VPN Tunnel to Remote Cisco Devices Disconnects Multiple Times a day
MLeger
The NSA4600 has two tunnels connected, one to Azure and one to an RV260W. All devices show the tunnel is up, but all network traffic, including ICMP, RDP and file shares, just stops between the NSA4600 and the RV260W.
Cisco is saying some VPN setting is off; however, when I did a stare-and-compare with both devices I do not see any mismatched settings.
This happens multiple times a day. To solve the issue each time I have to log in to the NSA and renegotiate the connection. Doing anything from the Cisco side does not have an effect.
Here is a basic topology diagram; unsure what else to check at this point, it's driving me crazy.
Answers
Post your sanitized VPN configs, otherwise we're blind to help...
Here are the settings as requested, let me know if I've missed something.
[X] is something enabled, [] is something not enabled; same with (*) and (). Where I reference IP1 it is the same IP address.
Sonicwall
VPN > Base Settings > Policies > Colo to Office
[General]
Security Policy
Policy Type: Site to Site
Auth Method: IKE using Preshared Secret
Name: Colo to Office
IPsec Primary GW Name or Address: Public of Office
IKEAuth
Local IKE ID: IPv4 Address: IP1
Peer IKE ID: IPv4 Address: Public of Office
[Network]
Local Networks: Choose from local network list: Colo LANs
Remote Networks: Choose destination network from list: Office LAN
[Proposals]
IKE Phase 1
Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: AES-128
Authentication: SHA1
Life Time (seconds): 28800
Ipsec (Phase 2) Proposal
Protocol: ESP
Encryption: AES-128
Authentication: SHA1
Perfect Forward Secrecy not enabled
Life Time Seconds: 28800
[Advanced]
[X] Enable Keep Alive
[] Suppress automatic Access Rules creation for VPN Policy
[] Disable IPsec Anti-Replay
[] Enable Windows Networking (NetBIOS) Broadcast
[] Enable Multicast
WXA Group: None
[] Display Suite B Compliant Algorithms Only
[] Apply NAT Policies
[] Allow SonicPointN Layer 3 Management
Management via this SA: <Nothing Enabled>
User login via this SA: <Nothing Enabled>
Default LAN Gateway (Optional): 0.0.0.0
VPN Policy bound to: Zone WAN
IKEv2 Settings
[] Do not send trigger packet during IKE SA negotiation
[] Accept Hash & URL Certificate Type
[] Accept Hash & URL Certificate Type Send Hash & URL Certificate Type
VPN > Advanced VPN Settings
[X] Enable IKE Dead Peer Detection
Dead Peer Detection Interval (seconds) - 60
Failure Trigger Level (missed heartbeats) - 3
[] Enable Dead Peer Detection for Idle VPN sessions
Dead Peer Detection Interval for Idle VPN sessions (seconds) - 600
[X] Enable Fragmented Packet Handling
[] Ignore DF (Don't Fragment) Bit
[X] Enable NAT Traversal
[X] Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address
[] Enable OCSP Checking
[] Send VPN Tunnel Traps only when tunnel status changes
[] Use RADIUS in (*) MSCHAP () MSCHAPv2 mode for XAUTH (allows users to change expired passwords)
DNS and WINS Server Settings for VPN Client [ Inherit DNS Settings Dynamically from the SonicWall's DNS settings]
IKEv2 Settings
[] Send IKEv2 Cookie Notify
[X] Send IKEv2 Invalid SPI Notify [DH Group: Group 2, Encryption: 3DES, Authentication: SHA1]
Cisco
VPN > IPSec VPN > IPSec Profiles
Profile Name: Colo
Keying Mode: Auto
IKE Version: IKEv2
Phase 1 Option
DH Group: Group2 - 1024 bits
Encryption: AES-128
Authentication: SHA1
SA Lifetime: 28800
Phase 2 Option
Protocol: ESP
Encryption: AES-128
Authentication: SHA1
SA Lifetime: 2800
Perfect Forward Secrecy [] Enable (not checked)
DH Group: Group2 - 1024 bit
VPN > IPSec VPN > Site-to-Site
Enabled [X]
Connection Name: Colo
IPSec Profile: Colo
Interface: WAN
Remote Endpoint: Static IP: IP1
Local IKE Authentication Method
Pre-Shared Key
Minimum Preshared Key Complexity [X] enabled
Remote IKE Authentication Method
Pre-Shared Key
Minimum Preshared Key Complexity [X] enabled
Local Group Setup
Local Identifier Type: Local WAN IP
Local Identifier <Office Public IP>
Local IP Type: Subnet
IP Address <Office LAN>
Subnet Mask <Office LAN>
Remote Group Setup
Remote Identifier Type: Remote WAN IP
Remote Identifier: IP1
Remote IP Type: IP Group
IP Group: COLO_LAN_Group
Cleanup for readability...
Sonicwall
Mode: IKE using PSK
Gateway: (Cisco WAN IP); PSK: (***********); Local IKE ID: (IP1) [* What does IP1 mean / contain? *]; Remote IKE ID: (Cisco WAN IP)
Encryption domain: Local: (Colo LANs) [* What does this address group contain and what Zone(s)? *]; Remote: (Office LAN) [* VPN zone I hope... *]
Phase 1: Exchange: IKEv2; DH Group: Group 2; Encryption: AES-128; Authentication: SHA1; Life Time: 28800
Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; Life Time: 28800
Keep Alive: Enabled
Cisco
Mode: IKE using PSK
Gateway: (IP1) [* Again what is IP1? *]; PSK: (**********); Local IKE ID: (Local WAN IP); Remote IKE ID: (IP1) [* Again what is IP1? *]
Encryption domain: Local: (Office LAN); Remote: (COLO_LAN_GROUP) [* What does this contain? *]
Phase 1: Exchange: IKEv2; DH Group: Group2; Encryption: AES-128; Authentication: SHA1; SA Lifetime: 28800
Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; SA LIFETIME: 2800 [* IS THIS A TYPO? *]
If the SA Lifetime on phase 2 of the Cisco is not a typo, then that is likely your issue.
It helps to clean up your posts and provide sanitized IP addresses / subnets.
I appreciate their response and patience on this. I'm not an expert on these, I'm just the tech stuck reaching out for support.
[* What does IP1 mean / contain? *]
> It means this same IP address is configured on both devices - 4.78.61.102
Encryption domain: Local: (Colo LANs) [* What does this address group contain and what Zone(s)? *]; Remote: (Office LAN) [* VPN zone I hope... *]
Colo LANs
In Group
- LAN Subnets [192.168.200.0/255.255.255.0]
- SSL VPN Range [Zone: SMA, Type: Network, Network 192.168.203.0, Netmask 255.255.255.0]
Address Group: Office LAN
Zone Assignment: LAN
Type: Network
Network: 10.0.0.0
Netmask: 255.255.0.0
Cisco
Gateway: (IP1) [* Again what is IP1? *]; PSK: (**********); Local IKE ID: (Local WAN IP); Remote IKE ID: (IP1) [* Again what is IP1? *]
> IP1 = 4.78.61.102
Encryption domain: Local: (Office LAN); Remote: (COLO_LAN_GROUP) [* What does this contain? *]
> here are the settings
colo_lan_group
subnet 192.168.200.0/24
subnet 192.168.203.0/24
local
subnet 10.0.0.16
Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; SA LIFETIME: 2800 [* IS THIS A TYPO? *]
> 28800 is the proper entry, this was a typo on my end.
@MLeger
Increase the lifetime on both ends from 28800 to 86400 and observe the behavior.
Mode: IKE using PSK
Gateway: (Cisco WAN IP); PSK: (***********); Local IKE ID: 4.78.*.* ; Remote IKE ID: (Cisco WAN IP)
Encryption domain:
Local: 192.168.200.0 /24 (LAN Zone); 192.168.203.0 /24 (SMA Zone)
Remote: 10.0.0.0 /16 (LAN Zone) [* This should be in the VPN zone as it is used for a VPN *]
Phase 1: Exchange: IKEv2; DH Group: Group 2; Encryption: AES-128; Authentication: SHA1; Life Time: 28800
Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; Life Time: 28800
Keep Alive: Enabled
Cisco
Mode: IKE using PSK
Gateway: 4.78.*.* ; PSK: (**********); Local IKE ID: (Local WAN IP); Remote IKE ID: 4.78.*.*
Encryption domain:
Local: 10.0.0.16 [* Is this a typo?? *]
Remote: 192.168.200.0 /24; 192.168.203.0 /24
Phase 1: Exchange: IKEv2; DH Group: Group2; Encryption: AES-128; Authentication: SHA1; SA Lifetime: 28800
Phase 2: Protocol: ESP; Encryption: AES-128; Authentication: SHA1; PFS: disabled; SA LIFETIME: 28800
As Ajishlal mentioned, sometimes adjusting lifetimes helps Ciscos connect. Do you control the Cisco device? Try adjusting phase 1 lifetimes to 3600 and phase 2 lifetimes to 86400 if you still do not have a connection.
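The stare-and-compare done by hand in the replies above (the side-by-side cleanup and the final summary) can be scripted so that divergent proposal values and non-mirrored traffic selectors are listed automatically. This is an added example, not SonicWall or Cisco tooling; the two dictionaries are constructed from the sanitized settings in the thread, and `compare_policies` is an assumed helper name.

```python
"""Compare the two ends of an IKEv2 site-to-site policy and list mismatches."""
import ipaddress

# Constructed from the thread's sanitized settings: proposal parameters and
# traffic selectors (encryption domains) for each side.
SONICWALL = {
    "ike_version": "IKEv2", "p1_dh": 2, "p1_enc": "AES-128", "p1_auth": "SHA1",
    "p1_lifetime": 28800, "p2_proto": "ESP", "p2_enc": "AES-128", "p2_auth": "SHA1",
    "p2_pfs": False, "p2_lifetime": 28800,
    "local_nets": ["192.168.200.0/24", "192.168.203.0/24"],
    "remote_nets": ["10.0.0.0/16"],
}
CISCO = {
    "ike_version": "IKEv2", "p1_dh": 2, "p1_enc": "AES-128", "p1_auth": "SHA1",
    "p1_lifetime": 28800, "p2_proto": "ESP", "p2_enc": "AES-128", "p2_auth": "SHA1",
    "p2_pfs": False, "p2_lifetime": 2800,   # the value the thread asks about
    "local_nets": ["10.0.0.16"],            # a single host, not 10.0.0.0/16
    "remote_nets": ["192.168.200.0/24", "192.168.203.0/24"],
}

PROPOSAL_KEYS = ("ike_version", "p1_dh", "p1_enc", "p1_auth", "p1_lifetime",
                 "p2_proto", "p2_enc", "p2_auth", "p2_pfs", "p2_lifetime")


def _nets(cidrs):
    """Normalise selector strings; a bare host such as 10.0.0.16 becomes a /32."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def compare_policies(a, b):
    """Return human-readable mismatches between peer a and peer b (empty if none)."""
    issues = []
    for key in PROPOSAL_KEYS:
        if a[key] != b[key]:
            issues.append(f"{key}: {a[key]!r} vs {b[key]!r}")
    # Selectors must mirror: a's local set is b's remote set and vice versa.
    if _nets(a["local_nets"]) != _nets(b["remote_nets"]):
        issues.append(f"a.local {sorted(a['local_nets'])} != b.remote {sorted(b['remote_nets'])}")
    if _nets(a["remote_nets"]) != _nets(b["local_nets"]):
        issues.append(f"a.remote {sorted(a['remote_nets'])} != b.local {sorted(b['local_nets'])}")
    return issues


if __name__ == "__main__":
    for line in compare_policies(SONICWALL, CISCO):
        print("MISMATCH:", line)
```

Run as-is it reports the phase 2 lifetime difference and the 10.0.0.16 versus 10.0.0.0/16 selector difference; once both Cisco values are corrected the comparison returns an empty list.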