Dropped packets over established VPNs on SonicWall NSA 240; renegotiating fixes the problem

Posted on 2009-04-26
Last Modified: 2012-05-06
I have two NSA 240 SonicWalls on version 5.x of the OS. These SonicWalls are configured for High Availability, are using stateful failover, and also have the Virtual MAC option on so they share the same MAC address. I have over 80 of these in our network, but this specific site is giving me problems.

The issue is that every 9 to 13 hours traffic stops flowing over the VPN connections. The VPNs are up (green ball) and there are no erroneous log messages at all to indicate a problem. Pings stop going through and so does other traffic. If I simply renegotiate the VPNs, traffic picks up again for another 9 to 13 hours. The failure is anywhere in that time frame.

I ran a packet capture and I can tell that the packets are definitely being dropped. I have attached the packet trace that I did, where I issued pings from the remote end to the destination where these 240s are and then reset the VPN connections in the middle of the trace. You'll see packets 1 through 12 are prior to the VPN renegotiation and packets 13+ are immediately after the renegotiation, when things start to go through again. The only thing that looks suspicious to me is the MAC addresses during the drop and the HP switch that is involved in the drop. I am wondering whether using virtual MACs could be causing this, or if anyone has seen this before. These devices are at a customer location and I do not control the HP switch. I only terminate into it on X0 (LAN side).

Strange that it's every 9 to 13 hours, randomly. I wondered if anyone had any suggestions or has seen this before.

Question by: svasilakos
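The trace the poster describes (echo requests with no replies until the tunnel is renegotiated, plus a question about which MAC addresses the frames carried) can be checked mechanically rather than by eye. The script below is an added example, not code from the original post or from SonicWall: it parses raw Ethernet/IPv4/ICMP frames, pairs echo requests with replies by ICMP identifier and sequence number, reports the window in which requests went unanswered, and lists the destination MAC addresses seen during the blackout versus after recovery. All hosts, IPs and MAC addresses in `sample_trace()` are constructed for the example and are not the addresses from the attached capture; checksums are left at zero because the parser does not validate them.

```python
import struct
from dataclasses import dataclass

# Header layouts for the three protocol layers we care about.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")    # IPv4 header without options
ICMP_HDR = struct.Struct("!BBHHH")         # type, code, checksum, ident, seq

ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


@dataclass
class Pkt:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    icmp_type: int
    ident: int
    seq: int


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_fmt(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_fmt(raw):
    return ".".join(str(b) for b in raw)


def build_echo(src_mac, dst_mac, src_ip, dst_ip, icmp_type, ident, seq):
    """Build a minimal Ethernet/IPv4/ICMP frame (constructed test data, zero checksums)."""
    icmp = ICMP_HDR.pack(icmp_type, 0, 0, ident, seq) + b"abcdefgh"
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4) + ip + icmp


def parse_frame(frame):
    """Return a Pkt for an ICMP echo frame, or None for anything else."""
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_IPV4:
        return None
    vihl, _, _, _, _, _, proto, _, sip, dip = IP_HDR.unpack_from(frame, ETH_HDR.size)
    if proto != IPPROTO_ICMP:
        return None
    ihl = (vihl & 0x0F) * 4                # honour IP options if present
    itype, _, _, ident, seq = ICMP_HDR.unpack_from(frame, ETH_HDR.size + ihl)
    if itype not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return Pkt(mac_fmt(src), mac_fmt(dst), ip_fmt(sip), ip_fmt(dip), itype, ident, seq)


def analyze(trace):
    """trace: list of (timestamp_seconds, raw_frame). Pairs echo requests with replies."""
    replies = {}
    requests = []
    for ts, frame in trace:
        p = parse_frame(frame)
        if p is None:
            continue
        if p.icmp_type == ICMP_ECHO_REQUEST:
            requests.append((ts, p))
        else:
            replies[(p.ident, p.seq)] = ts
    unanswered = [(ts, p) for ts, p in requests if (p.ident, p.seq) not in replies]
    answered = [(ts, p) for ts, p in requests if (p.ident, p.seq) in replies]
    return {
        "requests": len(requests),
        "unanswered": len(unanswered),
        # First and last timestamp at which a request went unanswered.
        "blackout": (unanswered[0][0], unanswered[-1][0]) if unanswered else None,
        # Gateway MACs the pinging host used while the tunnel was dead vs. alive.
        "dst_macs_unanswered": sorted({p.dst_mac for _, p in unanswered}),
        "dst_macs_answered": sorted({p.dst_mac for _, p in answered}),
    }


def sample_trace():
    """Constructed trace: 12 unanswered pings, then a renegotiation, then answered pings."""
    host, gw_mac = "00:11:22:33:44:55", "00:17:c5:aa:bb:01"   # hypothetical addresses
    src_ip, dst_ip = "192.168.2.10", "10.0.0.5"              # hypothetical addresses
    trace = []
    for seq in range(1, 13):                                 # packets 1-12: tunnel dead
        trace.append((float(seq - 1), build_echo(host, gw_mac, src_ip, dst_ip,
                                                 ICMP_ECHO_REQUEST, 0x1234, seq)))
    for seq in range(13, 18):                                # packets 13+: after renegotiation
        t = 20.0 + (seq - 13)
        trace.append((t, build_echo(host, gw_mac, src_ip, dst_ip,
                                    ICMP_ECHO_REQUEST, 0x1234, seq)))
        trace.append((t + 0.01, build_echo(gw_mac, host, dst_ip, src_ip,
                                           ICMP_ECHO_REPLY, 0x1234, seq)))
    return trace


if __name__ == "__main__":
    print(analyze(sample_trace()))
```

On a real capture you would feed `analyze()` the (timestamp, frame) pairs from a pcap reader instead of `sample_trace()`; if `dst_macs_unanswered` and `dst_macs_answered` differ, the host was ARP-resolving the gateway to a different MAC during the outage, which is the virtual MAC question the poster raises. If they are identical, the frames reached the same gateway MAC both times and the drop is on the far side of X0, which points towards the SA-expiry explanation in the accepted answer.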
    LVL 6

    Assisted Solution

    Do you have 'enable keep alive' enabled on this tunnel? I've had to use that setting when connecting my NSA 2400s to Cisco PIX/ASAs.

    I've not seen this, but I would check that first.

    This is an odd one. Is SonicWall tech support any assistance?

    I'd like to hear the end of this story; you've got my interest piqued.

    LVL 2

    Assisted Solution

    When doing site-to-site VPNs you have to use the "unique identifier" as the name of the tunnel. In other words, on the SonicWall you are sitting at, make the name of the tunnel the unique name of the SonicWall you are connecting to. Next you need to change the mode of the tunnel to aggressive, set the default gateway's IP to and do the same on the other end. In the box that says local IKE put your SonicWall unique name, and in the remote IKE put the remote SonicWall's unique name.
    LVL 67

    Assisted Solution

    A site-to-site tunnel is almost never in aggressive mode. Aggressive mode is useful only if you have no static IP addresses available, and in most cases it doesn't work with dynamic IPs on both sides.
    Is that a special "feature" of SonicWall?
    LVL 67

    Accepted Solution

    I don't know about SonicWall devices, but that symptom is normally a sign of missing renegotiation of expired SAs, because the SA lifetime option is not honoured. That sounds strange if both sides are using a SonicWall, but you could try it out by setting a shorter lifetime on both sides (some minutes, e.g.). This should lead to the packet drop occurring much earlier.
