Aggressive Mode VPNs aren't staying up
We have 10 TZ3xx series firewalls for remote workers. Each connects to a Palo Alto at one location to access company resources, and to a Palo Alto at a second location so the network team can manage the TZs remotely. We're not seeing issues on the first connection, because there is constant traffic between the remote workstation and the domain controllers.
The issue is with the link to the second location for management. There is no traffic between PA and the remote sonicwalls on this VPN until we need to manage one of them.
-- All of the TZs are behind a NATed router (home internet connection)
-- All of the TZs are configured for Aggressive Mode VPN
-- All of the TZs have "keep alive" selected for the VPN
-- All of the TZs have the VPN configured as a "Tunnel Interface" with a static route configured
-- Phase 1 and Phase 2 IKE lifetimes are 28800 seconds on all of the TZs and on the PAs
-- Access to the remote sonicwall drops within minutes if there's no traffic between the firewalls
-- Generating traffic from the remote site (having the end user ping) will immediately reestablish the VPN
I submitted a ticket, and support said the TZ we tested on was 1 rev. behind and needed to be on the latest firmware before we could continue troubleshooting. Fair enough... I upgraded 2 of the remote TZs, and we're seeing the same symptoms.
My understanding is that the firewall in aggressive mode is responsible for maintaining the VPN, and the "Keep Alive" setting is specifically designed to send a small amount of traffic to maintain the VPN.
Since I'm seeing the same symptoms on different TZs, across 3 versions (including the latest) of the firmware, it seems like a configuration issue, or a bug, rather than an issue with a specific TZ.
The support rep said we should review the Palo Alto configuration for the VPNs. But if the firewall in aggressive mode is responsible for maintaining the connection, and a simple ping will reestablish it, I don't see how it's possible that the Palo Alto (or any other firewall) could be responsible for the connection dropping.
The other question I was asked is: can't you just generate some traffic when you need to access the remote firewall? Is there another way to get to them, through the other VPN?
The answer is yes to both questions (or the TZs would have already been dumped in the bin), but that's not the point. The firewall is supposed to be doing something that it isn't doing.
I'm hoping maybe someone here knows of a way to force aggressive mode with keep alive to actually keep the connection alive, or tell me how I'm being stupid and not doing it right. Either would be welcome! :)
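One piece of evidence worth attaching to a ticket like this is how long the management tunnel sits idle before it is reported down, compared against the configured 28800 s lifetime. The script below is an added example, not part of the post and not SonicWall or Palo Alto tooling: it parses a constructed event log (one line per tunnel event, in a format invented here) and measures the silence before each drop. The 90%-of-lifetime threshold and the tunnel names `mgmt` and `dc` are assumptions.

```python
"""Measure how long a VPN tunnel is idle before it is reported down.

Added example. The log below is constructed for illustration; it is not
real firewall output. Each line is: ISO-8601 timestamp, tunnel name,
event. Events: 'traffic' (a packet crossed the tunnel), 'down' (tunnel
unreachable), 'up' (tunnel re-established).
"""
from datetime import datetime, timezone

IKE_LIFETIME_S = 28800  # Phase 1/2 lifetime quoted in the post

# Constructed sample: the management tunnel drops a few minutes after
# the last packet; the domain-controller tunnel never goes quiet.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z mgmt traffic
2024-03-01T08:00:30Z mgmt traffic
2024-03-01T08:03:40Z mgmt down
2024-03-01T08:15:00Z mgmt up
2024-03-01T08:15:00Z mgmt traffic
2024-03-01T08:18:55Z mgmt down
2024-03-01T08:00:00Z dc traffic
2024-03-01T08:00:05Z dc traffic
"""


def parse(text):
    """Return a list of (timestamp, tunnel, event) sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tunnel, event = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append((when, tunnel, event))
    events.sort(key=lambda e: e[0])  # stable: keeps file order on ties
    return events


def idle_before_drop(events, tunnel):
    """Seconds of silence preceding each 'down' event for one tunnel."""
    last_traffic = None
    gaps = []
    for when, name, event in events:
        if name != tunnel:
            continue
        if event == "traffic":
            last_traffic = when
        elif event == "down" and last_traffic is not None:
            gaps.append((when - last_traffic).total_seconds())
    return gaps


def classify(gap_s, lifetime_s=IKE_LIFETIME_S):
    """Label a gap: does it line up with SA lifetime expiry, or is it
    far shorter, pointing at an idle timeout somewhere on the path?
    The 0.9 factor is an assumption, not a vendor value."""
    if gap_s >= lifetime_s * 0.9:
        return "consistent with SA lifetime expiry"
    return "idle timeout: far shorter than the configured lifetime"


def summarize(text=SAMPLE_LOG):
    """Map each tunnel to a list of (idle seconds, classification)."""
    events = parse(text)
    tunnels = sorted({name for _, name, _ in events})
    return {t: [(g, classify(g)) for g in idle_before_drop(events, t)]
            for t in tunnels}


if __name__ == "__main__":
    for tunnel, drops in summarize().items():
        if not drops:
            print(f"{tunnel}: no drops recorded")
        for gap, label in drops:
            print(f"{tunnel}: down after {gap:.0f}s idle -> {label}")
```

Feed it the real timestamps from both firewalls' logs and the numbers either cluster near the lifetime (a rekey problem) or near a much shorter, repeatable value, which is the figure to put in front of support.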