  • Status: Solved

SonicWALL NSA 2400 VPN Issues with Avaya IP Office 500 units

Hi,

We are using Site-to-Site VPN connectivity from India to UK using SonicWALL NSA 2400 firewalls.

India Network - 172.16.0.0/23
UK Network - 10.0.0.0/23

Site-to-Site VPN works fine, with no issues with network connectivity or accessibility of devices.

We are using an Avaya IP Office 500 telephone system unit at the India site, where all India Avaya IP phones are connected to the India Avaya IP Office. Phones get IPs from the India Avaya telephone system.

Our Avaya IP Office is configured to pass all calls to the UK Avaya IP Office, e.g. our calls go to the UK as India telephone system --> UK telephone system --> calls inside/outside UK.

Issue:
Daily I get an error (e.g. UNOBTAINABLE) on my India IP phones when I am dialing any extension or number in the UK.

To resolve this issue I have to reset the VPN tunnel (un-tick and tick again the VPN check box on the SonicWALL) every day to start calling the UK.

The India site is also connected to other sites over Site-to-Site VPN terminology, where we are only accessing data. I never had to reset these tunnels, nor had any issues with network connectivity on them.

I would like to know if anyone has come across this type of issue, or if experts can advise how I can fix it permanently so that the daily VPN resetting goes away.

SonicWALL Firmware Version: SonicOS Enhanced 5.9.0.3-117o

Thanks for your help in advance.
Asked by: ketanaagja
 
amatson78 Commented:
Are you using Main Mode or Aggressive Mode (static IPs at both ends, or is at least one side dynamic)? Are keep-alives enabled on both or either of the VPN sides?

[Screenshot: Keep Alive Settings]
 
ketanaagja (Author) Commented:
I am using Aggressive mode in the IKE Phase 1 proposal; however, I had already tried all the other modes, but the situation is the same in every proposal mode.

I am even using a lifetime of 1 week (604800 seconds) for the VPN tunnels, but with no effect, as daily I have to reset the tunnels to start calling over the VPN.

Keep Alive is enabled on one of the firewalls. Both ends have static IPs configured with a 20mb dedicated internet line.

I have attached screenshots from both firewalls for your reference.

[Screenshot: VPN Advance TAB]
[Screenshot: VPN Proposal]
 
Blue Street Tech (Last Knights) Commented:
Hi ketanaagja,

Are there any other VPN s2s tunnels running between those two locations? If so, are they the ones you are saying have no problem?

If they are not, try changing the MTU; here's how: http://www.experts-exchange.com/A_12615-Unstable-Slow-Performing-Networks-or-VPNs-just-go-grocery-shopping.html

Let me know how it goes. Thanks!
 
Blue Street Tech (Last Knights) Commented:
Any update on this?
 
ketanaagja (Author) Commented:
Hi,

Apologies for the late reply, as I was out of station due to marriage.

As per the instructions, I tried changing the MTU size from the default 1500 to 1472 and lower, but had no success.

While checking the MTU response from my Windows XP PC, it seems there is more of an issue with the MTU.

Default 1500 MTU size.
I got a REQUEST TIMED OUT message at 1470 MTU size (is this normal?) and also below 1470. I am only getting a PING response at 512 MTU size, which looks strange to me. Below is the screenshot for review.

[Screenshot: 512 MTU Size Response]

Shall I try setting the SonicWALL interface MTU size to 512 or another size? This is where the entire confusion is.

The MTU Route application shows the status below:

[Screenshot: MTU Route Information]
 
Blue Street Tech (Last Knights) Commented:
That is strange. Are you connecting to the Internet via PPP?

The MTU of many PPP connections is 576, so if you connect to the Internet via PPP, you might see your machine's MTU at 576 or lower.

Also, try this command:
mturoute www.google.com

- that should auto size the correct MTU for you. Tell me what the results are.
 
ketanaagja (Author) Commented:
Hi,

I am using a fiber link on the SonicWALL through the ISP, and it's a dedicated 20mb internet line.

Below is the screenshot of mturoute www.google.com

[Screenshot: mturoute result]
 
Blue Street Tech (Last Knights) Commented:
I'd check with your upstream and make sure there are no issues, and call the ISP. But as it stands, 540 is your optimum MTU.
0
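The MTU check discussed in the posts above (pings at decreasing sizes, then mturoute), written out as an added Python example that is not part of the thread: it binary-searches the largest Don't Fragment echo payload that gets a reply and adds the 28 bytes of IPv4 and ICMP headers to obtain the path MTU. The function names are hypothetical, matching "ttl=" in the ping output to detect a reply is an assumption, only Windows and Linux ping flags are handled, and the 540-byte path in the demo is constructed to match the mturoute figure quoted in the thread.

```python
import platform
import subprocess

HEADERS = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_probe(host):
    """Build probe(payload) -> bool using the system ping with Don't Fragment set."""
    if platform.system() == "Windows":
        def argv(n): return ["ping", "-f", "-l", str(n), "-n", "1", host]
    else:  # Linux iputils ping
        def argv(n): return ["ping", "-M", "do", "-s", str(n), "-c", "1", host]

    def probe(payload):
        out = subprocess.run(argv(payload), capture_output=True).stdout
        # Assumption: an echo reply line contains "ttl=" ("TTL=" on Windows).
        return b"ttl=" in out.lower()
    return probe


def simulated_path(mtu):
    """Constructed stand-in for a real path: an echo passes only if it fits the MTU."""
    return lambda payload: payload + HEADERS <= mtu


def largest_payload(probe, lo=0, hi=1500 - HEADERS):
    """Largest payload that gets a reply, or None if even `lo` fails.

    Binary search, so it assumes every size below a passing size also passes.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2  # round up so the loop always makes progress
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def path_mtu(probe):
    """Path MTU in bytes (payload plus headers), or None if nothing gets through."""
    payload = largest_payload(probe)
    return None if payload is None else payload + HEADERS


if __name__ == "__main__":
    probe = simulated_path(540)  # swap in ping_probe("host") for a live test
    print("largest payload:", largest_payload(probe), "path MTU:", path_mtu(probe))
```

On a path whose MTU is 540, the largest payload that passes is 512, which is why a ping size and an MTU figure for the same link differ by 28.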
 
ketanaagja (Author) Commented:
Hi,

Today I called Dell SonicWALL support, and the tech guy set two rules as per the screenshots below:

LAN>VPN and from VPN>LAN

[Screenshot: VPN1]
[Screenshot: UDP timeout settings]
Here they changed the UDP timeout setting from 30 seconds to 300 seconds and asked me to monitor tomorrow morning whether voice fails or not.

This has been added on both ends' SonicWALL firewalls.

I'll be monitoring tomorrow whether this works or not.
 
ketanaagja (Author) Commented:
Hi,

The 300-second UDP timeout did not work, and again I found I was losing phone calls on the Avaya IP units, where I had to disable/re-enable the VPN tunnels.

Upon contacting SonicWALL support, they again asked me to change the 300-second UDP timeout to 3600 seconds and check tomorrow.
 
Blue Street Tech (Last Knights) Commented:
These Access Rules should have been set up by default if the VPN was set up properly.

Did you check with your ISP yet?
 
ketanaagja (Author) Commented:
The access rules which are created automatically are for the entire network, not specifically for the Avaya IP telephone systems. The SonicWALL support guy entered both rules manually, specifically with both telephone system IPs, and set the priority to 1.

The 1472 MTU size is working on the ISP side, and I configured the same on the firewall yesterday, but the issue occurred again today in the afternoon, when I lost phone call connectivity.
 
ketanaagja (Author) Commented:
Finally the issue got resolved.

The Anti-Spyware module of the SonicWALL NSA 2400 firewall was blocking VoIP packets at a 24-hour interval. (Why every 24 hours, SonicWALL support is still to answer.)

SonicWALL Support also unchecked prevention of "Low Danger Level Spyware" (as visible in the attached screenshot).

Once both Avaya IP units' IPs were bypassed from the Anti-Spyware module, the issue got resolved.

[Screenshot: antispyware]
 
ketanaagja (Author) Commented:
Other experts suggested solutions, but they did not work out as needed. I engaged the firewall's core support, and they took 3 weeks to solve the issue thoroughly by analyzing it packet by packet. Once the issue got resolved, I thought to publish the same on the Experts Exchange site so that other users who might face such an issue can instantly solve their queries.
 
Blue Street Tech (Last Knights) Commented:
Glad you got it resolved. As a best practice I log all attacks and only block high and medium attacks for anti-spyware, antivirus & IPS, regardless of running VoIP traffic. I wouldn't have guessed it to be the culprit in this instance though. Thanks for sharing.