Some Sonicwall VPNs time out on Stage1 negotiation

We have 6 locations with store to store VPN.
2 of them have Sonicwall SOHO3 routers
2 - Sonicwall TZ170
1 - TZ180
1 - Cisco RV042

Last week, our Cisco router lost VPN to TZ180. It reestablished it only once ever since, for about 2 minutes.
Today, one of TZ170 has lost connection to the same TZ180 as well.

VPN configs have been the same for years and worked flawlessly.
Here is the message from TZ180 log:
----------------------------
360 08/26/2010 14:11:29.800 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
361 08/26/2010 14:11:29.800 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
362 08/26/2010 14:11:12.783 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
363 08/26/2010 14:11:12.783 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
364 08/26/2010 14:11:12.716 IKE Initiator: No response - remote party timeout 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
365 08/26/2010 14:11:03.800 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
366 08/26/2010 14:11:03.800 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    

368 08/26/2010 14:11:00.716 IKE Initiator: No response - remote party timeout 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
369 08/26/2010 14:10:56.833 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
370 08/26/2010 14:10:56.833 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net  
372 08/26/2010 14:10:52.833 SENDING>>>> ISAKMP OAK MM (InitCookie 0xb25cd2594ed9f2f0, MsgID: 0x0) (SA, VID, VID) 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
373 08/26/2010 14:10:52.833 IKE Initiator: Start Main Mode negotiation (Phase 1) 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
374 08/26/2010 14:10:52.716 IKE negotiation aborted due to timeout 192.168.400.1, 192.168.400.1.dimcom.net 192.168.200.1, mail.domain.com    

----------------------------------

192.168.200.1 is TZ170
192.168.400.1 is TZ180

All VPN tunnel settings are identical.
I can successfully ping WAN ports on both remote routers. Therefore, they see each other without any issues.
I have disabled Dead peer option to eliminate any chances here.

Thank you
learn_itAsked:
Who is Participating?
 
learn_itConnect With a Mentor Author Commented:
issue resolved.
Keep alive had to be enabled on ONE END ONLY. I had it selected on both ends. Sonicwall tech support assured that it was the reason why devices were timing out all the time.
0
 
learn_itAuthor Commented:
forgot to add...
At the same time, 2 VPN tunnels from TZ180 to SOHO3's are working just fine...
And again, settings for those tunnels are identical.
0
 
jimmyray7Commented:
Does power cycling the TZ180 help?   If that's not feasible, try unchecking the "Enable VPN" checkbox at the top of the VPN tab, click apply, check it again, and click apply.  This will reset all VPN connections.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
learn_itAuthor Commented:
actually, power cycling has become a reason for losing VPN to TZ170.

I have spent 12 hours today trying any possible VPN setup - no luck. Just checked 6-7 hours later, VPN to TZ170 started working...by itself. All i did before I left was changing Preshared key. That didn't help right away, but may have caused eventual fix.

VPN to cisco is still timing out. i have just disabled that particular VPN tunnel and reenabled it. We'll see what happens.

0
 
learn_itAuthor Commented:
case may be closed now.
thanks for your input, jimmyray7.
0
 
learn_itAuthor Commented:
Tech support resolved the issue
0
 
dpedersen13Commented:
Simple and Elegant.  Thanks for posting the solution, thought I was going crazy.  I'd award points if I could
0
 
learn_itAuthor Commented:
Glad that it helped :) I have just upgraded all Sonicwalls with newer models. Had the same issue until I unchecked the box on on end.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.