Solved

Dell SonicWALL VPN Error Message

Posted on 2016-07-25
Last Modified: 2016-11-22
Hi All,

We currently have a VPN setup between our HQ and data center.  More recently, we've noticed that there have been intermittent issues where the VPN drops.  Upon review of the logs, this is the error message that I've found... "Remove IPSec SaNode".  I've only briefly looked this up; however, I didn't come up with anything solid on how to solve this problem.  Has anyone encountered this problem before and, if so, how did they fix it?

We are currently using a Dell SonicWALL NSA 3600.

Any help on this would be greatly appreciated.

-Anthony
Question by:Anthony6890
15 Comments

Expert Comment

by:Diverse IT
ID: 41728816
Hi Anthony,

Follow this article I wrote to size your MTU accordingly.

Is this a S2S VPN, SSL-VPN or a GVC VPN? If S2S, what's the make/model of the other firewall...is it possibly a Cisco?

Run a packet capture and post some of the results.

With this error I see it typically being that the IPSec (ESP) packet was dropped by the other end receiving an IPSEC SA delete request. Then the SonicWALL performs accordingly and deletes the request.

Once I understand which type of VPN we are dealing with I'll be able to drill down into this for you in more detail.

Let me know how it goes!

Author Comment

by:Anthony6890
ID: 41729969
Hi Diverseit, I read your article and it was extremely informative.  

We are running two SonicWALL Firewalls, one is an NSA3600 and the other is an NSA4600.  We have a Site to Site VPN with IKE using a Preshared Secret, no SSL VPN.

We just had the firmware upgraded on both firewalls last night in hope that would help solve the problem; however, we are still encountering the issue today.

I will try to do the packet capture for you and post the results.

-Anthony

Expert Comment

by:Diverse IT
ID: 41729975
Can you screenshot or otherwise post your config for the VPN tunnel? Provided that the setups match on both ends, I'm specifically interested in the Advanced tab of the VPN Policy (Keep Alive settings) and the VPN > Advanced page settings.

Author Comment

by:Anthony6890
ID: 41737587
Sorry for not getting back to everyone sooner.  Yes, I can screenshot the settings.  I will send them over now.

I have an underlying feeling it might be an ISP problem.

Author Comment

by:Anthony6890
ID: 41737600
Here is the screenshot.

Author Comment

by:Anthony6890
ID: 41737601
Sorry, forgot the file.
NSA3600_SS.png

Author Comment

by:Anthony6890
ID: 41769220
Hi, I'm still dealing with this issue without resolve.  We've replaced two switches in our office and that has not solved the problem.  Can someone recommend some form of software that will allow me to fully identify the routes that an IP address is taking from one site to another site?

Expert Comment

by:Bing CISM / CISSP
ID: 41778132
First try the built-in tools provided by SonicOS, such as Packet Trace, as shown below.
Screen_Shot_2016-09-01_at_00_01_48.png

Author Comment

by:Anthony6890
ID: 41778254
Hi Bing, it looks like our issue might come down to the ISP itself.  I have a quick question: on the currently active VPN tunnels, we have 5 tunnels up as of now between our HQ and our datacenter.  For two of the tunnels it says the tunnel was created at 8:18 this morning and the other three were created at 10:05 this morning (Eastern Standard Time).  Originally the three tunnels said they were created at 8:18. Does the fact that the time is advanced mean that it re-created the VPN tunnels since we have failover from our main Fios line to the Optimum line?

-Anthony

Expert Comment

by:Bing CISM / CISSP
ID: 41779097
If only one end shows a different establishment time AND the end is behind a VIRTUAL (shared, fault-tolerant) IP, it may sound like that.

Accepted Solution

by:Anthony6890
ID: 41866946
The problem ended up being switch hardware issues.  We had to replace two older switches with newer ones and that solved our problems with the VPN as well.

Thank you everyone that tried helping us on this; however, it ended up being hardware after we tried all other solutions.

-A

Expert Comment

by:Diverse IT
ID: 41867291
Hi Anthony,

Just for clarification, you already said you replaced two switches and it did nothing?

Do you have switches upstream from the Firewalls? Not sure how replacing switches would matter with a S2S VPN connection. If the switches are downstream from the Firewall this wouldn't affect this kind of VPN at all.

Thanks!

Author Comment

by:Anthony6890
ID: 41867403
Hi Diverseit,

We did replace two switches previously; however, those were replaced in the HQ and not the data center.  Everyone believed the switches in the data center were good because they were fairly new; however, upon replacing two fairly new switches with brand new ones, all of our VPN errors disappeared.  We also replaced all of the cables that were used to connect between the firewall and those switches as well.

We had Dell working on this with us for about 3 weeks before we tried replacing the two switches in our data center.  Once we made the switch, all of our issues went away including all of the VPN error log entries.  

-Anthony

Expert Comment

by:Diverse IT
ID: 41867431
They must be Core switches then upstream from your firewall...otherwise it doesn't make sense as downstream switches have no bearing on an S2S VPN.

Thanks!

Author Closing Comment

by:Anthony6890
ID: 41875222
The issue ended up being hardware related, after trying all requested solutions.