Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[rgcowie4D]

I'm setting up a site-to-site VPN to a Sonicwall Pro 2040.  The Sonicwall has existing VPNs to several other remote firewalls, so I know it works ok.  With the DIR-330, the tunnel will negotiate successfully and I can send traffic through, but within a span of several seconds to a few minutes, the DIR-330 always issues a delete request to the Sonicwall, which tears down the tunnel. 

If keep-alive is enabled on either side, they will immediately negotiate again.  This cycle is repeated indefinitely.  If keep-alive is not enabled, they will negotiate at the next traffic event.  I tried turning dead peer detection on & off on both sides, it seems to make no difference to the problem.

Here is what appears in the Sonicwall log:

08:37  IKE Negotiation Complete, Adding IPsec SA (Phase 2)
 (tunnel is now up and works properly)
08:39  Received IPsec SA Delete Request
08:39  Received IKE SA Delete Request
 (tunnel is now down)
08:39  IKE Responder Received main Mode Request (Phase 1)
 (negotiation takes place again and is successful)

Here is the same sequence from the DIR-330 log:

08:37  IPSec "test" #1: ISAKMP SA established
08:37  IPSec "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL
08:37  IPSec "test" #2: Dead Peer Detection (RFC3706) enabled
  (tunnel is now up and works properly)
08:39  IPSec "test" #1: deleting state (STATE_MAIN_I4)
  (tunnel is now down)
08:39  IPSec "test" #1: initiating Main Mode
 (negotiation takes place again and is successful)

In the DIR-330 log, I believe (but am not sure) that #1 refers to Phase 1 and #2 refers to Phase 2.  Is that correct?  Or do they refer to separate attempts?  It also appears that some log entries may be out of order on the DIR-330 (log order is not chronological order).

So far I have made sure that all negotiation parameters match exactly on both sides (I used the defaults on the DIR-330 to help it along) and that the clocks on both firewalls are synced to the same time server.

Would anyone know what is causing the DIR-330 to issue the delete requests and tear down the tunnel?  It does this even when traffic is present and on-going.  It just won't allow the tunnel to stay up.

Any help would be much appreciated.  Thanks!

[Fatman]

Well there has to be some mismatch somewhere, I would want to take a look at the devices to have any real clues.  Perhaps calling in and speaking to one of our business class techs is in order?

[rgcowie4D]

I don't believe there is a mismatch, as the tunnels do negotiate successfully.  The negotiation should fail if they don't agree.  I was very careful, I triple checked the settings and had someone else review it too, just to be sure.  I think there is a timeout issue somewhere on the DIR-330 side.  Next time I visit the remote site, I will try to call-in for telephone support.

[Fatman]

A Phase 1 or Phase 2 lifetime mismatch could cause such issues.  As could conflicting DPD/Keep-Alive settings.  I would be interested to know the results of your calling in if you do.

[Deon]

I am having the exact same problem.

I have a DIR-330 connecting to a Sonicwall TZ 180 running Sonicwall Enhanced OS. According to the VPN consortium these two products are certified to work together.

However when I set it up today, it connected but the SA keeps getting deleted by the DIR 330 no more than 30 secs after the VPN is negotiated.

I cannot work out what is going wrong here. Settings appear to be exactly the same.