
TZ670/TZ370 - Site to Site VPN - random drop outs

Hey guys,

Have many of you had issues with random drop outs on the site-to-site VPN connection?
I logged a ticket with SonicWALL support, but their high-level engineer kinda responded with "we don't know how to resolve your issue".

I have a TZ670 host at HQ, and TZ370 units at the remote site(s).
All sites are using 1GB lease lines. (I do have 2 more of these at sites which use broadband lines, without issue.)

The internet connection at all sites is 100% up (no disconnects).

At random times, the VPN tunnel will drop out, and then 15 - 30 seconds later, auto re-establishes the connection.
The log shows (on the remote side):

Receive IPsec Delete Request
seconds before the tunnel drops.
I don't see the same thing on the TZ670 host though.

I can add more info, but the main thing I am looking for is whether anyone else has been in the same situation where the VPN drops (and auto reconnects), yet the internet connection is fine.

Category: Entry Level Firewalls

Best Answer

  • snickolls Newbie ✭

    Hey all,
    Issue resolved:
    The support guy suggested an option, which is kind of the opposite of what you would do when working with connections that are both on lease lines, static IP, etc.

    The support guy suggested changing the IKE Phase 1 / Exchange:
    Change it from MAIN MODE to AGGRESSIVE.

    How bizarre, did that, and connection is now stable.

    My Phase 2 life time was 3600 seconds (1hr), and it was every hour that the connection dropped, almost like in "Main Mode" the remote firewall forgot it had a VPN with the HQ, then forgot what key it used the hour before (layman's terms).

    Oh well.
    Rule of thumb: always try different VPN modes instead of the recommended setup based on the network.

Answers

  • MarkD Cybersecurity Overlord ✭✭✭

    The IKE SA delete is part of the IPSEC protocol.

    Check your P1 and P2 timings: Phase 1 should be greater than P2, as P2 is inside the P1 tunnel.

    Try 28800sec (8Hr) for P1 and 3600sec (1Hr) for P2 on both sides of the VPN.

  • snickolls Newbie ✭
    edited December 9

    Hiya
    I have the same settings on both the TZ370 / TZ670 (latest general release firmware).
    VPN Policy - Proposals
    IKE Phase 1
    Exchange: Main Mode
    DH Group: Group 14
    Encryption: AES-128
    Authentication: SHA256
    Life Time: 28800

    IPSEC Phase 2
    Protocol: ESP
    Encryption: AES-128
    Authentication: SHA256
    Enable Perfect Forward Secrecy: OFF
    Life Time: 28800

    On the Advanced tab, "Enable Keep Alive" is ON (this is on the TZ370, the remote site).
    On the General tab, I am using "Firewall Identifier" for Local/Peer IKE ID,
    along with IKE using Preshared Secret.

    Shame I can't post the log file on here (I got the same time window, on both the HQ & Remote firewall, in terms of the entries created when the VPN drops).

  • MarkD Cybersecurity Overlord ✭✭✭

    P1 and P2 timings are clashing; you've used the "defaults".

    Change the timings!

  • snickolls Newbie ✭

    OK.
    So on the IPSEC (Phase 2) Proposal, change "Life Time" to 3600?

  • snickolls Newbie ✭

    Sorry,
    My bad:
    I was looking at a screenshot I had taken last week when I wrote about the P1 / P2 timings.
    I have P1 time set to: 28800 (Default)
    Under IPSEC (Phase 2),
    For Life Time, I have: 3600
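The thread turns on two things a defender can check before opening a ticket: whether the Phase 1 and Phase 2 lifetimes are ordered sensibly and identical on both peers (MarkD's point), and whether the tunnel drops in the logs recur at a rekey interval (the "every hour" pattern in the accepted answer). The script below is an added example, not code from the thread or from SonicWall. The policy values are the ones quoted above; the log lines are constructed in a simplified "date time peer message" layout (not real SonicWall log syntax), and only the "Receive IPsec Delete Request" message text comes from the thread.

```python
"""Check IKE Phase 1 / Phase 2 lifetimes on both VPN peers and test whether
logged tunnel drops recur at a rekey interval.

Added example, not code from the thread or from SonicWall. Policy values are
the ones quoted in the thread; the log lines are constructed in a simplified
"YYYY-MM-DD HH:MM:SS <peer> <message>" layout, not real SonicWall log syntax.
"""
from datetime import datetime
from statistics import median

# Proposal values quoted in the thread, before the Phase 2 lifetime was changed.
POLICIES = {
    "HQ-TZ670":     {"exchange": "Main Mode", "p1_lifetime": 28800, "p2_lifetime": 28800},
    "Remote-TZ370": {"exchange": "Main Mode", "p1_lifetime": 28800, "p2_lifetime": 28800},
}

# Constructed sample log from the remote peer: a delete request arrives a few
# seconds after every full hour, then the SA comes back about 30 seconds later.
SAMPLE_LOG = """\
2024-12-02 08:59:58 Remote-TZ370 VPN: IKE Responder: Main Mode request accepted
2024-12-02 09:00:12 Remote-TZ370 VPN: Receive IPsec Delete Request
2024-12-02 09:00:41 Remote-TZ370 VPN: IPsec SA established
2024-12-02 10:00:09 Remote-TZ370 VPN: Receive IPsec Delete Request
2024-12-02 10:00:36 Remote-TZ370 VPN: IPsec SA established
2024-12-02 11:00:15 Remote-TZ370 VPN: Receive IPsec Delete Request
2024-12-02 11:00:44 Remote-TZ370 VPN: IPsec SA established
2024-12-02 12:00:11 Remote-TZ370 VPN: Receive IPsec Delete Request
"""

DELETE_MARKER = "Receive IPsec Delete Request"


def check_lifetimes(policies):
    """Return a list of findings; an empty list means the lifetimes look sane."""
    findings = []
    for name, p in policies.items():
        p1, p2 = p["p1_lifetime"], p["p2_lifetime"]
        # The IPsec (Phase 2) SA is negotiated inside the IKE (Phase 1) SA, so it
        # should expire and rekey first; equal lifetimes make both expire together.
        if p2 >= p1:
            findings.append(
                f"{name}: Phase 2 lifetime {p2}s is not shorter than Phase 1 lifetime {p1}s"
            )
    # Both ends should agree on every value, otherwise one side tears the SA down
    # while the other still considers it valid.
    for key in ("exchange", "p1_lifetime", "p2_lifetime"):
        values = {p[key] for p in policies.values()}
        if len(values) > 1:
            findings.append(f"{key} differs between peers: {sorted(map(str, values))}")
    return findings


def with_p2_lifetime(policies, seconds):
    """Copy of the policies with the Phase 2 lifetime set to `seconds` on every peer."""
    return {name: {**p, "p2_lifetime": seconds} for name, p in policies.items()}


def parse_drops(log, marker=DELETE_MARKER):
    """Timestamps of lines carrying the delete-request marker, in log order."""
    drops = []
    for line in log.splitlines():
        if marker in line:
            drops.append(datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"))
    return drops


def drop_interval(drops):
    """Median seconds between consecutive drops, or None with fewer than two drops."""
    if len(drops) < 2:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(drops, drops[1:])]
    return median(gaps)


def drops_match_lifetime(drops, lifetime, tolerance=60):
    """True when drops recur at roughly `lifetime` seconds (a rekey signature)."""
    interval = drop_interval(drops)
    return interval is not None and abs(interval - lifetime) <= tolerance


if __name__ == "__main__":
    for finding in check_lifetimes(POLICIES) or ["no lifetime findings"]:
        print(finding)
    drops = parse_drops(SAMPLE_LOG)
    print(f"{len(drops)} drops, median interval {drop_interval(drops)}s")
    for lifetime in (3600, 28800):
        print(f"matches {lifetime}s lifetime: {drops_match_lifetime(drops, lifetime)}")
```

With the thread's original values the check reports both peers as having Phase 2 not shorter than Phase 1; re-running it on `with_p2_lifetime(POLICIES, 3600)` reports nothing. On the constructed log the median gap between delete requests is 3597 seconds, which lines up with a 3600-second Phase 2 lifetime and not with the 28800-second Phase 1 lifetime, so the drops look like rekey events rather than line faults.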
