Cloud Survivability

Configured tunnels have a definite expiry time; the common default expiry time is 24 hours. If the cloud connection fails during rekeying, the tunnel keys expire. The expiration of authentication keys causes the tunnels to go offline, resulting in network traffic disruption.

Cloud Survivability mitigates the loss of a tunnel or the IPsec traffic between Aruba devices. These devices have IPsec tunnels which are orchestrated by SD-WAN Tunnel Orchestration and have a finite key expiry time. If the cloud connection fails for any reason, the devices remain connected through either LAN or WAN connections. This feature is available from ArubaOS 8.5.0.0-2.1.0.0 onward.

Devices can also re-establish IPsec tunnels between them based on tunnel configurations which are received from SD-WAN Tunnel Orchestration using legacy IKE/IPsec tunnel establishment. When cloud connectivity failure is detected during the rekeying process, the tunnels seamlessly switch over to legacy IPsec tunnels.

Cloud Survivability is triggered when:

  • Devices on both sides of the tunnel have no connectivity to the Overlay Tunnel Orchestration.
  • Overlay Tunnel Orchestration pushes new keys to the Aruba gateway, but the gateway does not receive the new keys.
  • Overlay Tunnel Orchestration does not push a new key to the gateway.
  • The gateway is unable to bring up the tunnel using the Overlay Tunnel Orchestration keys received.

A maximum of 6000 tunnels per VPNC is supported. The number of supported tunnels also depends on the gateway model.

When tunnels move to survivability mode, the tunnel type is categorized as Orch-Srv in tunnel monitoring. The tunnel status is displayed on the Tunnels monitoring page. For more information, see Navigating to the WAN Summary Tab.

For more information about orchestrated configuration of IPsec tunnels, see Configuring Overlay Network Using SD-WAN Orchestrator.