Solved

Some Sonicwall VPNs time out on Stage1 negotiation

Posted on 2010-08-26
Last Modified: 2012-06-21
We have 6 locations with store to store VPN.
2 of them have Sonicwall SOHO3 routers
2 - Sonicwall TZ170
1 - TZ180
1 - Cisco RV042

Last week, our Cisco router lost VPN to TZ180. It has reestablished it only once since then, for about 2 minutes.
Today, one of TZ170 has lost connection to the same TZ180 as well.

VPN configs have been the same for years and worked flawlessly.
Here is the message from TZ180 log:
----------------------------
360 08/26/2010 14:11:29.800 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
361 08/26/2010 14:11:29.800 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
362 08/26/2010 14:11:12.783 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
363 08/26/2010 14:11:12.783 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
364 08/26/2010 14:11:12.716 IKE Initiator: No response - remote party timeout 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
365 08/26/2010 14:11:03.800 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
366 08/26/2010 14:11:03.800 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    

368 08/26/2010 14:11:00.716 IKE Initiator: No response - remote party timeout 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
369 08/26/2010 14:10:56.833 IKE Responder: Received Main Mode request (Phase 1) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net    
370 08/26/2010 14:10:56.833 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net  
372 08/26/2010 14:10:52.833 SENDING>>>> ISAKMP OAK MM (InitCookie 0xb25cd2594ed9f2f0, MsgID: 0x0) (SA, VID, VID) 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
373 08/26/2010 14:10:52.833 IKE Initiator: Start Main Mode negotiation (Phase 1) 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com    
374 08/26/2010 14:10:52.716 IKE negotiation aborted due to timeout 192.168.400.1, 192.168.400.1.dimcom.net 192.168.200.1, mail.domain.com    

----------------------------------

192.168.200.1 is TZ170
192.168.400.1 is TZ180

All VPN tunnel settings are identical.
I can successfully ping WAN ports on both remote routers. Therefore, they see each other without any issues.
I have disabled Dead peer option to eliminate any chances here.

Thank you
Question by:learn_it
8 Comments
 

Author Comment

by:learn_it
ID: 33536449
Forgot to add...
At the same time, 2 VPN tunnels from TZ180 to SOHO3's are working just fine...
And again, settings for those tunnels are identical.

Expert Comment

by:jimmyray7
ID: 33536533
Does power cycling the TZ180 help?   If that's not feasible, try unchecking the "Enable VPN" checkbox at the top of the VPN tab, click apply, check it again, and click apply.  This will reset all VPN connections.
 

Author Comment

by:learn_it
ID: 33539126
Actually, power cycling has become a reason for losing VPN to TZ170.

I have spent 12 hours today trying any possible VPN setup - no luck. Just checked 6-7 hours later, VPN to TZ170 started working...by itself. All I did before I left was changing the preshared key. That didn't help right away, but may have caused the eventual fix.

VPN to Cisco is still timing out. I have just disabled that particular VPN tunnel and reenabled it. We'll see what happens.


Accepted Solution

by:learn_it
ID: 33619410
Issue resolved.
Keep alive had to be enabled on ONE END ONLY. I had it selected on both ends. Sonicwall tech support assured that it was the reason why devices were timing out all the time.
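
The pattern in the TZ180 log from the question, checked mechanically (an added example, not part of the original thread and not Sonicwall tooling): it counts repeated Main Mode first messages per initiator cookie and flags a peer when both gateways are opening their own Phase 1 exchange toward each other while neither completes, which is consistent with the keep alive explanation in the accepted solution. The function name `analyze` and the regexes are assumptions fitted to the log lines shown in the question.

```python
import re
from collections import Counter

# Subset of the TZ180 log lines from the question (addresses as the poster anonymized them).
LOG = """\
361 08/26/2010 14:11:29.800 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net
363 08/26/2010 14:11:12.783 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net
364 08/26/2010 14:11:12.716 IKE Initiator: No response - remote party timeout 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com
366 08/26/2010 14:11:03.800 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net
368 08/26/2010 14:11:00.716 IKE Initiator: No response - remote party timeout 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com
370 08/26/2010 14:10:56.833 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x39dd1d678bec2eed, MsgID: 0x0) (SA, VID) 192.168.200.1, 500, mail.domain.com 192.168.400.1, 500, 192.168.400.1.dimcom.net
372 08/26/2010 14:10:52.833 SENDING>>>> ISAKMP OAK MM (InitCookie 0xb25cd2594ed9f2f0, MsgID: 0x0) (SA, VID, VID) 192.168.400.1, 500, 192.168.400.1.dimcom.net 192.168.200.1, 500, mail.domain.com
"""

MM = re.compile(r"(?:RECEIVED<<<|SENDING>>>>) ISAKMP OAK MM \(InitCookie (0x[0-9a-f]+), "
                r"MsgID: 0x0\) \(([^)]*)\) (\S+), 500, \S+ (\S+), 500")
TIMEOUT = re.compile(r"IKE Initiator: No response - remote party timeout (\S+), 500, \S+ (\S+),")

def analyze(log, local_ip):
    """Summarize stalled Phase 1 exchanges between local_ip and each peer."""
    first_msgs = Counter()   # (direction, peer, initiator cookie) -> times seen
    timeouts = Counter()     # peer -> initiator timeouts logged by the local device
    for line in log.splitlines():
        m = MM.search(line)
        if m and m.group(2).startswith("SA"):   # SA payload: opening Main Mode messages
            cookie, _, src, dst = m.groups()
            way = "in" if dst == local_ip else "out"
            first_msgs[way, src if way == "in" else dst, cookie] += 1
        t = TIMEOUT.search(line)
        if t and t.group(1) == local_ip:
            timeouts[t.group(2)] += 1
    report = {}
    for peer in sorted({key[1] for key in first_msgs}):
        sent = {c for (d, p, c) in first_msgs if d == "out" and p == peer}
        # Inbound exchanges whose cookie we never sent were started by the peer.
        theirs = {c: n for (d, p, c), n in first_msgs.items()
                  if d == "in" and p == peer and c not in sent}
        report[peer] = {
            "peer_retransmits": sum(n - 1 for n in theirs.values()),
            "local_timeouts": timeouts[peer],
            "both_initiating": bool(sent) and bool(theirs),
        }
    return report
```

Calling `analyze(LOG, "192.168.400.1")` reports the TZ170 at 192.168.200.1 resending the same first message while the TZ180 times out on its own exchange.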

Author Comment

by:learn_it
ID: 33619415
Case may be closed now.
Thanks for your input, jimmyray7.
 

Author Closing Comment

by:learn_it
ID: 34126678
Tech support resolved the issue

Expert Comment

by:dpedersen13
ID: 34853745
Simple and elegant. Thanks for posting the solution, thought I was going crazy. I'd award points if I could.
 

Author Comment

by:learn_it
ID: 34856714
Glad that it helped :) I have just upgraded all Sonicwalls with newer models. Had the same issue until I unchecked the box on one end.