VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Hello,

I did a migration from SonicWall to a Cisco router. There are 5 or 6 site-to-site VPN tunnels. Before, everything was SonicWall, but now we have a Cisco as the hub.

What happens is that after one of the remote-end SonicWalls gets rebooted or experiences an outage, the VPN tunnel does not come back up. So we need to manually turn the tunnel off and on, and then it starts working.

Any suggestions to fix this?

6 REPLIES
Hall of Fame Expert

Re: VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Hello Filip,

I would look for the IPsec Dead Peer Detection feature; it should be standards based.

see https://tools.ietf.org/html/rfc6071, section 4.2.3:

When two peers communicate using IKE and IPsec, it is possible for the connectivity between the two peers to drop unexpectedly. But the SAs can still remain until their lifetimes expire, resulting in the packets getting tunneled into a "black hole". [RFC3706] describes an approach to detect peer liveliness without needing to send messages at regular intervals. This RFC defines an optional extension to IKEv1; dead peer detection (DPD) is an integral part of IKEv2, which refers to this feature as a "liveness check" or "liveness test".

Hope to help

Giuseppe

Re: VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Thanks for the answer, Giuseppe.

Would it be this command:

crypto isakmp keepalive <threshold> <retry-interval> {[on-demand] | periodic}
Hall of Fame Expert

Re: VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Hello Filip,

It should be the correct command on the Cisco side.

Verify that SonicWall supports the feature and how to enable it.

If supported on both sides, I would use it with the periodic option so that the keepalive is sent all the time.

Because you have only 5 remote devices, there are no scalability issues.

 

see the following document on the forums about Dead Peer Detection

https://community.cisco.com/t5/security-documents/dead-peer-detection/ta-p/3111324?dtid=osscdc000283

 

(you may have found it by yourself :) )

 

Hope to help

Giuseppe

 

Re: VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

SonicWall has a Keep Alive option in the Advanced Settings of the Proposal section.

'Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.'

So I think that is the way to go on the SonicWall side.

On the Cisco side it looks like it is enabled globally for all VPN sessions. I'm not sure yet how to choose between the on-demand and periodic types, but I will check the documentation more thoroughly :).

Thanks for the tip.

 

VIP Mentor

Re: VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Hello,

I remember that with SonicWall to Cisco VPNs, keepalives must be enabled on only one side of the tunnel. So either on the SonicWall side (in the 'Advanced' tab there should be a checkbox for 'Enable Keep Alive') OR the Cisco side. If you enable it on the SonicWall, you don't need it on the Cisco.

I have attached a link to the SonicWall setup document; scroll down to almost the very bottom for the Advanced tab...

https://www.sonicwall.com/support/knowledge-base/site-to-site-vpn-between-a-sonicwall-firewall-and-a-cisco-ios-device/170503782801223/

Re: VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Thanks George,

I know about the option on the SonicWall side, but I was under the impression I needed a similar thing on the Cisco side. I'm not sure if the other end of the tunnel has keepalives enabled, so I will check.

Should there be any issues if I enable DPD on both ends, or are you just saying configuring one side is enough?

If I don't have to worry about whether it's turned on on the SonicWall side or not, I will try to configure crypto isakmp keepalive 10 periodic and see how it goes.
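As an added example that is not from this thread or from Cisco, here is a small Python model of how the threshold and retry-interval of `crypto isakmp keepalive` interact with the periodic and on-demand keywords, and how long a stale SA would otherwise linger after the remote peer reboots. The retransmit budget (MAX_RETRIES), the instant-reply peer and the sample timeline are assumptions, not values from the thread.

```python
# Added example (not from the thread): a minimal timing model of IKEv1 Dead
# Peer Detection on the hub, comparing the "periodic" and "on-demand" keywords
# of "crypto isakmp keepalive <threshold> <retry-interval>".
# Assumptions (not stated in the thread): the peer answers every R-U-THERE
# instantly while it is up, and the hub gives up after MAX_RETRIES unanswered
# retransmits. Time is modelled in one-second ticks.

MAX_RETRIES = 5  # assumed retransmit budget before the peer is declared dead


def dpd_detect_time(threshold, retry_interval, periodic, peer_down_at,
                    outbound_at, sa_lifetime=3600):
    """Return the second at which the hub declares the peer dead and tears the
    SA down, or sa_lifetime if DPD never fires and the stale SA simply ages
    out (the "black hole" described in RFC 6071 section 4.2.3).

    threshold      -- idle seconds (nothing received from the peer) before a probe
    retry_interval -- seconds between retransmits of an unanswered probe
    periodic       -- True for 'periodic', False for 'on-demand'
    peer_down_at   -- second at which the remote peer stops responding
    outbound_at    -- set of seconds at which the hub has traffic to send
    """
    last_rx = 0  # last second anything arrived from the peer
    t = 0
    while t < sa_lifetime:
        idle = (t - last_rx) >= threshold
        # periodic: probe whenever idle; on-demand: only when there is also
        # outbound traffic queued for the peer
        if idle and (periodic or t in outbound_at):
            if t < peer_down_at:
                last_rx = t  # R-U-THERE-ACK comes straight back
            else:
                # no ACK: retransmit every retry_interval, then give up
                return t + retry_interval * MAX_RETRIES
        t += 1
    return sa_lifetime  # stale SA lingered until its lifetime expired


if __name__ == "__main__":
    # Constructed scenario: the remote SonicWall goes dark at t=100 and the
    # hub only has something to send to it at t=300.
    print(dpd_detect_time(10, 2, True, 100, {300}))   # periodic   -> 110
    print(dpd_detect_time(10, 2, False, 100, {300}))  # on-demand  -> 310
    print(dpd_detect_time(10, 2, False, 100, set()))  # no traffic -> 3600
```

With periodic DPD the dead peer is noticed within one threshold plus the retransmits; with on-demand it is noticed only once the hub actually tries to send, and with no traffic the old SA is simply kept until its lifetime runs out.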
