02-04-2009 10:33 AM
Let me first say, I'm new here so please be patient.
We have several SonicWall TZ 190s establishing VPN tunnels with an ASA5520. Periodically, random VPN tunnels will drop and cannot re-establish a connection. In order to re-establish the dropped VPN tunnel, our firewall folks manually drop all VPN tunnels connected to the ASA (they used to physically power cycle the ASA). They claim this is the only way to resolve the problem, and since the SonicWall lifetime seconds for Phase 1 and 2 are set to 28800, they reset the tunnels every 8 hours. Additionally, they claim that SonicWall IPSEC is different than Cisco IPSEC, which is the main problem. Hence they are requesting a SonicWall VPN concentrator... I think that is BS and want to get to the root cause of the problem.
Any suggestions on where to start and possible resolutions?
02-04-2009 05:27 PM
Hey, I would start by checking that your ASA has exactly the same lifetimes that your SonicWall has; by default the ASA handles 28800 for Phase 2 and 86400 for Phase 1. I would also go ahead and disable keepalives on the tunnel-group to this SonicWall, since it is proven that Cisco keepalives are not compatible with 3rd party keepalives. If this does not work, then you would need to go ahead and debug the particular VPN tunnel when it goes down and when it is trying to come up. Debug crypto isa 50 and debug crypto ipsec 50 will give you enough information to see what is going on.
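The ASA-side changes suggested in the reply above, written out as an added example that is not part of the original thread. It assumes the pre-8.4 command syntax (crypto isakmp; 8.4 and later use crypto ikev1) and an existing tunnel; the policy number 10, crypto map name outside_map, sequence 20 and peer address 203.0.113.10 are placeholders.

```cisco
! Constructed example: names, sequence numbers and the peer address are placeholders.
!
! Phase 1 (IKE): the ASA default is 86400 s, so set it to the SonicWall's 28800 s.
crypto isakmp policy 10
 lifetime 28800
!
! Phase 2 (IPsec): set the lifetime explicitly on the crypto map entry for this peer.
crypto map outside_map 20 set security-association lifetime seconds 28800
!
! Disable IKE keepalives toward the third-party peer only.
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive disable
!
! From privileged EXEC, after the tunnel re-establishes, check the negotiated lifetimes.
show crypto isakmp sa detail
show crypto ipsec sa peer 203.0.113.10
```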
02-04-2009 06:37 PM
I used to have 4 LAN-2-LAN VPN tunnels between a Pix515 and SonicWall firewalls. Both Phase 1 and Phase 2 timeout settings are identical between the Pix and SonicWall devices. Everything was working great with Pix code version 6.3(5).
Ever since I upgraded the Pix to version 8.0(4), I ran into the exact issue you described. Since these are just my test tunnels, I did not spend much time troubleshooting it. Disabling keepalive did not help either.
Looks like 7.x and 8.x are still buggy. Unfortunately, you cannot run version 6.3(5) on an ASA.
03-05-2009 06:08 PM
I have been running SonicWall to ASA 5510 L2L VPN without issue for a year plus. I did not have a problem until I upgraded to ASA 7.24.
I rolled back to 7.22 and don't seem to have the issue.
What version of ASA software are you running?
05-24-2013 07:00 PM
Hi, I have some trouble. But my peer is like a black box. I just know that it is a SonicWall device.
I have an instruction: if the VPN goes down, run "clear ipsec sa peer IP.IP.IP.IP". Sometimes it is up for a month, sometimes it goes down 2-3 times a week.
How can I understand what happens?
And is there any way to bring the VPN up without an operator?
On my side I have:
ASA-5520> sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ASA-5520 up 1 year 75 days
failover cluster up 1 year 75 days
Hardware: ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
02-03-2014 02:31 AM
Hi,
I have the same issue between a customer SonicWall 6500 and our Cisco ASA5510 with 8.4.7.
So, sometimes all the SAs are down. I was just clearing the ikev1 and monitoring whether the SAs came up. Unfortunately, only part of the SAs came up but the others did not. After another clear of ikev1, the other SAs come up and the working ones go down.
What solved it for me was disabling keepalive on the SonicWall and nat-disable on the Cisco ASA. Thank you Ivan for your suggestion.
Hope it will work for others.
01-21-2019 10:50 PM
Please run this command:
isakmp keepalive threshold 10 retry 2