Unsolved site to site VPN only works with Keep Alive
-
I was setting up a site to site VPN connection between a couple of SonicWalls. (I need content filtering and the SonicWalls were specified in grant money.) On other connections where one side might have DHCP on the WAN side, I used IKE with a Preshared Secret and it just worked. On this particular connection, the only way it would work is if we enabled "Keep Alive" on both sides. This involves hard setting the remote IP, so it's not ideal. Can anyone tell me what exactly Keep Alive is and what might be a way around using it?
-
A Keep Alive is a tiny bit of "continuous" traffic sent across a link to make it look like it is in use, even when it is not. It lets both sides know that both sides are still active. It's generally a trivial amount of traffic, like a ping every five minutes. Nothing you would notice. But it lets everything know that the link has not dropped. So decently useful.
-
You only need a keep alive when you have no traffic. But, not having traffic can happen simply from everyone going to lunch at the same time.
-
It's really odd. I had a continuous ping going as I was changing settings. At some point I checked the box and all of a sudden I started getting replies. I kept checking and unchecking boxes until I found that that was the thing that was doing it. As soon as I turn it off, the connection drops, even though there should be a continuous ping going across the connection.
-
That is odd, not sure why that would be. KA should only affect you after a few minutes, at least, often more than that.
-
@mike-davis said in site to site VPN only works with Keep Alive:
It's really odd. I had a continuous ping going as I was changing settings. At some point I checked the box and all of a sudden I started getting replies. I kept checking and unchecking boxes until I found that that was the thing that was doing it. As soon as I turn it off, the connection drops, even though there should be a continuous ping going across the connection.
Man, this sounds really odd, like the issue I had with a Cisco ASA and a Meraki device, especially the part about the tunnel dropping. I know it's not the same scenario here, but this one piqued my curiosity and gave me a touch of déjà vu.
I wonder if Sonicwall Support can explain it?
-
@networknerd said in site to site VPN only works with Keep Alive:
I wonder if Sonicwall Support can explain it?
The reason I was getting this tunnel going is I'm swapping out the current SonicWall that is falling out of support for one that is under support. Once I get the one under support on a live network, I can contact support.
-
@mike-davis Keep Alive is something I have enabled on all SonicWalls for that reason. Otherwise, on networks where there is no continual traffic, it will stop. Cisco is notorious for this, so I have a continual ping on a server between Cisco and Amazon. Same for SonicWall with Network Monitor (another solution) with the Amazon VPC tunnels.
-
It's really odd because I have an existing tunnel that has been up for 2 years with no issues on that same SonicWall and it doesn't have the keep alive enabled.
-
@mike-davis What firmware are you on?
-
@dbeato said in site to site VPN only works with Keep Alive:
@mike-davis What firmware are you on?
5.9.0.7-17o on the remote side for my test environment. That will be swapped out for one under support. My issue is that I don't have the password to the production one, so my only option is to factory default it and I wanted to make sure if I did, I could get the tunnel back up.
The main one is on current firmware since it's under support.
-
@mike-davis said in site to site VPN only works with Keep Alive:
5.9.0.7-17o
That is a pretty old firmware. Update to the latest 5.9.1.7 and 5.9.1.8.
-
@dbeato said in site to site VPN only works with Keep Alive:
@mike-davis said in site to site VPN only works with Keep Alive:
5.9.0.7-17o
That is a pretty old firmware. Update to the latest 5.9.1.7 and 5.9.1.8.
I totally forgot about that. Like I said, this was a spare one I had on hand for testing and I wanted to make sure I could get the tunnel up when I factory reset the one under support since I can't log in to see its settings.
-
@mike-davis You can also still download early releases, and they work well too.
-
@mike-davis said in site to site VPN only works with Keep Alive:
about that. Like I said, this was a spare one I had on hand for testing and I wanted to make sure I could get the tunnel up when I factory reset the one under support since I can't log in to see its settings.
Also make a backup of the settings, just in case.
-
@Mike-Davis How did you end up working out this one?
-
This was one of the reasons we left SonicWall at the company, apart from the support cost.
Now, with pfSense using VpnSite, all the problems disappear.
-
@dbeato said in site to site VPN only works with Keep Alive:
@Mike-Davis How did you end up working out this one?
I think I left it with the keep alive going and the static IP on both ends.
-
@iroal said in site to site VPN only works with Keep Alive:
This was one of the reasons we left SonicWall at the company, apart from the support cost.
Now, with pfSense using VpnSite, all the problems disappear.
My first choice is Ubiquiti. In this case the Sonics came in under grant money and I had to use them.
-
@mike-davis said in site to site VPN only works with Keep Alive:
@iroal said in site to site VPN only works with Keep Alive:
This was one of the reasons we left SonicWall at the company, apart from the support cost.
Now, with pfSense using VpnSite, all the problems disappear.
My first choice is Ubiquiti. In this case the Sonics came in under grant money and I had to use them.
Even with grant money, not sure that they are worth it