I have a couple of NetVanta 3120 routers that are used in homes for IP phones to a main office. The main office uses a Sonicwall. The VPN connections are dynamic due to the lack of static IP addresses at the employees' residences. The VPN works fine when first connected, but after a period of time, the VPN LED starts slow flashing green. I can no longer pass traffic through the VPN, but Internet is still working fine. Simply shutting down eth 0/1 and bringing it back up will cause the VPN to reconnect when interesting traffic is presented.
While flashing slow green, I ran some commands to view the IKE SA and IPSEC SA. Results are listed below. Any insight would be greatly appreciated:
remote3: ADTRAN, Inc. OS version R10.6.0.E
Platform: NetVanta 3120, Part Number 1700600L2, Serial Number LBADTN0804AC308
--------------------------------------------------
Capture triggered on Wed May 22 2013 at 07:48:54 EDT
--------------------------------------------------
remote3(config)#do ping 10.100.1.200 source 10.100.4.1 repeat 4
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
'*' = Request timed out, '-' = Destination host unreachable
'x' = TTL expired in transit, 'e' = Unknown error
Sending 4, 100-byte ICMP Echos to 10.100.1.200, timeout is 2 seconds:
****
Success rate is 0 percent (0/4)
remote3(config)#do ping 8.8.8.8 repeat 4
Type CTRL+C to abort.
Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address
'*' = Request timed out, '-' = Destination host unreachable
'x' = TTL expired in transit, 'e' = Unknown error
Sending 4, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!
Success rate is 100 percent (4/4), round-trip min/avg/max = 18/20/23 ms
remote3(config)#do show cry ike sa
Using 1 SAs out of 20
Peak concurrent SAs: 1
IKE Security Associations:
Peer IP Address: 98.190.241.198
Remote ID: williamsburg
Lifetime: 28795
Status: UP (SA_MATURE)
IKE Policy: 100
NAT-traversal: V2
Detected NAT / Behind NAT: Yes / Yes
Dead Peer Detection: Yes
remote3(config)#do show cry ipsec sa
2 current IPv4 IPsec SAs on default VRF
2 current IPv4 + IPv6 IPsec SAs on all VRFs (4 peak of 40 max)
IPsec Security Associations:
Peer IP Address: 10.83.4.185
Remote ID: williamsburg
Crypto Map: VPN 10
Direction: Inbound
Encapsulation: ESP
SPI: 0xA0302286 (2687509126)
RX Bytes: 24836
Selectors: Src:10.100.1.0/255.255.255.0 Port:ANY Proto:ALL IP
Dst:10.100.4.0/255.255.255.0 Port:ANY Proto:ALL IP
Hard Lifetime: 2160
Soft Lifetime: 0
Out-of-Sequence Errors: 0
Peer IP Address: 98.190.241.198
Remote ID: williamsburg
Crypto Map: VPN 10
Direction: Outbound
Encapsulation: ESP
SPI: 0x103F77E9 (272594921)
TX Bytes: 25656
Selectors: Src:10.100.4.0/255.255.255.0 Port:ANY Proto:ALL IP
Dst:10.100.1.0/255.255.255.0 Port:ANY Proto:ALL IP
Hard Lifetime: 2160
Soft Lifetime: 2130
remote3(config)#
The slow flashing green VPN LED usually signifies that phase 1 has successfully negotiated. However, based on the output you provided, it appears the VPN is up and should be passing traffic.
Is anyone from the Sonicwall side able to ping the LAN IP of the 3120 while it is in this state? When you do a ping in both directions are you seeing the TX and RX bytes increment? This can be seen by issuing the "sh crypto ipsec sa" command before and after the ping.
Could you post your configuration as well as the output to "show interface" for us to look at?
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
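The "compare TX/RX bytes before and after a ping" check suggested above can be automated. The script below is an added example for this thread, not Adtran's or SonicWall's code: it parses the `show crypto ipsec sa` output posted by the original poster (used verbatim as the "before" snapshot), compares it against a second snapshot that is constructed here as if four 100-byte pings had been sent, reports per direction whether the byte counters moved, and flags that the two SAs reference different peer addresses (10.83.4.185 inbound versus 98.190.241.198 outbound, exactly as in the posted output), which is a detail worth bringing up with the vendor. The field names are the ones visible on the page; nothing else about the AOS output format is assumed.

```python
import re

# Field lines emitted by "show crypto ipsec sa" (names exactly as they appear in the post)
SA_FIELD = re.compile(
    r"^\s*(Peer IP Address|Remote ID|Crypto Map|Direction|Encapsulation|SPI|"
    r"RX Bytes|TX Bytes|Hard Lifetime|Soft Lifetime|Out-of-Sequence Errors):\s*(.+?)\s*$"
)

# Snapshot 1: the "show crypto ipsec sa" output from the original post, verbatim.
SNAPSHOT_BEFORE = """\
2 current IPv4 IPsec SAs on default VRF
2 current IPv4 + IPv6 IPsec SAs on all VRFs (4 peak of 40 max)
IPsec Security Associations:
Peer IP Address: 10.83.4.185
Remote ID: williamsburg
Crypto Map: VPN 10
Direction: Inbound
Encapsulation: ESP
SPI: 0xA0302286 (2687509126)
RX Bytes: 24836
Selectors: Src:10.100.1.0/255.255.255.0 Port:ANY Proto:ALL IP
Dst:10.100.4.0/255.255.255.0 Port:ANY Proto:ALL IP
Hard Lifetime: 2160
Soft Lifetime: 0
Out-of-Sequence Errors: 0
Peer IP Address: 98.190.241.198
Remote ID: williamsburg
Crypto Map: VPN 10
Direction: Outbound
Encapsulation: ESP
SPI: 0x103F77E9 (272594921)
TX Bytes: 25656
Selectors: Src:10.100.4.0/255.255.255.0 Port:ANY Proto:ALL IP
Dst:10.100.1.0/255.255.255.0 Port:ANY Proto:ALL IP
Hard Lifetime: 2160
Soft Lifetime: 2130
"""

# Snapshot 2: CONSTRUCTED for this example, as the output might look after four 100-byte
# pings were sent through the tunnel: TX grew by 400 bytes, RX did not move at all.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("TX Bytes: 25656", "TX Bytes: 26056")


def parse_ipsec_sa(text):
    """Return one dict per SA; a new SA starts at every 'Peer IP Address:' line."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_FIELD.match(line)
        if not m:
            continue  # headers, Selectors lines and prompts are not SA fields
        key, val = m.groups()
        if key == "Peer IP Address":
            cur = {}
            sas.append(cur)
        if cur is None:
            continue
        if key == "SPI":
            cur["spi"] = int(val.split()[0], 16)      # keep the hex form, drop the decimal echo
        elif key in ("RX Bytes", "TX Bytes"):
            cur["bytes"] = int(val)                   # inbound SAs count RX, outbound count TX
        elif key in ("Hard Lifetime", "Soft Lifetime", "Out-of-Sequence Errors"):
            cur[key.lower().replace(" ", "_").replace("-", "_")] = int(val)
        else:
            cur[key.lower().replace(" ", "_")] = val
    return sas


def traffic_deltas(before_text, after_text):
    """Byte-counter growth per direction between two snapshots, matched on (direction, SPI).
    A direction whose SA was rekeyed in between (new SPI) is reported as None."""
    before = {(sa["direction"], sa["spi"]): sa for sa in parse_ipsec_sa(before_text)}
    deltas = {}
    for sa in parse_ipsec_sa(after_text):
        old = before.get((sa["direction"], sa["spi"]))
        deltas[sa["direction"]] = None if old is None else sa["bytes"] - old["bytes"]
    return deltas


def peer_addresses(text):
    """Distinct peer addresses across the SAs; one tunnel to one peer normally shows one."""
    return sorted({sa["peer_ip_address"] for sa in parse_ipsec_sa(text)})


def diagnose(before_text, after_text, probe_bytes):
    """Summarise what a probe of probe_bytes total payload should have done to each SA.
    Counters include ESP encapsulation, so real growth is larger than the payload size."""
    findings = []
    for direction, delta in traffic_deltas(before_text, after_text).items():
        counter = "RX" if direction == "Inbound" else "TX"
        if delta is None:
            findings.append(f"{direction}: SA rekeyed between snapshots, counters not comparable")
        elif delta >= probe_bytes:
            findings.append(f"{direction}: {counter} bytes +{delta}, traffic is flowing")
        else:
            findings.append(f"{direction}: {counter} bytes +{delta}, expected at least "
                            f"{probe_bytes}; packets are not passing on this SA")
    peers = peer_addresses(after_text)
    if len(peers) > 1:
        findings.append(f"SAs reference different peer addresses {peers}; raise with the vendor")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, probe_bytes=400):
        print(finding)
```

On the constructed data this reports the outbound SA passing traffic, the inbound SA receiving nothing, and the peer-address difference. In practice you would paste the two real `show crypto ipsec sa` captures into the two snapshot strings and run the ping in both directions, since an inbound counter that never moves while the outbound one does points at the return path rather than at this router.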
Not at this time. Adtran Engineers working with Sonic Wall engineers were unable to pinpoint what was causing the problem. We ended up putting another NetVanta 3120 at the main site. The problem went away.
Thanks
R\