and packet loss
    • Use the traceroute command to diagnose any network issues between VPN peers
    • Check your ISP internet connection for stability
    • Check the VPN logs on both sides of the tunnel and look for any error messages indicating a potential cause of flapping
    • Examine firewall logs and AV logs to verify whether any traffic is blocked
    • Ensure the VPN client software is the latest version and up to date
    • For suspected stale security associations (SSA), clear the ISAKMP and IPSec security associations
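
The configuration checks from the lists above (mirrored subnets, matching Phase 1 and Phase 2 algorithms, Phase 1 lifetime longer than Phase 2, DPD on multi-vendor tunnels) can be run as a side-by-side comparison of both peers' settings. The following is an added example, not code from the original post; the dictionary layout, field names, vendor names and sample values are constructed for illustration and do not correspond to any vendor's configuration format.

```python
import ipaddress

def check_tunnel(a, b):
    """Return a list of findings for two peers' settings (constructed dict schema)."""
    findings = []
    # Local/remote subnets (proxy IDs) must mirror each other with the same CIDR.
    for name, x, y in (("A", a, b), ("B", b, a)):
        local = ipaddress.ip_network(x["local_subnet"], strict=False)
        remote = ipaddress.ip_network(y["remote_subnet"], strict=False)
        if local != remote:
            findings.append(f"subnet: {name} local {local} != peer remote {remote}")
    # Phase 1 and Phase 2 algorithms must be the same at both ends.
    for phase in ("phase1", "phase2"):
        for key in ("encryption", "integrity"):
            if a[phase][key].lower() != b[phase][key].lower():
                findings.append(f"{phase} {key}: {a[phase][key]} != {b[phase][key]}")
    # On each peer, Phase 1 must have a longer lifetime than Phase 2.
    for name, x in (("A", a), ("B", b)):
        p1, p2 = x["phase1"]["lifetime_s"], x["phase2"]["lifetime_s"]
        if p1 <= p2:
            findings.append(f"lifetime: {name} phase1 {p1}s not longer than phase2 {p2}s")
    # The article advises disabling DPD between firewalls from different vendors.
    if a["vendor"] != b["vendor"]:
        for name, x in (("A", a), ("B", b)):
            if x["dpd_enabled"]:
                findings.append(f"dpd: enabled on {name} in a multi-vendor tunnel")
    return findings

# Constructed sample settings, not taken from any real device.
SITE_A = {
    "vendor": "vendor-x", "dpd_enabled": True,
    "local_subnet": "10.1.0.0/24", "remote_subnet": "10.2.0.0/24",
    "phase1": {"encryption": "aes-256", "integrity": "sha256", "lifetime_s": 28800},
    "phase2": {"encryption": "aes-256", "integrity": "sha256", "lifetime_s": 3600},
}
SITE_B = {
    "vendor": "vendor-y", "dpd_enabled": False,
    "local_subnet": "10.2.0.0/24", "remote_subnet": "10.1.0.0/16",
    "phase1": {"encryption": "AES-256", "integrity": "sha256", "lifetime_s": 3600},
    "phase2": {"encryption": "aes-128", "integrity": "sha256", "lifetime_s": 3600},
}

if __name__ == "__main__":
    for finding in check_tunnel(SITE_A, SITE_B):
        print(finding)
```

With the sample data, the /24 versus /16 subnet pair is flagged even though both start at the same address, which is the "expected CIDR" case from the misconfiguration list.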
