Let me first say, I'm new here so please be patient.
We have several SonicWall TZ 190 establishing VPN tunnels with an ASA5520. Periodically random VPN tunnels will drop and cannot re-establish a connection. In order to re-establish the dropped VPN tunnel, our firewall folks manually drop all VPN tunnels connected to the ASA (they used to physically power cycle the ASA). They claim this is the only way to resolve the problem and since the SonicWall Life Time seconds for Phase 1 and 2 are set to 28800, they reset the tunnels every 8 hours. Additionally, they claim that SonicWall IPSEC is different than Cisco IPSEC, which is the main problem. Hence they are requesting a SonicWall VPN concentrator... I think that is BS and want to get to the root cause of the problem.
Any suggestions on where to start and possible resolutions?
Hey, I would start by checking that your ASA has exactly the same lifetimes that your SonicWall has; by default ASA handles 28800 for Phase2 and 86400 for Phase1. Also, I would go ahead and disable keepalives on the tunnel-group to this SonicWall, since it is proven that Cisco keepalives are not compatible with 3rd party keepalives. If this does not work, then you would need to go ahead and debug the particular VPN tunnel when it goes down and when it is trying to come up. Debug crypto isa 50 and debug crypto ipsec 50 will give you enough information to see what is going on.
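The two configuration checks from the reply above (matching lifetimes, keepalives disabled per tunnel-group), as an added example that is not part of the original thread. The config excerpt is constructed, the function name `audit` is hypothetical, and the peer lifetimes default to the 28800 seconds given in the question.

```python
import re

# Constructed ASA running-config excerpt; peers use documentation addresses.
SAMPLE_ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 lifetime 86400
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 20 set peer 203.0.113.20
crypto map outside_map 20 set security-association lifetime seconds 3600
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive disable
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key *****
"""

ASA_P1_DEFAULT = 86400  # ASA defaults as quoted in the reply above
ASA_P2_DEFAULT = 28800

def audit(config, peer_p1=28800, peer_p2=28800):
    """Return (check, subject, value) findings for the reply's two checks."""
    p1, p2, groups, ka_off, ctx = {}, {}, [], set(), None
    for line in config.splitlines():
        if line.startswith(" "):  # sub-command of the current section
            words = line.split()
            if ctx and ctx[0] == "p1" and words[:1] == ["lifetime"]:
                p1[ctx[1]] = int(words[1])
            elif ctx and ctx[0] == "tg" and words == ["isakmp", "keepalive", "disable"]:
                ka_off.add(ctx[1])
            continue
        ctx = None
        if m := re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line):
            ctx = ("p1", m[1]); p1[m[1]] = ASA_P1_DEFAULT
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            ctx = ("tg", m[1]); groups.append(m[1])
        elif m := re.match(r"crypto map (\S+ \d+) set peer (\S+)", line):
            p2.setdefault(m[1], {})["peer"] = m[2]
        elif m := re.match(r"crypto map (\S+ \d+) set security-association lifetime seconds (\d+)", line):
            p2.setdefault(m[1], {})["life"] = int(m[2])
    out = [("phase1-lifetime", f"policy {n}", s) for n, s in p1.items() if s != peer_p1]
    for entry in p2.values():
        life = entry.get("life", ASA_P2_DEFAULT)  # no explicit value: ASA default
        if life != peer_p2:
            out.append(("phase2-lifetime", entry.get("peer", "?"), life))
    return out + [("keepalive-enabled", g, None) for g in groups if g not in ka_off]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ASA_CONFIG):
        print(finding)
```

Each finding names the policy or peer to compare against the SonicWall side before moving on to the debugs.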
I have the same issue between a customer SonicWall 6500 and our Cisco ASA5510 with 8.4.7.
So, sometimes all the SAs are down. I was just clearing the ikev1 and monitoring if the SAs got up. Unfortunately, only part of the SAs got up but the others did not. After another clear of ikev1, the other SAs go up and the working ones go down.
What solved it for me was disabling keepalive on the SonicWall and nat-disable on the Cisco ASA. Thank you Ivan for your suggestion.