Answers
@Alberto,
I would suggest looking at the IPSec lifetimes as well as the DPD settings for this one.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Alberto,
Was your issue resolved?
If so, please mark the reply as the answer to help other community members find the helpful reply quickly.
@Alberto,
Yes, you can. You just need to make sure that this matches exactly to the local network on its peer.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Alberto
Do you have any upstream switches (ISP) from your Firewall?
If you don't have any upstream switches on both sides of the firewall, please check what @shiprasahu93 suggested.
If you have not adjusted the default IPsec lifetime (28800), check the DPD. ‘Dead Peer Detection’ is a method to determine if the remote peer of a VPN policy is still active. Sometimes these packets get lost, and sometimes the timers are set too short, but the result is the SonicWALL tears down a VPN tunnel that actually had no problems. You can try to fix this by doing one of two things: you can either shut off DPD on both sides, or you can adjust the DPD timers so that they are less aggressive. For example, to shut off DPD completely, go to the ‘VPN > Advanced’ page and uncheck the box next to ‘Enable IKE Dead Peer Detection’. Make sure to do this on at least one side of the tunnel.
I disabled DPD at 10:03, but the log entries persist every 10 minutes. Do I need to disable and re-enable the VPN for the change to take effect?
Before disabling DPD:
Hi @Alberto
Do you have any upstream switches (ISP) from your Firewall?
Yes, the SonicWall WAN goes to a switch and then to a router.
For testing, change the switch and try. Most probably the above issue is due to upstream devices.
Hi @Alberto
May I know whether you tried the above suggestion?
Sorry, from the tests done the VPN works well, but the logs are always like this.