nybyte (United States of America)

asked on

Scripting on

I put a Sonicwall TZ215 in for a site-to-site VPN connection to Amazon. After support calls with Sonicwall and AWS support, I learned that AWS tears down the tunnel after so many minutes without "interesting" traffic. Then I noticed that about every 24 hours all connections would quit working through the tunnel. The AWS side and the Sonicwall side of the tunnel were reporting the tunnel up, but no traffic was passing. I need to be able to schedule a script that resets the tunnel every day at 6 AM. I found this script on one of the forum sites but am unsure of how to go about implementing it. I downloaded Cygwin Terminal and placed it on one of the local servers that sits at our site. Is this the correct thing to do? How do I go about running the script on a Windows 2008 server so that the script hits the Sonicwall and keeps the tunnel up?

The bash script I found is as follows:

#! /bin/bash

# Replace YOURPASSWORD, NAMEOFVPNPOLICY, SONICWALLUSERNAME and the firewall address.
# Each CLI command is followed by a 2 s pause so the SonicOS CLI can keep up.
(echo -e 'YOURPASSWORD'; sleep 2; echo 'configure'; sleep 2; echo 'y'; sleep 2;
 echo 'vpn'; sleep 2; echo 'policy tunnel-interface "NAMEOFVPNPOLICY"'; sleep 2;
 echo 'no enable'; sleep 2; echo 'commit'; sleep 2;   # disable the VPN policy ...
 echo 'enable'; sleep 2; echo 'commit'; sleep 2;      # ... and re-enable it to rebuild the tunnel
 echo 'exit'; sleep 2; echo 'exit'; sleep 2; echo 'exit'; sleep 2; echo 'exit'; sleep 2
) | ssh -t -t SONICWALLUSERNAME@192.168.1.100
btan

Supposedly, from Sonicwall, checking "Enable Keep Alive" should at least alleviate the sporadic dropping and get things more stable. Also noticed that you have posted in the AWS forum with regard to this matter for advice and heard nothing. Running a script per se doesn't seem a long-term solution if a heartbeat is really essential for the AWS connection.

In fact, technically no tunnel will stay up 24x7. That's part of IPSec. You have a max lifetime (or max traffic) as part of the SA before it rekeys. Also there should not be any delay during the rekeying stage. It is still the IKE keepalives that keep things running, and do make sure the same timer values for both setups match at either end of the proposal exchange.

Nonetheless, you may also catch a technote configuration for a Sonicwall tunnel to AWS and vice versa:
http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf
Note: VPC requires a customer gateway to configure 2 route-based VPN tunnels for each instance of dynamic route-based VPNs at VPC. So there need to be 2 tunnel interface VPNs and 2 tunnel interfaces, each with its own BGP configuration.

• VPN gateway on a secondary WAN interface, in the same VPC. VPNs are deployed on one interface only in a single VPC.
• The SonicWALL firewall for Amazon VPC cannot be deployed behind a NAT device. Amazon does not support NAT traversal.
• Some platforms may require an expanded license for BGP support, required for a dynamic route-based VPN.
nybyte (ASKER)

I have the Keep Alive enabled along with the DPD for phase 1 and 2 but every morning the VPN connection has dropped. I followed the link you posted to get the VPN tunnel up originally and have talked to AWS support many times. They now want to close the ticket because they cannot figure out why it drops or so they say. The script is something I found on one of the AWS forums and would like to implement that but am unsure of exactly how to do it.
If you are interested in the script, there is one EE posting that may be of interest (titled "Sonicwall VPN dropping"):
https://www.experts-exchange.com/questions/26761709/Sonicwall-VPN-dropping.html
Here's what I've done to keep the tunnel up and running and create "interesting traffic." This batch file sends a ping (I have mine scheduled for every 5 minutes) and copies a small PNG image to a share on the server. If the ping fails it immediately sends an email with the VB Script email.vbs telling me it's down.
A common (but not ideal) trick for keeping a tunnel up is to schedule a file transfer or some other job to move a good amount of data once an hour. Some firewalls do not consider pings to be "interesting traffic", so you may have better success with an actual file transfer.
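As an added example (not code from the thread), here is a Cygwin bash watchdog that combines the two ideas above: it probes a host behind the tunnel every 5 minutes, which doubles as interesting traffic, and only runs the policy-bounce script from the question after several consecutive misses, instead of resetting blindly at 6 AM. PEER_HOST, RESET_SCRIPT, STATE_FILE and the Cygwin install path are placeholders, and the default probe assumes the Windows ping.exe is the one on Cygwin's PATH.

```shell
#!/bin/bash
# Tunnel watchdog for Cygwin bash on the Windows server, run by Task Scheduler
# every 5 minutes. It probes a host behind the tunnel (which also produces the
# "interesting traffic" AWS wants) and runs the policy-bounce script from the
# question only after THRESHOLD consecutive misses, so a healthy tunnel is left alone.
# PEER_HOST, RESET_SCRIPT and STATE_FILE are placeholders; the default probe
# assumes the Windows ping.exe is the one found on Cygwin's PATH.

PEER_HOST="${PEER_HOST:-10.0.0.10}"                          # host inside the VPC (placeholder)
RESET_SCRIPT="${RESET_SCRIPT:-$HOME/reset_vpn.sh}"           # the script posted in the question
STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/vpn_watch.fails}"  # consecutive-miss counter
THRESHOLD="${THRESHOLD:-3}"                                  # misses before bouncing
PROBE_CMD="${PROBE_CMD:-ping -n 1 -w 3000 $PEER_HOST}"       # Windows ping: 1 echo, 3 s timeout

# Exit 0 when the peer answers, nonzero otherwise.
probe_peer() { $PROBE_CMD >/dev/null 2>&1; }

# Pure decision step: $1 = misses so far, $2 = probe result (0 ok, nonzero miss).
# Prints the new miss count; exits 0 when a bounce is due (the count restarts at 0).
update_state() {
  fails="$1"
  if [ "$2" -eq 0 ]; then echo 0; return 1; fi
  fails=$((fails + 1))
  if [ "$fails" -ge "$THRESHOLD" ]; then echo 0; return 0; fi
  echo "$fails"; return 1
}

# One scheduled run: read the counter, probe, bounce if due, store the counter.
watch_once() {
  fails=0
  [ -f "$STATE_FILE" ] && fails=$(cat "$STATE_FILE")
  if probe_peer; then rc=0; else rc=1; fi
  if new=$(update_state "$fails" "$rc"); then
    echo "$(date) $PEER_HOST missed $THRESHOLD probes in a row, bouncing the tunnel"
    bash "$RESET_SCRIPT"
  fi
  echo "$new" > "$STATE_FILE"
}

# Scheduled task (elevated cmd prompt; Cygwin install path assumed):
#   schtasks /create /tn "VPNWatch" /sc minute /mo 5 /ru SYSTEM
#     /tr "C:\cygwin\bin\bash.exe -l -c '/home/admin/vpn_watch.sh run'"
if [ "$1" = "run" ]; then watch_once; fi
```

The Task Scheduler log plus the echoed line give you a timestamp for every bounce, which is the evidence AWS support was missing when the tunnel showed "up" on both ends but passed no traffic.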
nybyte (ASKER)

I spoke to Sonicwall's support team and they created a new firmware package that is supposed to take care of the AWS VPN issue. I am going to apply this firmware on Dec 1st and will update on whether this does in fact take care of the issue.
ASKER CERTIFIED SOLUTION
nybyte
nybyte (ASKER)

The firmware that Sonicwall provided was in fact the firmware that fixed the issue. The VPN has been up for 7 straight days without an issue, and it has never stayed up that long.