VPN flapping refers to a situation where a VPN connection repeatedly goes up and down. It frequently establishes and then quickly loses connectivity. This can happen in site-to-site VPNs, remote access VPNs, or any other type of VPN tunnel. In this blog, we will learn about intermittent VPN flapping issues, causes of intermittent flapping and the ways to diagnose and troubleshoot.
Businesses use VPNs to grant remote workers secure connectivity to office applications. A VPN creates an encrypted tunnel over a public network, the Internet. VPNs are used to improve security and to access company resources in a secure manner. Like any other component, VPNs can suffer from repeated drops or reconnects, which can stem from a variety of causes such as an unstable network due to ISP issues, misconfigured settings, or VPN protocol issues.
What is VPN Flapping
A VPN can connect and disconnect intermittently, causing instability, for a variety of reasons. Data packets are lost or delayed between your system and the VPN server. This could be due to a problematic connection, the VPN client, or the router.

Causes of VPN connection Issues
Let’s look at the possible causes of instability in VPN connections in more detail.
Network Issues
- Unstable internet connection – congestion and intermittent packet loss on the Internet path can cause flapping
- Routing issues – path failures or changes in routing paths cause disruption in VPN connectivity
- Firewall interference – AV programs or a firewall might be blocking VPN traffic
Misconfigured VPN
- Incorrect IP address or subnet – the local and remote subnets configured on both ends of the VPN tunnel must be identical, with the expected CIDR
- Encryption algorithm incompatibility – the encryption algorithms (phase 1 and phase 2) must be compatible at both ends of the VPN tunnel
- Incorrect lifetime settings – phase 1 and phase 2 lifetimes must be configured correctly, and phase 1 has to have a longer lifetime than phase 2
- Dead peer detection – dead peer detection (DPD) is required to be disabled when using multi-vendor firewalls
- Proxy ID mismatch – the proxy-id value on the SRX series firewall and the peer VPN device must match
Hardware or Software Problems
- Hardware failures – failure of hardware can cause VPN instability
- Software issues – outdated VPN software or bugs in VPN client software could cause the instability issues
- Stale security associations (SSA) – tunnels can flap due to stale security associations
How to diagnose and troubleshoot VPN flapping issues?
- Verify that the VPN configuration settings (such as IP address, subnets, encryption algorithms) are the same at both ends of the VPN tunnel
- Verify phase 1 and 2 lifetime settings
- Disable dead peer detection while using firewalls from different vendors
- Perform ping tests against the VPN peer's public IP address to check connectivity and packet loss
- Use traceroute command to diagnose any network issues between VPN peers
- Check your ISP internet connection for stability
- Check the VPN logs on both sides of the tunnel and look for any error messages indicating a potential cause of flapping
- Examine firewall logs and AV logs to verify any blocked traffic
- Ensure the VPN client software is the latest version and up to date
- For suspected stale security associations (SSA), clear the ISAKMP and IPsec security associations
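The first two checks above (matching settings at both ends, and phase 1 outliving phase 2) can be automated once both peers' settings are exported. The following is an added example, not code from the original post; the dictionary field names and the sample values are constructed for illustration and do not follow any vendor's configuration schema.

```python
from ipaddress import ip_network

# Constructed sample settings for the two ends of one tunnel.
# The field names are hypothetical, not any vendor's configuration schema.
SITE_A = {
    "local_subnets": ["10.1.0.0/16"], "remote_subnets": ["10.2.0.0/16"],
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime_s": 28800},
    "phase2": {"encryption": "aes256", "hash": "sha256", "lifetime_s": 3600},
}
SITE_B = {
    "local_subnets": ["10.2.0.0/24"], "remote_subnets": ["10.1.0.0/16"],
    "phase1": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "lifetime_s": 3600},
    "phase2": {"encryption": "aes128", "hash": "sha256", "lifetime_s": 3600},
}


def _nets(cidrs):
    # Parse into network objects so prefix and netmask notation compare equal.
    return {ip_network(c) for c in cidrs}


def audit_tunnel(a, b):
    """Return a list of mismatch findings; an empty list means both ends agree."""
    findings = []
    # Subnets: what one end calls local must be exactly what its peer calls remote.
    for name, near, far in (("A", a, b), ("B", b, a)):
        if _nets(near["local_subnets"]) != _nets(far["remote_subnets"]):
            findings.append(f"subnet: site {name} local {near['local_subnets']} "
                            f"!= peer remote {far['remote_subnets']}")
    # Algorithms: every phase 1 and phase 2 parameter except lifetime must match.
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if key != "lifetime_s" and a[phase].get(key) != b[phase].get(key):
                findings.append(f"{phase}.{key}: A={a[phase].get(key)} B={b[phase].get(key)}")
    # Lifetimes: on each end, phase 1 has to outlive phase 2.
    for name, site in (("A", a), ("B", b)):
        p1, p2 = site["phase1"]["lifetime_s"], site["phase2"]["lifetime_s"]
        if p1 <= p2:
            findings.append(f"lifetime: site {name} phase1 {p1}s is not longer than phase2 {p2}s")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel(SITE_A, SITE_B):
        print(finding)
```

With the sample data, site B's /24 local subnet, its aes128 phase 2 proposal and its equal phase 1 and phase 2 lifetimes are each reported as a separate finding.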
ABOUT THE AUTHOR

You can learn more about her on her LinkedIn profile – Rashmi Bhardwaj