VPN Cisco to Sonicwall - tunnel stops working after a Sonicwall reboot

Filip Knezevic
Level 1

Hello,

 

I did a migration from SonicWall to a Cisco router. There are 5 or 6 site-to-site VPN tunnels. Before, everything was SonicWall, but now we have a Cisco as a hub.

What happens is that after one of the remote-end SonicWalls gets rebooted or experiences an outage, the VPN tunnel does not come back up. So we need to manually turn the tunnel off/on and then it starts working.

Any suggestions to fix this?

 


6 Replies

Giuseppe Larosa
Hall of Fame

Hello Filip,

I would look for the IPsec Dead Peer Detection feature; it should be standards-based.

see

https://tools.ietf.org/html/rfc6071

 

section 4.2.3

When two peers communicate using IKE and IPsec, it is possible for
   the connectivity between the two peers to drop unexpectedly.  But the
   SAs can still remain until their lifetimes expire, resulting in the
   packets getting tunneled into a "black hole".  [RFC3706] describes an
   approach to detect peer liveliness without needing to send messages
   at regular intervals.  This RFC defines an optional extension to
   IKEv1; dead peer detection (DPD) is an integral part of IKEv2, which
   refers to this feature as a "liveness check" or "liveness test".

 

Hope to help

Giuseppe

 

Thanks for the answer, Giuseppe.

 

Would it be this command:

crypto isakmp keepalive <threshold> <retry-interval> {[on-demand] | periodic}

Hello Filip,

it should be the correct command on the Cisco side.

Verify that SonicWall supports the feature and how to enable it.

If supported on both sides I would use it with the periodic option to have this keepalive sent all the time.

Because you have only 5 remote devices there are no scalability issues.

 

see the following document on the forums about Dead Peer Detection

https://community.cisco.com/t5/security-documents/dead-peer-detection/ta-p/3111324?dtid=osscdc000283

 

(you may have found it by yourself  :) )

 

Hope to help

Giuseppe
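
To show why the periodic option matters for a hub that is mostly quiet towards a rebooted spoke, here is a toy model of the RFC 3706 liveness exchange (an added illustration, not Cisco or SonicWall code). The retry budget of 5 unanswered probes is an assumed value, not something stated in this thread.

```python
"""Toy model of IKE Dead Peer Detection timing (RFC 3706): how long until
the hub declares a rebooted spoke dead in 'periodic' vs 'on-demand' mode.
Constructed illustration, not vendor code."""


def time_to_detect(threshold, retry_interval, periodic, peer_dies_at,
                   outbound, inbound_interval=1, horizon=600, max_retries=5):
    """Simulate second by second; return the second at which the local side
    gives up on the peer (None if never within the horizon).

    threshold        -- idle seconds before a probe (R-U-THERE) is sent
    retry_interval   -- seconds between retries of an unanswered probe
    periodic         -- True: probe whenever idle; False (on-demand): probe
                        only when we also have outbound traffic for the peer
    peer_dies_at     -- second from which the peer answers nothing
    outbound         -- seconds at which our side has data to send
    inbound_interval -- while alive, the peer sends us traffic this often
    max_retries      -- assumed retry budget (not taken from the thread)
    """
    last_rx = 0          # last second we had proof of life from the peer
    next_retry = None    # None = no probe outstanding
    retries = 0
    for t in range(horizon):
        alive = t < peer_dies_at
        if alive and t % inbound_interval == 0:
            last_rx, next_retry, retries = t, None, 0  # traffic = liveness
            continue
        if next_retry is not None:               # a probe is unanswered
            if t >= next_retry:
                if retries == max_retries:
                    return t                     # give up: peer is dead
                retries += 1                     # resend R-U-THERE
                next_retry = t + retry_interval
            continue
        if t - last_rx >= threshold and (periodic or t in outbound):
            if alive:
                last_rx = t                      # R-U-THERE-ACK comes back
            else:
                next_retry, retries = t + retry_interval, 0
    return None


def compare_modes(threshold=10, retry_interval=3, peer_dies_at=30,
                  outbound=frozenset({5, 200})):
    """Spoke reboots at t=30s; the hub only has traffic for it at t=5 and t=200."""
    return {mode: time_to_detect(threshold, retry_interval, flag,
                                 peer_dies_at, outbound)
            for mode, flag in (("periodic", True), ("on-demand", False))}


if __name__ == "__main__":
    for mode, t in compare_modes().items():
        print(f"{mode:10s}: peer declared dead at t={t}s")
```

With these constructed timings periodic mode tears down the stale SA about 30 seconds after the spoke goes silent, while on-demand mode only notices when the hub next has traffic to send, which is exactly the "black hole" window the RFC text above describes.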

 

Sonicwall has Keep Alive option in Advanced Settings of Proposal section.

'Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.'

So I think that is the way to go on Sonic side.

On the Cisco side it looks like it's being enabled globally for all VPN sessions. I'm not sure yet how to choose between the on-demand and periodic types, but I will check the documentation more thoroughly :).

Thanks for the tip.

 

Hello,

 

I remember that with SonicWall to Cisco VPNs, keepalives must be enabled on only one side of the tunnel. So either on the SonicWall side (in the 'Advanced' tab there should be a checkbox for 'Enable Keep Alive') OR the Cisco side. If you enable it on the SonicWall, you don't need it on the Cisco.

 

I have attached a link to the SonicWall setup document, scroll down to almost the very bottom for the Advanced tab...

 

https://www.sonicwall.com/support/knowledge-base/site-to-site-vpn-between-a-sonicwall-firewall-and-a-cisco-ios-device/170503782801223/

Thanks George,

 

I know about the option on the SonicWall side, but I was under the impression I needed a similar thing on the Cisco side. I'm not sure if the other end of the tunnel has keepalives enabled, so I will check.

Should there be any issues if I enable DPD on both ends, or are you just saying that configuring one side is enough?

If I don't have to worry if it's turned on on the Sonic side or not, I will try to configure crypto isakmp keepalive 10 periodic and see how it goes.
