Phase 2 VPN dropping

We have a number of subnets between two site-to-site VPNs and we are seeing the occasional phase 2 drop, or hang. Both firewalls are showing the connection up, but traffic isn't passing. Hitting the renegotiate button resolves the issue. This has caused some significant distress, and we missed it the first couple of times troubleshooting, because everything is showing up and running in the firewall GUI. Other phase 2 connections on the same VPN policy remain connected.
I'm looking for what to troubleshoot so we can avoid these outages.
VPNs between NSa 3650 and NSa 4600, both running SonicOS Enhanced
Hello @shultis,
If the VPN itself is not dropping, I would suggest making sure that the lifetimes on both ends are matching correctly. Also, please make sure that keep-alive is enabled on only one end.
If this issue re-occurs please perform a packet capture on both ends to see why the traffic isn't passing.
Shipra Sahu
Technical Support Advisor, Premier Services
I've enabled keep-alive on one side, (it was not enabled) and confirmed the timeouts are matching. Shouldn't the phase 2 reconnect as soon as traffic attempts to pass, even if keep-alive is not enabled?
After enabling keep-alive on one side of the site-to-site VPN, and confirming it was off on the other side, we started seeing much more frequent drops on the connection, impacting a majority of users. I have disabled the keep-alive and things appear to be back to normal. I have opened a ticket with support, but any insight here would be appreciated.
The purpose of the keep-alive is to start the VPN negotiation. We want that on only one end so that the other end understands it is a responder and there is no problem in creating the keys.
It is important to find out the reason using the packet capture to see why the traffic stops flowing. Are you seeing anything in logs or packet capture while the traffic is not flowing?
Shipra Sahu
Technical Support Advisor, Premier Services
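Two checks that follow from this thread, written up as an added example (not code from the thread, from SonicWall, or from either poster): the advisor's advice to confirm the Phase 2 lifetimes match and that keep-alive is enabled on only one end, and the original problem that the firewall GUI reports the SA as up while no traffic passes, which a status check alone will never catch. The settings dictionaries, field names and status samples below are constructed for illustration and do not correspond to any SonicOS export or log format; `probe_ok` stands for whatever end-to-end reachability test you run to a host behind the far end.

```python
"""Phase 2 consistency check and 'SA up but traffic not passing' detector.

Added example, not from the thread. All values are constructed; field names
such as "lifetime_sec" and "keepalive" are assumptions, not a SonicOS format.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed Phase 2 settings as exported from each end of one policy.
SITE_A = {"encryption": "AES-256", "auth": "SHA256", "pfs_group": 14,
          "lifetime_sec": 28800, "keepalive": True}
SITE_B = {"encryption": "AES-256", "auth": "SHA256", "pfs_group": 14,
          "lifetime_sec": 3600, "keepalive": True}


def compare_phase2(a: dict, b: dict) -> list:
    """Return a list of findings; an empty list means both ends agree.

    Mismatched proposals (including lifetime) leave one end expiring or
    rekeying the SA at a different time than its peer. Keep-alive on both
    ends means both sides try to be initiator, which the advisor warns
    against, so that is flagged as well.
    """
    findings = []
    for key in ("encryption", "auth", "pfs_group", "lifetime_sec"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} mismatch: {a.get(key)} vs {b.get(key)}")
    if a.get("keepalive") and b.get("keepalive"):
        findings.append("keepalive enabled on both ends; enable on one end only")
    return findings


@dataclass
class Sample:
    """One polling interval of tunnel health (constructed)."""
    ts: int          # seconds since the monitoring run started
    sa_up: bool      # firewall reports the Phase 2 SA as established
    probe_ok: bool   # reachability probe through the tunnel succeeded


def detect_stale_sa(samples, threshold: int = 3) -> Optional[int]:
    """Return the timestamp at which an SA first looks stale, else None.

    'Stale' means the SA has been reported up while the end-to-end probe
    failed for `threshold` consecutive samples. A probe failure while the
    SA is down is an ordinary outage, not this condition, so it resets the
    streak instead of counting towards it. This is the state in which the
    original poster had to press renegotiate by hand.
    """
    streak = 0
    for s in samples:
        if s.sa_up and not s.probe_ok:
            streak += 1
            if streak >= threshold:
                return s.ts
        else:
            streak = 0
    return None


# Constructed monitoring history: SA stays up, probes start failing at t=120.
SAMPLES = [
    Sample(0, True, True), Sample(60, True, True), Sample(120, True, False),
    Sample(180, True, False), Sample(240, True, False), Sample(300, True, False),
]

if __name__ == "__main__":
    for f in compare_phase2(SITE_A, SITE_B):
        print("config:", f)
    stale_at = detect_stale_sa(SAMPLES)
    if stale_at is not None:
        print(f"SA reported up but traffic not passing since t={stale_at}s; "
              "renegotiate and capture packets on both ends")
```

The point of the second check is that alerting must key on traffic actually crossing the tunnel, not on the SA state the GUI shows; with constructed data, the detector fires at the third consecutive failed probe while the SA is still up, which is exactly the window where the original poster's users were already cut off.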