Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure settings for VPN monitoring.



Specify the destination of the Internet Control Message Protocol (ICMP) pings. If this statement is used, the device uses the peer's gateway address by default.


Specify that VPN monitoring optimization is enabled for the VPN object. When VPN monitoring optimization is enabled, the SRX Series Firewall only sends ICMP echo requests (pings) when there is outgoing traffic and no incoming traffic from the configured peer through the VPN tunnel. If there is incoming traffic through the VPN tunnel, the SRX Series Firewall considers the tunnel to be active and does not send pings to the peer.

Because ICMP echo requests are only sent when needed to determine peer liveliness, VPN monitoring optimization can save resources on the SRX Series Firewall. Also, ICMP echo requests can activate costly backup links that would otherwise not be used.

This option is disabled by default.


Specify the source interface for ICMP requests (VPN monitoring “hellos” ). If no source interface is specified, the device automatically uses the local tunnel endpoint interface.


Specify the verification path to verify the IPsec datapath before the secure tunnel (st0) interface is activated and route(s) associated with the interface are installed in the Junos OS forwarding table.

  • destination-ip ip-address—Original, untranslated IP address of the peer tunnel endpoint that is behind a NAT device. This IP address must not be the NAT translated IP address. This option is required if the peer tunnel endpoint is behind a NAT device. The verify-path ICMP request is sent to this IP address so that the peer can generate an ICMP response.

  • packet-size bytes—(Optional) The size of the packet that is used to verify an IPsec datapath before the st0 interface is brought up. The packet size must be lower than the path maximum transmission unit (PMTU) minus tunnel overhead. The packet used for IPsec datapath verification must not be fragmented. The range of the packet size is 64 to 1350 bytes and the default packet size value is 64 bytes

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 8.5. verify-path keyword and destination-ip added in Junos OS Release 15.1X49-D70. packet-size option added in Junos OS Release 15.1X49-D120.