VPN Tunnel Renegotiation Every Morning

tstrip007

I am not extremely savy with firewalls and was hoping someone here could point me in the right direction.

I have two Sonicwalls that have VPN tunnel connected to a client on each. I know the client has ASA's. For the past few weeks I am having to deactivate and reactivate the policy every morning. Also having to renogiate to get it back working.

Any ideas why this is happening? All my other tunnels work fine all the time.

Appreciate any feedback.

d4nz1g

The tunnel stays down even after trying to generate interesting traffic?
I dont know about sonicwall, but cisco gear only brings the tunnel up when traffic is detected, and after some time with no traffic over the tunnel, it is brought down.

tstrip007

Thanks d4nz. Then I guess that explains what is happening right? How would I go about instructing them to disable that in their ASA so that it is up all the time?

jmasterj206

In the sonicwall there is an option to enable keep alive that will keep the tunnel active and listening for traffic, but I am not exactly sure that is your issue. Like d4nz1g asked the tunnel stays down after generating interesting traffic? Can you ping a device on the other end of the tunnel and will the tunnel come up?

"Enable Keep Alive - Allows the VPN tunnel to remain active or maintain its current connection by listening for traffic on the network segment between the two connections. Interruption of the signal forces the tunnel to renegotiate the connection."

tstrip007

I have keep alive enabled on the policies. My users are trying to access a website in the morning and cant access it until i renogiate the connection or deactive, reactivate. The website is on the client webserver we have access too via tunnel of course. I havn't tried pinging the gateway or ip we have access to but wouldnt my users attempting to access the website be considered "generating interesting traffic"?

d4nz1g

tstrip007 wrote: »

I have keep alive enabled on the policies. My users are trying to access a website in the morning and cant access it until i renogiate the connection or deactive, reactivate. The website is on the client webserver we have access too via tunnel of course. I havn't tried pinging the gateway or ip we have access to but wouldnt my users attempting to access the website be considered "generating interesting traffic"?

Interesting...Look, for me it seems that one side is stuck with the "old" tunnel up, while the other side brought it down already.
Is it possible to schedule a troubleshoot session with your partner? Check the behavior on both sides before resetting the tunnel.
Also, check for logs in the ASA looking for encrypted traffic, it always helps a lot (not familiar with sonicwall here).

Also, you can check the encaps/decaps and phase 2 status and try to find any abnormalities on the traffic over the tunnel.

tstrip007

Gotcha... thanks for the feedback d4 and jmaster

Edificer

when I am trying to figure out and troubleshoot ASAs I always use the sh crypto isakmp sa and compare the isakmp state to this picture:
http://www.tunnelsup.com/images/IKE_Phase1_MSGs.png

(as mentioned by d4nz1g)

The vpn lifetime on cisco ASAs are 86400 seconds (1 day) by default. What are the default security associations on Sonicwall firewalls?

Also,

clear crypto isakmp sa
clear crypto ipsec sa

Drops the VPN momentarily, occasionally used for troubleshooting

d4nz1g

sh cry ipsec sa helps tshooting phase 2 issues too (you actually sees what is being encrypted/decrypted)

have you had any issues this morning? did you get any logs, or something you can share?

Edificer

Nice. Also, if in AggresiveMode make sure port 500 UDP is listening on responder endpoint. Correct me if I am wrong, d4nz1g.