When two peers communicate through VPN tunnels using IKE and IPsec, connectivity between them can be interrupted unexpectedly, for example because of routing problems or the reboot of a host. In these cases, IKE and IPsec in general do not provide a way of knowing the peer’s connectivity status, so Security Associations (SAs) continue operating until their lifetimes expire. This results in a “black hole” situation: packets continue to be sent through the tunnel and are lost without reaching their destination.
Detecting these situations as soon as possible is essential, so that an entity can attempt a new connection with the entity that is no longer responding, switch to a different peer, or retrieve lost data.