GitHub user swill commented on the issue:

https://github.com/apache/cloudstack/pull/872

@jayapalu the issues are harder to notice if the connection is always coming up. The problem is if you do a configuration for which the connection does not come up. Because of the logic I pointed out above, the `stopVpnConnection()` function is never called in the Java, so the VRs are never directed to remove the S2S VPN configuration from the VR.

> Each time we configure the s2s vpn we are supposed to overwrite the config file (ipsec.vpn-.conf).
> Even if the file did not get deleted, next time the config gets overwritten.

This is not actually the case. If the Connection state is `Disconnected`, then the config files are not deleted from the VR. In that case, for example, if you had `dpd=true`, then it will add the following items to the config file.

```
dpddelay=30
dpdtimeout=120
dpdaction=restart
```

Now let's assume that we need to set `dpd=false`, so we remove the configuration from ACS ([the files won't get deleted because it is in `Disconnected` state](https://github.com/apache/cloudstack/blob/master/server/src/com/cloud/network/vpn/Site2SiteVpnManagerImpl.java#L520)). Then when the new configuration is applied to the VR, it will see the `dpd=false` and will not attempt to modify those lines. This means that since the config already had those `dpd` lines in it, they will not be removed, and every config will include those `dpd` config options even though ACS has specified that those config options should not be present.

I have updated the Java code to delete the configs from the VR even if the connection is disconnected. I will continue testing and will send a PR to your PR soon.

I see you have made changes to this PR. Are the changes a result of testing, and do these changes fix some bad behavior?
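The stale-option behaviour described in the comment above, as an added example that is not part of the original message and not CloudStack's code: a simplified model that compares an update merging into the file already on disk with one that regenerates the file from the desired state (the effect of deleting the old file first), plus a drift check for leftover `dpd` lines. The function names, `SETTINGS` and its non-DPD options are hypothetical and the sample data is constructed.

```python
# DPD lines quoted in the comment above.
DPD_OPTIONS = {"dpddelay": "30", "dpdtimeout": "120", "dpdaction": "restart"}

def parse_conf(text):
    """Parse key=value lines into a dict, skipping blanks and comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip()] = value.strip()
    return options

def render_conf(options):
    return "".join(f"{k}={v}\n" for k, v in options.items())

def apply_merge(existing_text, settings, dpd):
    """Keep the file on disk and only ever add dpd lines (the reported case)."""
    options = parse_conf(existing_text)
    options.update(settings)
    if dpd:
        options.update(DPD_OPTIONS)
    # dpd=False: nothing touches existing dpd* keys, so old ones survive.
    return render_conf(options)

def apply_regenerate(settings, dpd):
    """Build the file from desired state only; old content is discarded."""
    options = dict(settings)
    if dpd:
        options.update(DPD_OPTIONS)
    return render_conf(options)

def stale_dpd_keys(conf_text, dpd):
    """Drift check: dpd* keys on disk although the desired state is dpd=False."""
    if dpd:
        return []
    return sorted(k for k in parse_conf(conf_text) if k in DPD_OPTIONS)

# Constructed sample: applied once with dpd=True, then again with dpd=False.
SETTINGS = {"keyexchange": "ike", "auto": "start"}  # hypothetical other options
first = apply_merge("", SETTINGS, dpd=True)
merged = apply_merge(first, SETTINGS, dpd=False)
regenerated = apply_regenerate(SETTINGS, dpd=False)
print("merge leaves:", stale_dpd_keys(merged, dpd=False))
print("regenerate leaves:", stale_dpd_keys(regenerated, dpd=False))
```

Running a check like `stale_dpd_keys` against the file on the VR after each apply surfaces this kind of drift between what ACS specifies and what the VR actually runs with.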