Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

VPN Tunnel to Remote Cisco Devices Disconnects Multiple Times a day

the NSA4600 has 2x tunnels connected, 1x to azure and 1x to a RV260W. All devices show the tunnel is up, but all network traffic, including ICMP, RDP, Fileshare just stops between the NSA4600 and the RV260W.

Cisco is saying some VPN setting is off, however when i did a stare and compare with both devices i do not see any mismatch settings.

this happens multiple times a day. To solve the issue each time i have to login to the NSA and renegotiate the connection. Doing anything from the cisco side does not have an effect.


Here is a basic Topo diagram; unsure what else to check at this point its driving me crazy.


Category: Mid Range Firewalls
Reply
Tagged:

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Post your sanitized VPN configs, otherwise were blind to help...

  • MLegerMLeger Newbie ✭

    Here are the settings as requested, let me know if i've missed something


    [X] is something enabled, [] is something not enabled. same with (*) and (), where i refrence IP1 is the same ip address.


    Sonicwall


    VPN > Base Settings > Policies > Colo to Office


    [General]

    Security Policy

    Policy Type: Site to Site

    Auth Method: IKE using P reshared Secret

    Name: Colo to Office

    IPsec Primary GW Name or Address: Public of Office

    IKEAuth

    Local IKE ID: IPv4 Address: IP1

    Peer IKE ID: IPv4 Address: Public of Office

    [Network]

    Local Networks: Chose from local network list: Colo LANs

    Remote Networks: Chose destnation network from list: Office LAN

    [Proposals]

    IKE Phase 1

    Exhcnage: IKEv2 Mode

    DH Group: Group 2

    Encryption: AES-128

    Authentication: SHA1

    Life Time (seconds): 28800

    Ipsec (Phase 2) Proposal

    Protocol: ESP

    Encryption: AES-128

    Authentication: SHA1

    Perfect Forward Secrecy not enabled

    Life Time Seconds: 28800

    [Advanced]

    [X] Enable Keep Alive  

    [] Suppress automatic Access Rules creation for VPN Policy

    [] Disable IPsec Anti-Replay

    [] Enable Windows Networking (NetBIOS) Broadcast

    [] Enable Multicast

    WXA Group: None

    [] Display Suite B Compliant Algorithms Only

    [] Apply NAT Policies

    [] Allow SonicPointN Layer 3 Management

    Management via this SA: <Nothing Enabled> 

    User login via this SA: <Nothing Enabled>

    Default LAN Gateway (Optional): 0.0.0.0

    VPN Policy bound to: Zone WAN

    IKEv2 Settings

    [] Do not send trigger packet during IKE SA negotiation 

    [] Accept Hash & URL Certificate Type

    [] Accept Hash & URL Certificate Type Send Hash & URL Certificate Type


    VPN > Advanced VPN Settings


    [X] Enable IKE Dead Peer Detection

    Dead Peer Detection Interval (seconds) - 60

    Failure Trigger Level (missed heartbeats) - 3

    [] Enable Dead Peer Detection for Idle VPN sessions

    Dead Peer Detection Interval for Idle VPN sessions (seconds) - 600

    [X] Enable Fragmented Packet Handling

     [] Ignore DF (Don't Fragment) Bit

    [X] Enable NAT Traversal

    [X] Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address

    [] Enable OCSP Checking

    [] Send VPN Tunnel Traps only when tunnel status changes

    [] Use RADIUS in (*) MSCHAP () MSCHAPv2 mode for XAUTH (allows users to change expired passwords) 

    DNS and WINS Server Settings for VPN Client [ Inherit DNS Settings Dynamically from the SonicWall's DNS settings]

    IKEv2 Settings

    [] Send IKEv2 Cookie Notify

    [X] Send IKEv2 Invalid SPI Notify [DH Group: Group 2, Encryption: 3DES, Authentication: SHA1]


    Cisco


    VPN > IPSec VPN > IPSec Profiles


    Profile Name: Colo

    Keying Mode: Auto

    IKE Version: IKEv2

    Phase 1 Option

    DH Group: Group2 - 1024 bits

    Encrption: AES-128

    Authentication: SHA1

    SA Lifetime: 28800

    Phase 2 Option

    Protocol: ESP

    Encryption: AES-128

    Authentication: SHA1

    SA lIFETIME: 2800

    Perfect Forward Secrecy [] Enable (not checked)

    DH Group: Group2 - 1024 bit


    VPN > IPSec VPN > Site-to-Site


    Enabled [X]

    Connection Name: Colo

    IPSec Profile: Colo

    Interface: WAN

    Remote Endpoint: Static IP: IP1

    Local IKE Authenication Method

    Pre-Shared Key

    Minimum Preshared Key Complexity [X] enabled

    Remote IKE Authentication Method

    Pre-Shared Key

    Minimum Preshared Key Complexity [X] enabled

    Local Group Setup

    Local Identifier Type: Local WAN IP

    Local Identifier <Office Public IP>

    Local IP Type: Subnet

    IP Address <Office LAN>

    Subnet Mask <Office LAN>

    Remote Group Setup

    Remote Identifier Type: Remote WAN IP

    Remote Identifier: IP1

    Remote IP Type: IP Group

    IP Group: COLO_LAN_Group

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Cleanup for readability...

