SonicWall / ASA VPN Disconnects

fultont · ‎02-04-2009

Let me first say, I'm new here so please be patient.

We have a several SonicWall TZ 190 establishing VPN tunnels with a ASA5520. Pericodically random VPN tunnels will drop and can not re-establish a connection. In order to re-establish the dropped VPN tunnel, our firewall folks manually drop all VPN tunnels connected to the ASA (they use to physically power cycle the ASA). They claim this is the only way to resolve the problem and since the SonicWall Life Time seconds for Phase 1 and 2 are set to 28800, they reset the tunnels every 8 hours. Additionally, they claim that SonicWall IPSEC is different that Cisco IPSEC which is the main problem. Hence they are requesting a SONICWAll VPN concentrator... I think that is BS and want to get to the root cause of the problem.

Any suggestions on where to start and possible resolutions?

Ivan Martinon · ‎02-04-2009

Hey, I would start by checking that your ASA has exactly the same lifetimes that your SonicWall has, by default ASA handles 28800 for Phase2 and 86400 for Phase1, also I would go ahead and disable keepalives on the tunnel-group to this SonicWall since it is proven that Cisco keepalives are not compatible with 3rd party keepalives. If this does not work then you would need to go ahead and debug the particular vpn tunnel when it goes down and when it is trying to come up. Debug crypto isa 50 and debug crypto ipsec 50 will give you enough information to see what is going on.

cisco24x7 · ‎02-04-2009

I used to have 4 LAN-2-LAN VPN tunnels

between a Pix515 and SonicWall Firewalls.

both Phase 1 and Phase 2 timeout settings

are identical between the Pix and

SonicWall devices. Everything was

working great with Pix code version

6.3(5).

Ever since I upgraded the Pix to version

8.0(4), I ran into the exact issue you

desscribed. Since these are just my test

tunnels, I did not spend much time

troubleshooting it. Disable keepalive

did not help either.

Look like 7.x and 8.x is still buggy.

Unfortunately, you can not run version

6.3(5) on ASA

ahack · ‎03-05-2009

I have been running Sonicwall to ASA 5510 l2l VPN without issue for a year plus. I did not have a problem until I upgraded to ASA 7.24.

I rolled back to 7.22 and don't seem to have issue.

What version ASA software are you running?

Mokeev.tel · ‎05-24-2013

Hi, I have some trouble. But my pear is like black box. I just know, that it is Sonicwall device.

I have instruction, if VPN becomes down, run "clear ipsec sa peer IP.IP.IP.IP". Sometumes it is up month, sometimes it become down 2-3 times at week.

How to understand, what happens?

And, is there any to make VPN up without an operator?

At my side I have

ASA-5520> sh ver

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

ASA-5520 up 1 year 75 days

failover cluster up 1 year 75 days

Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Internal ATA Compact Flash, 256MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

plotniku7 · ‎02-03-2014

Hi,

i have same issue between a customer SonicWall 6500 and our Cisco ASA5510 with 8.4.7

so, sometime all the SA are down. i just was clearing the ikev1 and monitoring if SA got UP. unfortnatelly only part of SA got up but the orther not. after another clear of ikev1 other SA goes up and the working one are going down.

what solved for me was disabling keepalive on Sonic Wall and nat-disable on Cisco asa. thank you Ivan for your suggestion

hope it will work for others

IndianKid · ‎01-21-2019

please run this command,

isakmp keepalive threshold 10 retry 2