Dynamic VPN Tunnels Overview
In releases earlier than CSO 4.1.0, static tunnels are established between spoke sites during the Zero Touch Provisioning (ZTP) process.
Starting with Release 4.1.0, during ZTP only the following static tunnels are established:
Between an on-premise spoke site and the corresponding gateway site
Between an on-premise spoke site and a hub (primary hub or secondary hub)
Between two gateway sites
Therefore, the communication between two on-premise spoke sites is established only through the gateway site or the hub.
CSO can dynamically create or delete a VPN tunnel between two spoke sites (without passing through a gateway site or hub) if:
The number of sessions closed between two spoke sites crosses the threshold value, and
The WAN links of spoke sites have matching mesh tags.
This feature is applicable only for SD-WAN sites in Real Time-Optimized mode (Full mesh).
The default threshold value for creating a dynamic VPN tunnel (maximum number of sessions closed in a two-minute duration) is 5. The default threshold value for deleting a dynamic VPN tunnel (minimum number of sessions closed in a 15-minute duration) is 2.
The tenant administrator can modify the default threshold value on the following pages:
The Administration > Dynamic VPN page of Customer Portal (global level)
The Add On-Premise Spoke Site page (site level)
The Add Gateway Site page (site level)
The threshold value that you specify at site-level takes precedence over the global-level threshold values.
That is, the threshold value that you specify on the Add Site page (On-premise or gateway) overrides the threshold value that you specified on the Dynamic VPN page of Customer Portal.
CSO also provides the flexibility for the tenant administrator to create or delete dynamic VPN tunnels between a source site and a destination site by using the CSO GUI in Customer Portal.
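The create and delete conditions and the threshold precedence described above can be modeled as follows. This is an added example, not CSO code: the function and class names are hypothetical, "crosses" is assumed to mean strictly above the create threshold or strictly below the delete threshold, and mesh tags are assumed to match when the two sites share at least one tag.

```python
from dataclasses import dataclass
from typing import Optional

# Windows stated on the page.
CREATE_WINDOW_S = 2 * 60      # create threshold is counted over two minutes
DELETE_WINDOW_S = 15 * 60     # delete threshold is counted over 15 minutes

@dataclass(frozen=True)
class Thresholds:
    create: int = 5           # page default
    delete: int = 2           # page default

def effective_thresholds(global_cfg: Thresholds,
                         site_create: Optional[int] = None,
                         site_delete: Optional[int] = None) -> Thresholds:
    """Site-level values, when set, override the global-level values."""
    return Thresholds(
        create=global_cfg.create if site_create is None else site_create,
        delete=global_cfg.delete if site_delete is None else site_delete,
    )

def closed_in_window(close_times, now, window_s):
    """Count session-close timestamps (seconds) in (now - window_s, now]."""
    return sum(1 for t in close_times if now - window_s < t <= now)

def decide(close_times, now, tunnel_up, tags_a, tags_b, th):
    """Return 'create', 'delete' or 'keep' for one spoke-to-spoke pair.

    Assumptions (not from the page): strict comparisons against the
    thresholds, and a tag match means a non-empty intersection.
    """
    if not tunnel_up:
        if not set(tags_a) & set(tags_b):
            return "keep"     # no matching mesh tags: traffic stays via hub/gateway
        if closed_in_window(close_times, now, CREATE_WINDOW_S) > th.create:
            return "create"
        return "keep"
    if closed_in_window(close_times, now, DELETE_WINDOW_S) < th.delete:
        return "delete"
    return "keep"

# Constructed sample: six sessions closed within two minutes.
BURST = [1000, 1020, 1040, 1060, 1080, 1100]
```

Because the create window is much shorter than the delete window, a tunnel created by a short burst of sessions stays up until the site pair has been nearly idle for the full 15 minutes.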