asked on
SonicWall Site to site keep alive??
Having a weird issue with a SonicWall TZ170. I know! It should be replaced, but.....
Anyway,, we have several of the small TZ series that we use for offsite clinics to connect back to our Hospital network. This particular 170 just came back from a clinic that we physically moved and assigned to another subnet so that we could test the networking prior to moving hardware and people. It didn't have any of these problems in it's original location.
I updated the firmware SonicOS Standard 3.1.6.6-9s on this when I got it back and booted to default settings, so the configuration is fresh and doesn't have any leftover configurations to cause problems.
After the firmware update, I built a new site to site tunnel with the appropriate vlans to our NSA E5500 HA main firewall utilizing a new subnet for the TZ170 Lan network. It assosciated and everything was working fine. Tested internet, corporate email, file shares, etc. and no problems. I have keep alive and bring up all possible tunnels checked on the TZ 170. I was using my laptop for this testing.
Once the laptop is allowed to go to power saving mode, the tunnel is disconnected within a few minutes and I loose the ability to manage the firewall from our central location. If I do a persistant ping from my desktop at the hospital, I am able to keep the connection alive, but that shouldn't be necessary. The location this is to be deployed will be an Ambulance station in another city, so often there is no one there using a connection if management of the firewall is necessary.
This is the first time I've seen this behavior from these firewalls. I don't see the tunnels dropped on our 5500 and when I power back up the laptop, I see all 4 tunnels still established. Seems like it must be a setting on the TZ 170 somewhere? Disabling the dead peer detection doesn't seem to have any effect on this.
Anyway,, we have several of the small TZ series that we use for offsite clinics to connect back to our Hospital network. This particular 170 just came back from a clinic that we physically moved and assigned to another subnet so that we could test the networking prior to moving hardware and people. It didn't have any of these problems in it's original location.
I updated the firmware SonicOS Standard 3.1.6.6-9s on this when I got it back and booted to default settings, so the configuration is fresh and doesn't have any leftover configurations to cause problems.
After the firmware update, I built a new site to site tunnel with the appropriate vlans to our NSA E5500 HA main firewall utilizing a new subnet for the TZ170 Lan network. It assosciated and everything was working fine. Tested internet, corporate email, file shares, etc. and no problems. I have keep alive and bring up all possible tunnels checked on the TZ 170. I was using my laptop for this testing.
Once the laptop is allowed to go to power saving mode, the tunnel is disconnected within a few minutes and I loose the ability to manage the firewall from our central location. If I do a persistant ping from my desktop at the hospital, I am able to keep the connection alive, but that shouldn't be necessary. The location this is to be deployed will be an Ambulance station in another city, so often there is no one there using a connection if management of the firewall is necessary.
This is the first time I've seen this behavior from these firewalls. I don't see the tunnels dropped on our 5500 and when I power back up the laptop, I see all 4 tunnels still established. Seems like it must be a setting on the TZ 170 somewhere? Disabling the dead peer detection doesn't seem to have any effect on this.
Hardware FirewallsVPN
Last Comment
Sujada
ASKER
Miftaul,
The group VPN is not active![VPN Screenshot]()
Under Edit>Advanced there is no keep alive on the group VPN. Keep alive and bring up all possible tunnels are both checked on the active VPN.
The group VPN is not active
Under Edit>Advanced there is no keep alive on the group VPN. Keep alive and bring up all possible tunnels are both checked on the active VPN.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks to both Miftaul and convergint for their suggestions. I took the firewall access rules a step farther and created a rule to allow http managment with a timeout value of 600 minutes from my local site Lan and then from the public IP of my local firewall. Neither allowed me to access the management interface of the remote firewall from my local Lan UNLESS there was an active device behind the remote firewall, in this case for testing, my laptop turned on.
What I suspect is that there must be some type of interesting traffic over the VPN or the remote firewall does not respond to management requests althouigh I can't find this documented anywhere. Even a network printer will generate enough traffic to keep this active and that will be the case once it is deployed.
What I suspect is that there must be some type of interesting traffic over the VPN or the remote firewall does not respond to management requests althouigh I can't find this documented anywhere. Even a network printer will generate enough traffic to keep this active and that will be the case once it is deployed.
This should work.