    Sonicwall

    Mode: IKE using PSK

    Gateway: (Cisco WAN IP); PSK: (***********); Local IKE ID: (IP1) [* What does IP1 mean / contain? *]; Remote IKE ID: (Cisco WAN IP)

    Encryption domain: Local: (Colo LANs) [* What does this address group contain and what Zone(s)? *]; Remote: (Office LAN) [* VPN zone I hope... *]

    Phase 1: Exchange: IKEv2; DH Group: Group 2; Encryption: AES-128; Authentication: SHA1; Life Time: 28800

    Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; Life Time: 28800

    Keep Alive: Enabled


    Cisco

    Mode: IKE using PSK

    Gateway: (IP1) [* Again what is IP1? *]; PSK: (**********); Local IKE ID: (Local WAN IP); Remote IKE ID: (IP1) [* Again what is IP1? *]

    Encryption domain: Local: (Office LAN); Remote: (COLO_LAN_GROUP) [* What does this contain? *]

    Phase 1: Exchange: IKEv2; DH Group: Group2; Encryption: AES-128; Authentication: SHA1; SA Lifetime: 28800

    Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; SA LIFETIME: 2800 [* IS THIS A TYPO? *]


    If the SA Lifetime on phase2 of the Cisco is not a typo than that is likely your issue.

    It helps to cleanup your posts and provide sanitized IP addresses / subnets.

  • MLegerMLeger Newbie ✭

    I appreciate there response and patience on this, I'm not a expert on these I'm just the tech stuck reaching out for support. 

    * What does IP1 mean / contain? *];

    > It means this same IPaddress is configured on both devices - 4.78.61.102

    Encryption domain: Local: (Colo LANs) [* What does this address group contain and what Zone(s)? *]; Remote: (Office LAN) [* VPN zone I hope... *]

    Colo LANs

    In Group

    - LAN Subnets [192.168.200.0/255.255.255.0]

    - SSL VPN Range [Zone: SMA, Type: Network, Network 192.168.203.0, Netmask 255.255.255.0]

    Address Group: Office LAN

    Zone Assignment: LAN

    Type: Network

    Network: 10.0.0.0

    Netmask: 255.255.0.0

    Cisco

    Gateway: (IP1) [* Again what is IP1? *]; PSK: (**********); Local IKE ID: (Local WAN IP); Remote IKE ID: (IP1) [* Again what is IP1? *]

    > IP1 = 4.78.61.102

    Encryption domain: Local: (Office LAN); Remote: (COLO_LAN_GROUP) [* What does this contain? *]

    > here are the settings

    colo_lan_group

     subnet 192.168.200.0/24

     subnet 192.168.203.0/24

    local

     subnet 10.0.0.16

    Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; SA LIFETIME: 2800 [* IS THIS A TYPO? *]

    > 28800 is the proper entry, this was a type on my end.

  • AjishlalAjishlal All-Knowing Sage ✭✭✭✭

    @MLeger

    Increase the both end life time 28800 to 86400 and observe the behavior.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Mode: IKE using PSK

    Gateway: (Cisco WAN IP); PSK: (***********); Local IKE ID: 4.78.*.* ; Remote IKE ID: (Cisco WAN IP)

    Encryption domain:

    Local: 192.168.200.0 /24 (LAN Zone); 192.168.203.0 /24 (SMA Zone)

    Remote: 10.0.0.0 /16 (LAN Zone) [* This should be in the VPN zone as it is used for a VPN *]

    Phase 1: Exchange: IKEv2; DH Group: Group 2; Encryption: AES-128; Authentication: SHA1; Life Time: 28800

    Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; Life Time: 28800

    Keep Alive: Enabled


    Cisco

    Mode: IKE using PSK

    Gateway: 4.78.*.* ; PSK: (**********); Local IKE ID: (Local WAN IP); Remote IKE ID: 4.78.*.*

    Encryption domain:

    Local: 10.0.0.16 [* Is this a typo?? *]

    Remote: 192.168.200.0 /24; 192.168.203.0 /24

    Phase 1: Exchange: IKEv2; DH Group: Group2; Encryption: AES-128; Authentication: SHA1; SA Lifetime: 28800

    Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; SA LIFETIME: 28800


    As Ajishlal mentioned, sometimes adjusting lifetimes helps Ciscos connect. Do you control the Cisco device? Try adjust phase 1 lifetimes to 3600 and phase 2 lifetimes to 86400 if you still do not have a connection.

Sign In or Register to comment.