08-15-2019 10:14 PM - edited 08-15-2019 10:38 PM
Hello,
I did a migration from Sonicwall to a Cisco router. There are 5-6 site-to-site VPN tunnels. Before, everything was Sonicwall, but now we have a Cisco as a hub.
What happens is that after one of the remote end Sonicwalls gets rebooted or experiences an outage, the VPN tunnel is not coming back up. So we need to manually turn the tunnel off/on and then it starts working.
Any suggestions to fix this?
08-16-2019 12:00 AM
Hello Filip,
I would look for the IPsec Dead Peer Detection feature; it should be standards based.
See
https://tools.ietf.org/html/rfc6071
section 4.2.3:
When two peers communicate using IKE and IPsec, it is possible for the connectivity between the two peers to drop unexpectedly. But the SAs can still remain until their lifetimes expire, resulting in the packets getting tunneled into a "black hole". [RFC3706] describes an approach to detect peer liveliness without needing to send messages at regular intervals. This RFC defines an optional extension to IKEv1; dead peer detection (DPD) is an integral part of IKEv2, which refers to this feature as a "liveness check" or "liveness test".
Hope to help
Giuseppe
08-16-2019 12:44 AM
Hello,
I remember that with SonicWall to Cisco VPNs, keepalives must be enabled on only one side of the tunnel. So either on the SonicWall side (in the 'Advanced' tab there should be a checkbox for 'Enable Keep Alive') OR the Cisco side. If you enable it on the SonicWall, you don't need it on the Cisco.
I have attached a link to the SonicWall setup document, scroll down to almost the very bottom for the Advanced tab...
08-16-2019 12:08 AM - edited 08-16-2019 12:11 AM
Thanks for the answer, Giuseppe.
Would it be this command:
crypto isakmp keepalive <threshold> <retry-interval> {[on-demand] | periodic}
08-16-2019 12:38 AM - edited 08-16-2019 12:39 AM
Hello Filip,
It should be the correct command on the Cisco side.
Verify that the Sonicwall supports the feature and how to enable it.
If it is supported on both sides, I would use it with the periodic option so that the keepalive is sent all the time.
Because you have only 5 remote devices, there are no scalability issues.
See the following document on the forums about Dead Peer Detection:
https://community.cisco.com/t5/security-documents/dead-peer-detection/ta-p/3111324?dtid=osscdc000283
(you may have found it by yourself :) )
Hope to help
Giuseppe
08-16-2019 12:57 AM
Sonicwall has a Keep Alive option in the Advanced Settings of the Proposal section.
'Select Enable Keep Alive to use heartbeat messages between peers on this VPN tunnel.'
So I think that is the way to go on Sonic side.
On the Cisco side it looks like it's being enabled globally for all VPN sessions. I'm not sure yet how to choose between the on-demand and periodic type, but I will check the documentation more thoroughly :).
Thanks for the tip.
08-16-2019 01:02 AM - edited 08-16-2019 01:05 AM
Thanks George,
I know about the option on the Sonicwall side, but I was under the impression I needed a similar thing on the Cisco side. I'm not sure if the other end of the tunnel has keepalives enabled, so I will check.
Should there be any issues if I enable DPD on both ends, or are you just saying that configuring one side is enough?
If I don't have to worry if it's turned on on the Sonic side or not, I will try to configure crypto isakmp keepalive 10 periodic and see how it goes.
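As an added, illustrative example (not configuration from this thread, nor from Cisco or SonicWall documentation), this is what the hub-side IOS IKEv1 crypto-map configuration looks like with DPD in the form discussed above, together with the show commands used to confirm that a stale IKE SA is actually torn down after a remote peer reboots. Peer addresses, pre-shared keys, policy values and ACL names are placeholders. The comment on the keepalive line spells out the difference Filip asked about: with `periodic`, the router sends its DPD probe at the threshold interval regardless of traffic; with `on-demand`, it sends one only when it has traffic to forward to the peer and has heard nothing from that peer within the threshold.

```cisco
! Hub router, IOS IKEv1 with crypto map. All addresses, keys, policy values
! and ACL names below are placeholders, not values from the thread.
!
! Phase 1 policy (assumed values; must match what the SonicWall proposes)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! One pre-shared key per remote SonicWall peer (placeholder keys/addresses)
crypto isakmp key PLACEHOLDER-PSK-SITE1 address 203.0.113.11
crypto isakmp key PLACEHOLDER-PSK-SITE2 address 203.0.113.12
!
! Dead Peer Detection, applied globally to every ISAKMP peer on this router:
!   10       = seconds without traffic from a peer before a DPD probe is sent
!   3        = seconds between retries while no reply comes back
!   periodic = probe at that interval even when there is no traffic to send;
!              on-demand would probe only when the router has traffic for the
!              peer and has heard nothing from it for 10 seconds
crypto isakmp keepalive 10 3 periodic
!
! Phase 2 (assumed values)
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic for one spoke (placeholder subnets)
ip access-list extended VPN-SITE1-ACL
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.11
 set transform-set TS-AES256-SHA256
 match address VPN-SITE1-ACL
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! Verification after a remote SonicWall reboots:
!   show crypto isakmp sa
!     the old IKE SA for 203.0.113.11 should disappear once DPD fails,
!     rather than sitting in QM_IDLE until its lifetime expires
!   show crypto ipsec sa peer 203.0.113.11
!     fresh inbound/outbound SPIs once the tunnel renegotiates
!   debug crypto isakmp
!     shows the DPD probes and retries (use only while troubleshooting)
```

The symptom in the original post, a tunnel that stays down until someone bounces it, is exactly the "black hole" case the RFC excerpt describes: the hub still holds an SA for the peer that rebooted, so it keeps encrypting into a tunnel the other side no longer knows about. With DPD the hub notices the missing replies, deletes the stale SA, and the next interesting packet triggers a fresh negotiation.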