Solved

Scripting on

Posted on 2014-11-23
Last Modified: 2014-12-13
I put a Sonicwall TZ215 in for a site-to-site VPN connection to Amazon. After support calls with Sonicwall and AWS support, I learned that AWS tears down the tunnel after so many minutes without "interesting" traffic. Then I noticed that about every 24 hours all connections would quit working through the tunnel. The AWS side and the Sonicwall side of the tunnel were reporting the tunnel up, but no traffic was passing. I need to be able to schedule a script that resets the tunnel every day at 6 AM. I found this script on one of the forum sites but am unsure of how to go about implementing it. I downloaded Cygwin Terminal and placed it on one of the local servers that sits at our site. Is this the correct thing to do? How do I go about running the script on a Windows 2008 server so that the script hits the Sonicwall and keeps the tunnel up?

The bash script I found is as follows:

#!/bin/bash
# Sends the SonicOS CLI dialogue over ssh with a forced tty (-t -t): log in,
# enter configure mode, disable the tunnel-interface policy, commit, re-enable
# it, commit, then back out. Fill in YOURPASSWORD, NAMEOFVPNPOLICY,
# SONICWALLUSERNAME and the firewall address. Plain echo, not echo -e, so a
# backslash in the password is not mangled; keep this file mode 0600.
(
  echo 'YOURPASSWORD'; sleep 2
  echo 'configure'; sleep 2
  echo 'y'; sleep 2
  echo 'vpn'; sleep 2
  echo 'policy tunnel-interface "NAMEOFVPNPOLICY"'; sleep 2
  echo 'no enable'; sleep 2
  echo 'commit'; sleep 2
  echo 'enable'; sleep 2
  echo 'commit'; sleep 2
  echo 'exit'; sleep 2; echo 'exit'; sleep 2; echo 'exit'; sleep 2; echo 'exit'; sleep 2
) | ssh -t -t SONICWALLUSERNAME@192.168.1.100
Question by:nybyte
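Run unconditionally at 6 AM, the posted script bounces the tunnel whether or not it is broken. As an added example (not the poster's script, and not anything from SonicWALL or AWS), here is the same CLI dialogue wrapped in a health check: ping a host on the AWS side, disable and re-enable the policy only when that probe fails, then probe again and return non-zero if the reset did not help, so a scheduler or wrapper can alert. It reuses the placeholders from the posted script (YOURPASSWORD, SONICWALLUSERNAME, NAMEOFVPNPOLICY, 192.168.1.100); PROBE_HOST, PROBE_CMD, STEP_DELAY, RECOVERY_WAIT and LOG_FILE are assumed names, and 10.0.0.10 is a made-up far-side address. Written for Cygwin bash or any POSIX sh.

```shell
#!/bin/sh
# Added example, not the original poster's script: bounce the SonicWALL
# tunnel-interface VPN policy only when a host on the AWS side stops answering,
# and log what happened. All PROBE_*/RECOVERY_WAIT/LOG_FILE names are assumed.

FW_HOST="${FW_HOST:-192.168.1.100}"
FW_USER="${FW_USER:-SONICWALLUSERNAME}"
FW_PASSWORD="${FW_PASSWORD:-YOURPASSWORD}"   # credential: keep this file mode 0600
POLICY_NAME="${POLICY_NAME:-NAMEOFVPNPOLICY}"
PROBE_HOST="${PROBE_HOST:-10.0.0.10}"        # hypothetical instance reachable only via the tunnel
# Linux/Cygwin ping syntax; Windows ping.exe would be "ping -n 1 -w 2000"
PROBE_CMD="${PROBE_CMD:-ping -c 1 -W 2}"
STEP_DELAY="${STEP_DELAY:-2}"                # pause between CLI lines, as in the posted script
RECOVERY_WAIT="${RECOVERY_WAIT:-30}"         # seconds to let IKE rebuild both phases before re-probing
LOG_FILE="${LOG_FILE:-${TMPDIR:-/tmp}/vpn-reset.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"; }

# True when one ICMP probe crosses the tunnel and comes back.
tunnel_healthy() { $PROBE_CMD "$1" >/dev/null 2>&1; }

# Emit the SonicOS CLI dialogue the posted script sends: log in, enter
# configure mode, disable the policy, commit, re-enable it, commit, back out.
# One line per command, each followed by a pause so the CLI can catch up.
bounce_dialogue() {
    policy="$1"; delay="$2"
    for line in "$FW_PASSWORD" configure y vpn \
            "policy tunnel-interface \"$policy\"" \
            'no enable' commit enable commit exit exit exit exit; do
        printf '%s\n' "$line"
        sleep "$delay"
    done
}

# Push the dialogue into an ssh session with a forced tty, as the posted script does.
bounce_tunnel() {
    bounce_dialogue "$POLICY_NAME" "$STEP_DELAY" \
        | ssh -tt "$FW_USER@$FW_HOST" >>"$LOG_FILE" 2>&1
}

# Probe; bounce only on failure; re-probe after the reset. Returns 0 when the
# tunnel passes traffic at the end, 1 when it is still dead.
ensure_tunnel() {
    if tunnel_healthy "$PROBE_HOST"; then
        log "probe $PROBE_HOST ok, no action"
        return 0
    fi
    log "probe $PROBE_HOST failed, bouncing policy $POLICY_NAME on $FW_HOST"
    bounce_tunnel
    sleep "$RECOVERY_WAIT"
    if tunnel_healthy "$PROBE_HOST"; then
        log "tunnel recovered after reset"
        return 0
    fi
    log "tunnel still down after reset"
    return 1
}

# Scheduled invocation: reset-vpn.sh run   (no argument only loads the functions)
case "${1:-}" in
    run) ensure_tunnel ;;
esac
```

To schedule it from Windows Task Scheduler with Cygwin, make the task action `C:\cygwin\bin\bash.exe -l -c '/home/admin/reset-vpn.sh run'` (path assumed) under the account that owns the script file, and check LOG_FILE after the first few runs. Because the script exits 1 when the tunnel is still dead after the reset, the task's Last Run Result shows the failure instead of silently reporting success. Treat this as a workaround for the "up but passing nothing" state the question describes; DPD, keepalives and matching lifetimes on both ends remain the proper fix.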
 

Expert Comment

by:btan
ID: 40462151
Supposedly, from Sonicwall, having "Enable Keep Alive" checked should at least alleviate the sporadic dropping and get things more stable. Also noticed that you have posted in the AWS forum with regard to this matter for advice and heard nothing. Running a script per se doesn't seem a long-term solution if a heartbeat is really essential for the AWS connection.

In fact, technically no tunnel will stay up 24x7. That's part of IPsec. You have a max lifetime (or max traffic) as part of the SA before it rekeys. Also there should not be any delay during the rekeying stage. It is still the IKE keepalives that keep things running, and do make sure the timer values match at both ends of the proposal exchange.

Nonetheless, you may also want to look at the technote on configuring a Sonicwall tunnel to AWS and vice versa:
http://www.sonicwall.com/downloads/Configuring_SonicOS_for_Amazon_VPC_Technote.pdf
Note: VPC requires a customer gateway to configure 2 route-based VPN tunnels for each instance of dynamic route-based VPNs at VPC. So there need to be 2 tunnel-interface VPNs and 2 tunnel interfaces, each with its own BGP configuration.

• VPN gateway on a secondary WAN interface, in the same VPC. VPNs are deployed on one interface only in a single VPC.
• The SonicWALL firewall for Amazon VPC cannot be deployed behind a NAT device. Amazon does not support NAT traversal.
• Some platforms may require an expanded license for BGP support, required for a dynamic route-based VPN.

Author Comment

by:nybyte
ID: 40462163
I have Keep Alive enabled along with DPD for phase 1 and 2, but every morning the VPN connection has dropped. I followed the link you posted to get the VPN tunnel up originally and have talked to AWS support many times. They now want to close the ticket because they cannot figure out why it drops, or so they say. The script is something I found on one of the AWS forums and I would like to implement it, but am unsure of exactly how to do it.

Expert Comment

by:btan
ID: 40462175
If you are interested in the script, there is one EE posting that may be of interest (it states Sonicwall dropping VPN):
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_26761709.html
"Here's what I've done to keep the tunnel up and running and create 'interesting traffic.' This batch file sends a ping (I have mine scheduled for every 5 minutes) and copies a small PNG image to a share on the server. If the ping fails it immediately sends an email with the VB Script email.vbs telling me it's down."

Expert Comment

by:eeRoot
ID: 40463853
A common (but not ideal) trick to keep a tunnel up is to schedule a file transfer or some other job to move a good amount of data once an hour. Some firewalls do not consider pings to be "interesting traffic", so you may have better success with an actual file transfer.
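The batch file btan quoted (ping every 5 minutes, copy a small PNG to a share, email on failure) and eeRoot's advice to move a real amount of data are the same idea. As an added example that is not from either commenter or the linked posting, here is that keepalive written for Cygwin bash or POSIX sh: it probes a far-side host, writes a fresh random payload to a share on the AWS side, reads it back to verify, cleans up, and calls an alert command when either step fails. PROBE_HOST, PROBE_CMD, SHARE_DIR, PAYLOAD_KB, ALERT_CMD and LOG_FILE are assumed names; 10.0.0.10 and /cygdrive/z/keepalive are made-up values.

```shell
#!/bin/sh
# Added example (not from the thread): keep the tunnel busy with "interesting"
# traffic and raise an alert when the far side stops answering. Meant to be
# scheduled every few minutes. All placeholder names below are hypothetical.

PROBE_HOST="${PROBE_HOST:-10.0.0.10}"
PROBE_CMD="${PROBE_CMD:-ping -c 1 -W 2}"          # Windows ping.exe: "ping -n 1 -w 2000"
SHARE_DIR="${SHARE_DIR:-/cygdrive/z/keepalive}"   # hypothetical mapped drive on the AWS side
PAYLOAD_KB="${PAYLOAD_KB:-256}"                   # enough bytes to count as traffic, not one ping
ALERT_CMD="${ALERT_CMD:-}"                        # e.g. 'cscript email.vbs'; empty = log only
LOG_FILE="${LOG_FILE:-${TMPDIR:-/tmp}/vpn-keepalive.log}"

log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG_FILE"; }

# True when one ICMP probe crosses the tunnel and comes back.
tunnel_healthy() { $PROBE_CMD "$1" >/dev/null 2>&1; }

# Log the problem and hand it to the alert command, if one is configured.
alert() {
    log "ALERT: $*"
    if [ -n "$ALERT_CMD" ]; then $ALERT_CMD "$*"; fi
}

# Write PAYLOAD_KB kilobytes of random data to $1: fresh bytes every run, so the
# transfer cannot be short-circuited by a cache on either side.
make_payload() {
    dd if=/dev/urandom of="$1" bs=1024 count="$PAYLOAD_KB" 2>/dev/null
}

# Copy the payload to the share, verify it arrived intact, then remove it so the
# share does not fill up. Returns 1 if the write or the read-back fails.
push_payload() {
    src="$1"; dst="$2/keepalive.$$"
    cp "$src" "$dst" 2>/dev/null || return 1
    cmp -s "$src" "$dst" || { rm -f "$dst"; return 1; }
    rm -f "$dst"
}

# One scheduled cycle: probe, then move data across the tunnel. The read-back
# matters: the question describes both ends reporting "up" with nothing
# passing, which a ping alone can miss and which a bare copy would not verify.
keepalive_once() {
    if ! tunnel_healthy "$PROBE_HOST"; then
        alert "tunnel down: $PROBE_HOST not answering"
        return 1
    fi
    payload="${TMPDIR:-/tmp}/keepalive-src.$$"
    make_payload "$payload"
    if push_payload "$payload" "$SHARE_DIR"; then
        log "sent ${PAYLOAD_KB}KB to $SHARE_DIR"
        rm -f "$payload"
        return 0
    fi
    rm -f "$payload"
    alert "tunnel up but file transfer to $SHARE_DIR failed"
    return 1
}

# Scheduled invocation: vpn-keepalive.sh run   (no argument only loads the functions)
case "${1:-}" in
    run) keepalive_once ;;
esac
```

Schedule it every 5 minutes the same way as the reset script (a Task Scheduler action running Cygwin's bash with `-l -c`), and point ALERT_CMD at whatever already sends mail on that server. A non-zero exit separates "far side unreachable" from "reachable but the share write or read-back failed", which is the case the question's symptoms fall into.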

Author Comment

by:nybyte
ID: 40470782
I spoke to Sonicwall's support team and they created a new firmware package that is supposed to take care of the AWS VPN issue. I am going to apply this firmware on Dec 1st and will update on whether this does in fact take care of the issue.

Accepted Solution

by:nybyte
ID: 40487509
UPDATE - The firmware that Sonicwall supplied fixed the VPN issue.

Author Closing Comment

by:nybyte
ID: 40497751
The firmware that Sonicwall provided was in fact the firmware that fixed the issue. The VPN has been up for 7 straight days without an issue, and it has never stayed up that long.