Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Dynamic VPN Tunnels Overview

 

In releases earlier than CSO 4.1.0, static tunnels are established between spoke sites during the Zero Touch Provisioning (ZTP) process.

Starting with Release 4.1.0, during ZTP only the following static tunnels are established:

  • Between an on-premise spoke site and the corresponding gateway site

  • Between an on-premise spoke site and hub (Primary hub or secondary hub)

  • Between two gateway sites

Therefore, the communication between two on-premise spoke sites is established only through the gateway site or the hub.

CSO can dynamically creates or deletes a VPN tunnel between two spoke sites (without passing through a gateway site or hub), if:

  • The number of sessions closed between two spoke sites crosses the threshold value, and

  • The WAN links of spoke sites have matching mesh tags.

Note

This feature is applicable only for SD-WAN sites in real-time optimized mode (Full mesh).

The default threshold value for creating a dynamic VPN tunnel (maximum number of sessions closed in a two-minute duration) is 5. The default threshold value for deleting a dynamic VPN tunnel (minimum number of sessions closed in a 15-minute duration) is 2.

The SP administrator, operating company (OpCo) administrator, or tenant administrator can modify the default threshold value on the following pages:

  • The Administration > Dynamic VPN page of Administration portal (Global Level)

  • The Add Tenant page (Tenant-level)

  • The Administration > Dynamic VPN page of Customer portal (Global Level)

  • The Add On-Premise Spoke Site page (Site-level)

  • The Add Gateway Site page (Site-level)

The threshold value that you specify at site-level takes precedence over the tenant-level and global-level threshold values.

That is, the threshold value that you specify on the Add Tenant page overrides the threshold value that you specified on the Dynamic VPN page of Administration Portal.

Similarly, the threshold value that you specify in the Add Site page overrides the threshold value that you specified on the Dynamic VPN page and Add Tenant page.

CSO also provides the flexibility for the SP administrator, OpCo administrator, or the tenant administrator to create or delete dynamic VPN tunnels between a source site and a destination site by using the CSO GUI in Customer Portal.