Anonymous
Not applicable

Dynamic VPN with Sonicwall fails after a period of time

I have a couple of NetVanta 3120 routers that are used in homes for IP phones to a main office. The main office uses a Sonicwall. The VPN connections are dynamic due to the lack of static IP addresses at the employee's residence. The VPN works fine when first connected, but after a period of time, the VPN LED starts slow flashing green. I can no longer pass traffic through the VPN, but Internet is still working fine. Simply shutting down eth 0/1 and bringing it back up will cause the VPN to reconnect when interesting traffic is presented.

While flashing slow green, I ran some commands to view the IKE SA and IPSEC SA.  Results are listed below.  Any insight would be greatly appreciated:

remote3: ADTRAN, Inc. OS version R10.6.0.E
Platform: NetVanta 3120, Part Number 1700600L2, Serial Number LBADTN0804AC308
--------------------------------------------------
Capture triggered on Wed May 22 2013 at 07:48:54 EDT
--------------------------------------------------

do ping 10.100.1.200 source 10.100.4.1 repeat 4
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit, 'e' = Unknown error
Sending 4, 100-byte ICMP Echos to 10.100.1.200, timeout is 2 seconds:
****
Success rate is 0 percent (0/4)

remote3(config)#do ping 8.8.8.8 repeat 4
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
        '*' = Request timed out, '-' = Destination host unreachable
        'x' = TTL expired in transit, 'e' = Unknown error
Sending 4, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!
Success rate is 100 percent (4/4), round-trip min/avg/max = 18/20/23 ms

remote3(config)#do show cry ike sa
Using 1 SAs out of 20
Peak concurrent SAs: 1
IKE Security Associations:
Peer IP Address: 98.190.241.198
  Remote ID: williamsburg
  Lifetime: 28795
  Status: UP (SA_MATURE)
  IKE Policy: 100
  NAT-traversal: V2
  Detected NAT / Behind NAT: Yes / Yes
  Dead Peer Detection: Yes

remote3(config)#do show cry ipsec sa
2 current IPv4 IPsec SAs on default VRF
2 current IPv4 + IPv6 IPsec SAs on all VRFs (4 peak of 40 max)
IPsec Security Associations:
Peer IP Address: 10.83.4.185
  Remote ID: williamsburg
  Crypto Map: VPN 10
  Direction: Inbound
  Encapsulation: ESP
  SPI: 0xA0302286 (2687509126)
  RX Bytes: 24836
  Selectors: Src:10.100.1.0/255.255.255.0  Port:ANY  Proto:ALL IP
             Dst:10.100.4.0/255.255.255.0 Port:ANY  Proto:ALL IP
  Hard Lifetime: 2160
  Soft Lifetime: 0
  Out-of-Sequence Errors: 0
Peer IP Address: 98.190.241.198
  Remote ID: williamsburg
  Crypto Map: VPN 10
  Direction: Outbound
  Encapsulation: ESP
  SPI: 0x103F77E9 (272594921)
  TX Bytes: 25656
  Selectors: Src:10.100.4.0/255.255.255.0 Port:ANY  Proto:ALL IP
             Dst:10.100.1.0/255.255.255.0 Port:ANY  Proto:ALL IP
  Hard Lifetime: 2160
  Soft Lifetime: 2130

remote3(config)#

Anonymous
Not applicable

Re: Dynamic VPN with Sonicwall fails after a period of time

The slow flashing green VPN LED usually signifies that phase 1 has successfully negotiated. However, based on the output you provided, it appears the VPN is up and should be passing traffic.

Is anyone from the Sonicwall side able to ping the LAN IP of the 3120 while it is in this state? When you do a ping in both directions are you seeing the TX and RX bytes increment? This can be seen by issuing the "sh crypto ipsec sa" command before and after the ping.

Could you post your configuration as well as the output to "show interface" for us to look at?

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor
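
The before/after counter comparison suggested in the reply above, as an added example that is not part of the original thread or of any ADTRAN tooling. It parses two captures of "show crypto ipsec sa" in the format posted in the question and reports the byte-counter change per SPI; the second capture is constructed sample data and the function names are hypothetical.

```python
# Constructed sample: the first capture is trimmed from the output in the
# question; the second capture's TX counter is made up for illustration.
BEFORE = """\
Peer IP Address: 10.83.4.185
  Direction: Inbound
  SPI: 0xA0302286 (2687509126)
  RX Bytes: 24836
Peer IP Address: 98.190.241.198
  Direction: Outbound
  SPI: 0x103F77E9 (272594921)
  TX Bytes: 25656
"""
AFTER = BEFORE.replace("TX Bytes: 25656", "TX Bytes: 26056")


def parse_sas(text):
    """Return {spi: {"peer", "direction", "bytes"}} from 'show crypto ipsec sa' text."""
    sas, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.strip().partition(":")
        val = val.strip()
        if key == "Peer IP Address":
            cur = {"peer": val, "bytes": 0}   # each SA block starts with its peer
        elif cur is None:
            continue                          # banner lines before the first SA
        elif key == "Direction":
            cur["direction"] = val
        elif key == "SPI":
            sas[val.split()[0]] = cur         # key on the hex SPI
        elif key in ("RX Bytes", "TX Bytes"):
            cur["bytes"] = int(val)
    return sas


def counter_deltas(before, after):
    """Byte-counter change per SA; None means that SPI is gone (rekeyed or deleted)."""
    b, a = parse_sas(before), parse_sas(after)
    return {(sa["direction"], spi): (a[spi]["bytes"] - sa["bytes"] if spi in a else None)
            for spi, sa in b.items()}


def moving_directions(deltas):
    """Directions whose counters increased between the two captures."""
    return sorted({d for (d, _), n in deltas.items() if n})


if __name__ == "__main__":
    print(counter_deltas(BEFORE, AFTER), moving_directions(counter_deltas(BEFORE, AFTER)))
```

A result of only "Outbound" means the router is encrypting and sending while nothing is being decrypted on the inbound SA; a None delta means the SPI changed between captures, so the counters cannot be compared.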

Anonymous
Not applicable

Re: Dynamic VPN with Sonicwall fails after a period of time

Are you still in need of assistance or have any further questions regarding this subject?

Thanks,

Noor

Anonymous
Not applicable

Re: Dynamic VPN with Sonicwall fails after a period of time

Not at this time. Adtran Engineers working with Sonic Wall engineers were unable to pinpoint what was causing the problem. We ended up putting another NetVanta 3120 at the main site. The problem went away.

Thanks

R\
