VPN Tunnel Renegotiation Every Morning

tstrip007 Posts: 306 Member
I am not extremely savvy with firewalls and was hoping someone here could point me in the right direction.

I have two SonicWalls, each with a VPN tunnel connected to a client. I know the client has ASAs. For the past few weeks I have had to deactivate and reactivate the policy every morning, and also to renegotiate to get it back working.

Any ideas why this is happening? All my other tunnels work fine all the time.

Appreciate any feedback.

Comments

  • d4nz1g Posts: 464 Member
    Does the tunnel stay down even after trying to generate interesting traffic?
    I don't know about SonicWall, but Cisco gear only brings the tunnel up when traffic is detected, and after some time with no traffic over the tunnel, it is brought down.
  • tstrip007 Posts: 306 Member
    Thanks, d4nz. Then I guess that explains what is happening, right? How would I go about instructing them to disable that in their ASA so that it is up all the time?
  • jmasterj206 Posts: 471 Member
    In the SonicWall there is an option to enable keep alive that will keep the tunnel active and listening for traffic, but I am not exactly sure that is your issue. Like d4nz1g asked, does the tunnel stay down after generating interesting traffic? Can you ping a device on the other end of the tunnel, and will the tunnel come up?

    "Enable Keep Alive - Allows the VPN tunnel to remain active or maintain its current connection by listening for traffic on the network segment between the two connections. Interruption of the signal forces the tunnel to renegotiate the connection."
    WGU grad
  • tstrip007 Posts: 306 Member
    I have keep alive enabled on the policies. My users are trying to access a website in the morning and can't access it until I renegotiate the connection or deactivate and reactivate it. The website is on the client's web server that we have access to via the tunnel, of course. I haven't tried pinging the gateway or the IP we have access to, but wouldn't my users attempting to access the website be considered "generating interesting traffic"?
  • d4nz1g Posts: 464 Member
    tstrip007 wrote: »
    I have keep alive enabled on the policies. My users are trying to access a website in the morning and can't access it until I renegotiate the connection or deactivate and reactivate it. The website is on the client's web server that we have access to via the tunnel, of course. I haven't tried pinging the gateway or the IP we have access to, but wouldn't my users attempting to access the website be considered "generating interesting traffic"?

    Interesting... Look, to me it seems that one side is stuck with the "old" tunnel up, while the other side has already brought it down.
    Is it possible to schedule a troubleshooting session with your partner? Check the behavior on both sides before resetting the tunnel.
    Also, check the logs on the ASA for encrypted traffic; it always helps a lot (not familiar with SonicWall here).

    Also, you can check the encaps/decaps counters and phase 2 status and try to find any abnormalities in the traffic over the tunnel.
  • tstrip007 Posts: 306 Member
    Gotcha... thanks for the feedback, d4 and jmaster.
  • Edificer Posts: 185 Member
    When I am trying to figure out and troubleshoot ASAs, I always use sh crypto isakmp sa and compare the ISAKMP state to this picture:
    http://www.tunnelsup.com/images/IKE_Phase1_MSGs.png

    (as mentioned by d4nz1g)

    The VPN lifetime on Cisco ASAs is 86400 seconds (1 day) by default. What are the default security association lifetimes on SonicWall firewalls?

    Also,

    clear crypto isakmp sa
    clear crypto ipsec sa


    Drops the VPN momentarily; occasionally used for troubleshooting.
    “Our greatest glory is not in never falling, but in rising every time we fall.” ― Confucius
  • d4nz1g Posts: 464 Member
    sh cry ipsec sa helps troubleshooting phase 2 issues too (you actually see what is being encrypted/decrypted).

    Have you had any issues this morning? Did you get any logs, or something you can share?
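    The encaps/decaps check that d4nz1g recommends in the two posts above can be scripted, which is handy when a tunnel has to be watched across a rekey. The following is an added example for this thread, not code from either vendor or from any poster. It parses the layout of Cisco ASA `show crypto ipsec sa` output (the `current_peer`, `#pkts encaps`/`#pkts decaps` and `remaining key lifetime` fields) and flags the symptom discussed in the thread: one side still encrypting into a tunnel the far end has already torn down, so encaps keeps growing while decaps stays at zero. The sample output embedded in the block is constructed to look like ASA output; the peer addresses, SPIs, counters and lifetimes are made up, and the 600-second rekey margin is an arbitrary choice.

```python
"""Parse Cisco ASA `show crypto ipsec sa` output and flag tunnels that are
idle, one-way, or about to rekey.

Added example, not vendor or poster code. SAMPLE is CONSTRUCTED to resemble
ASA output; addresses, SPIs, counters and lifetimes are invented.
"""
import re
from dataclasses import dataclass, field

# Constructed sample. Peer .1 shows the stale-tunnel symptom (encaps grows,
# decaps stays 0) and an outbound SA close to rekey; peer .2 is healthy.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1482, #pkts encrypt: 1482, #pkts digest: 1482
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      inbound esp sas:
        spi: 0x5D7A3C1B (1568095259)
           sa timing: remaining key lifetime (kB/sec): (4373999/3599)
      outbound esp sas:
        spi: 0xA1B2C3D4 (2712847316)
           sa timing: remaining key lifetime (kB/sec): (4373999/412)

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1

      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 90210, #pkts encrypt: 90210, #pkts digest: 90210
      #pkts decaps: 88731, #pkts decrypt: 88731, #pkts verify: 88731

      inbound esp sas:
        spi: 0x11223344 (287454020)
           sa timing: remaining key lifetime (kB/sec): (4373999/27010)
      outbound esp sas:
        spi: 0x55667788 (1432778632)
           sa timing: remaining key lifetime (kB/sec): (4373999/27010)
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


@dataclass
class TunnelSA:
    peer: str
    encaps: int = 0
    decaps: int = 0
    # direction -> lowest remaining seconds seen for that direction
    lifetime_sec: dict = field(default_factory=dict)


def parse_ipsec_sa(text: str) -> list:
    """Walk the output line by line; each current_peer starts a new record."""
    sas, cur, direction = [], None, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            cur = TunnelSA(peer=m.group(1))
            sas.append(cur)
            direction = None
        elif cur is None:
            pass  # header lines before the first peer block
        elif m := ENCAPS_RE.search(line):
            cur.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur.decaps = int(m.group(1))
        elif m := DIR_RE.match(line):
            direction = m.group(1)
        elif (m := LIFE_RE.search(line)) and direction:
            secs = int(m.group(2))
            cur.lifetime_sec[direction] = min(secs, cur.lifetime_sec.get(direction, secs))
    return sas


def diagnose(sa: TunnelSA, rekey_margin_sec: int = 600) -> list:
    """Return findings for one peer; an empty list means the SA looks healthy."""
    findings = []
    if sa.encaps == 0 and sa.decaps == 0:
        findings.append("idle: no packets either way; generate interesting traffic and re-check")
    elif sa.decaps == 0:
        findings.append("one-way: encrypting to peer but nothing comes back; "
                        "peer likely has no matching SA (stale tunnel on this side)")
    elif sa.encaps == 0:
        findings.append("one-way: receiving from peer but sending nothing; check routing/crypto ACL here")
    for direction, secs in sorted(sa.lifetime_sec.items()):
        if secs <= rekey_margin_sec:
            findings.append(f"{direction} SA rekeys in {secs}s; watch whether counters recover afterwards")
    return findings


def report(text: str) -> dict:
    """Map each peer address to its findings."""
    return {sa.peer: diagnose(sa) for sa in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for peer, findings in report(SAMPLE).items():
        print(peer, "->", findings or ["ok"])
```

    Run it against two captures taken a minute apart: a peer whose encaps count rises while decaps stays flat is the side that still believes the old tunnel exists, which is the state d4nz1g describes and the reason the far end needs to be checked before clearing the SAs.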
  • Edificer Posts: 185 Member
    Nice. Also, if in Aggressive Mode, make sure UDP port 500 is listening on the responder endpoint. Correct me if I am wrong, d4nz1g.