Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Dynamic VPN Tunnels Overview


In releases earlier than CSO 4.1.0, all static tunnels are established between spoke sites during the Zero Touch Provisioning (ZTP) process.

However starting with Release 4.1.0, during ZTP, only the following static tunnels are established:

  • Between an on-premise spoke site and the corresponding enterprise hub (primary enterprise hub or secondary enterprise hub)

  • Between an on-premise spoke site and the provider hub (primary provider hub or secondary provider hub)

  • Between two enterprise hubs

Therefore, the communication between two on-premise spoke sites is established only through the enterprise hub or the provider hub.

CSO dynamically create or delete a VPN tunnel (without passing through an enterprise hub or a provider hub) between two spoke sites, if:

  • The number of sessions closed between two spoke sites crosses the configured threshold value, and

  • The WAN links of spoke sites have matching mesh tags. For more information, see Mesh Tags Overview.


The dynamic VPN feature is applicable only for SD-WAN sites in Real Time-Optimized mode (Full mesh).

The tenant administrator can modify the default threshold value on the following pages:

  • The Administration > Dynamic VPN page of Customer portal (Global Level)

  • The Add On-Premise Spoke Site page (Site-level)

  • The Add Enterprise Hub page (Site-level)

The threshold value that you specify at site-level takes precedence over the global-level threshold values.

That is, the threshold value that you specify on the Add Site page (On-premise or gateway) overrides the threshold value that you specified on the Dynamic VPN page of Customer Portal.

CSO allows you to manually create or delete dynamic VPN tunnels between a source site and a destination site by using the Add On-Demand VPN Tunnel or Delete On-Demand VPN Tunnel pages in Customer Portal.