Solved

SonicWall Site to site keep alive??

Posted on 2013-12-30
5
4,270 Views
Last Modified: 2013-12-31
Having a weird issue with a SonicWall TZ170. I know! It should be replaced, but.....

Anyway, we have several of the small TZ series that we use for offsite clinics to connect back to our Hospital network. This particular 170 just came back from a clinic that we physically moved and assigned to another subnet so that we could test the networking prior to moving hardware and people. It didn't have any of these problems in its original location.

I updated the firmware to SonicOS Standard 3.1.6.6-9s on this when I got it back and booted to default settings, so the configuration is fresh and doesn't have any leftover configurations to cause problems.
After the firmware update, I built a new site-to-site tunnel with the appropriate VLANs to our NSA E5500 HA main firewall utilizing a new subnet for the TZ170 LAN network. It associated and everything was working fine. Tested internet, corporate email, file shares, etc. and no problems. I have keep alive and bring up all possible tunnels checked on the TZ 170. I was using my laptop for this testing.

Once the laptop is allowed to go to power saving mode, the tunnel is disconnected within a few minutes and I lose the ability to manage the firewall from our central location. If I do a persistent ping from my desktop at the hospital, I am able to keep the connection alive, but that shouldn't be necessary. The location where this is to be deployed will be an ambulance station in another city, so often there is no one there using a connection if management of the firewall is necessary.

This is the first time I've seen this behavior from these firewalls. I don't see the tunnels dropped on our 5500 and when I power back up the laptop, I see all 4 tunnels still established. Seems like it must be a setting on the TZ 170 somewhere? Disabling the dead peer detection doesn't seem to have any effect on this.
Question by: Sujada

5 Comments
 
LVL 11

Expert Comment

by: Miftaul
ID: 39746984
Please edit the WAN GroupVPN and on the advanced tab, ensure that "Enable Keep Alive" is checked.

This should work.
 

Author Comment

by: Sujada
ID: 39747035
Miftaul,
The group VPN is not active. [VPN screenshot]
Under Edit>Advanced there is no keep alive on the group VPN. Keep alive and bring up all possible tunnels are both checked on the active VPN.
 
LVL 10

Accepted Solution

by: convergint (earned 250 total points)
ID: 39747407
Is the new version of firmware you are running the same as the other TZ170s?

The GroupVPN is only used if you are using a VPN client, it has nothing to do with the site to site settings.

Try these things:
1. One thing you could try is only enabling the keep alive on the TZ170 and turning it off on the E5500.
2. If the remote site is a cable ISP, you could try adjusting the ‘WAN MTU’ from ‘1500’ to ‘1404’.
3. Go to the ‘Firewall > Access Rules’ page. For both of the ‘Key Exchange (IKE)’ rules, click on the ‘Configure’ icon to the right and click on the ‘Advanced’ tab. From there, adjust the ‘TCP Connection Inactivity Timeout (minutes)’ field from the default of ‘5’ to ‘60’. When done, click on the ‘OK’ button to save and activate the changes.
4. Under VPN Advanced, do you have the IKE Dead Peer Detection turned on or off? If they are on, try turning it off on the TZ 170. Also on the E5500, you shouldn't really have the "Enable Dead Peer Detection for idle vpn sessions" enabled.
 
LVL 11

Assisted Solution

by: Miftaul (earned 250 total points)
ID: 39747510
I mean to say the "Enable Keep Alive" on VPN - Advanced Tab.
[Site to Site VPN, Advanced Tab screenshot] If this doesn't work, please increase the "TCP Connection inactivity timeout". By default it is set to 5 minutes, which is too low for some applications. To do this, go to Firewall -> Access Rules -> Click Matrix view. Select LAN to VPN.
[Firewall - Access Rules, TCP Connection Inactivity Timeout screenshot] We need to change this setting twice, once from LAN to VPN and another time from VPN to LAN. Do the same for VPN - LAN.
 

Author Comment

by: Sujada
ID: 39748798
Thanks to both Miftaul and convergint for their suggestions. I took the firewall access rules a step further and created a rule to allow HTTP management with a timeout value of 600 minutes from my local site LAN and then from the public IP of my local firewall. Neither allowed me to access the management interface of the remote firewall from my local LAN UNLESS there was an active device behind the remote firewall, in this case for testing, my laptop turned on.

What I suspect is that there must be some type of interesting traffic over the VPN or the remote firewall does not respond to management requests, although I can't find this documented anywhere. Even a network printer will generate enough traffic to keep this active and that will be the case once it is deployed.