SonicWall Site to site keep alive??

Having a weird issue with a SonicWall TZ170. I know! It should be replaced, but.....

Anyway,, we have several of the small TZ series that we use for offsite clinics to connect back to our Hospital network. This particular 170 just came back from a clinic that we physically moved and assigned to another subnet so that we could test the networking prior to moving hardware and people. It didn't have any of these problems in it's original location.

I updated the firmware SonicOS Standard on this when I got it back and booted to default settings, so the configuration is fresh and doesn't have any leftover configurations to cause problems.
After the firmware update, I built a new site to site tunnel with the appropriate vlans to our NSA E5500 HA main firewall utilizing a new subnet for the TZ170 Lan network. It assosciated and everything was working fine. Tested internet, corporate email, file shares, etc. and no problems. I have keep alive and bring up all possible tunnels checked on the TZ 170. I was using my laptop for this testing.

Once the laptop is allowed to go to power saving mode, the tunnel is disconnected within a few minutes and I loose the ability to manage the firewall from our central location. If I do a persistant ping from my desktop at the hospital, I am able to keep the connection alive, but that shouldn't be necessary. The location this is to be deployed will be an Ambulance station in another city, so often there is no one there using a connection if management of the firewall is necessary.

This is the first time I've seen this behavior from these firewalls. I don't see the tunnels dropped on our 5500 and when I power back up the laptop, I see all 4 tunnels still established. Seems like it must be a setting on the TZ 170 somewhere? Disabling the dead peer detection doesn't seem to have any effect on this.
Who is Participating?
convergintConnect With a Mentor Commented:
Is the new version of firmware you are running the same as the other TZ170s?

The GroupVPN is only used if you are using a VPN client, it has nothing to do with the site to site settings.

Try these things:
1.  One thing you could try is only enabling the keep alive on the TZ170 and turning it off on the E5500.
2.  If the remote site is a cable ISP, you could try adjusting the ‘WAN MTU’ from ‘1500’ to ‘1404’
3.  Go to the ‘Firewall > Access Rules’ page. For both of the ‘Key Exchange (IKE”)’ rules, click on the ‘Configure’ icon to the right and click on the ‘Advanced’ tab. From there, adjust the ‘TCP Connection Inactivity Timeout (minutes)’ field from the default of ‘5’ to ‘60’. When done, click on the ‘OK’ button to save and activate the changes.
4.  Under VPN Advanced, do you have the IKE Dead Peer Detection turned on or off?  If they are on, try turning it off on the TZ 170.  Also on the E5500, you shouldn't really have the "Enable Dead Deer Detection for idle vpn sessions" enabled.
Please edit the WAN GroupVPN and on the advanced tab,  ensure that "Enable Keep Alive" is checked.

This should work.
SujadaAuthor Commented:
The group VPN is not active VPN Screenshot
Under Edit>Advanced there is no keep alive on the group VPN. Keep alive and bring up all possible tunnels are both checked on the active VPN.
MiftaulConnect With a Mentor Commented:
I mean to say the "Enable Keep Alive" on VPN - Advanced Tab.
Site to Site VPNAdvanced TabIf this doesn't work, please increase the "TCP Connection inactivity timeout". By default it is set to 5 minutes, which is too low for some application. To do this, go to Firewall -> Access Rules -> Click Matrix view. Select LAN to VPN
Firewall - Access RulesTCP Connection Inactivity TimeoutWe need to change this setting twice, once from LAN to VPN and another time from VPN to LAN. Do the same VPN - LAN.
SujadaAuthor Commented:
Thanks to both Miftaul and convergint for their suggestions. I took the firewall access rules a step farther and created a rule to allow http managment with a timeout value of 600 minutes from my local site Lan and then from the public IP of my local firewall. Neither allowed me to access the management interface of the remote firewall from my local Lan UNLESS there was an active device behind the remote firewall, in this case for testing, my laptop turned on.

What I suspect is that there must be some type of interesting traffic over the VPN or the remote firewall does not respond to management requests althouigh I can't find this documented anywhere. Even a network printer will generate enough traffic to keep this active and that will be the case once it is deployed.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.