3 Replies Latest reply on Jul 10, 2013 5:03 AM by vmaxdawg05

    Dynamic VPN with Sonicwall fails after a period of time

    vmaxdawg05 Past_Featured_Member

      I have a couple of NetVanta 3120 routers that are used in homes for IP phones to a main office.  The main office uses a Sonicwall.  The VPN connections are dynamic due to the lack of static IP addresses at the employees' residences.  The VPN works fine when first connected, but after a period of time, the VPN LED starts slowly flashing green.  I can no longer pass traffic through the VPN, but Internet is still working fine.  Simply shutting down eth 0/1 and bringing it back up will cause the VPN to reconnect when interesting traffic is presented.

       

      While flashing slow green, I ran some commands to view the IKE SA and IPSEC SA.  Results are listed below.  Any insight would be greatly appreciated:

       

      remote3: ADTRAN, Inc. OS version R10.6.0.E

      Platform: NetVanta 3120, Part Number 1700600L2, Serial Number LBADTN0804AC308

       

      --------------------------------------------------

      Capture triggered on Wed May 22 2013 at 07:48:54 EDT

      --------------------------------------------------

      do ping 10.100.1.200 source 10.100.4.1 repeat 4

      Type CTRL+C to abort.

      Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address

              '*' = Request timed out, '-' = Destination host unreachable

              'x' = TTL expired in transit, 'e' = Unknown error

       

      Sending 4, 100-byte ICMP Echos to 10.100.1.200, timeout is 2 seconds:

      ****

      Success rate is 0 percent (0/4)

      remote3(config)#do ping 8.8.8.8 repeat 4

      Type CTRL+C to abort.

      Legend: '!' = Success, '?' = Unknown host, '$' = Invalid host address

              '*' = Request timed out, '-' = Destination host unreachable

              'x' = TTL expired in transit, 'e' = Unknown error

       

      Sending 4, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

      !!!!

      Success rate is 100 percent (4/4), round-trip min/avg/max = 18/20/23 ms

      remote3(config)#do show cry ike sa

      Using 1 SAs out of 20

      Peak concurrent SAs: 1

      IKE Security Associations:

       

      Peer IP Address: 98.190.241.198

        Remote ID: williamsburg

        Lifetime: 28795

        Status: UP (SA_MATURE)

        IKE Policy: 100

        NAT-traversal: V2

        Detected NAT / Behind NAT: Yes / Yes

        Dead Peer Detection: Yes

       

      remote3(config)#do show cry ipsec sa

      2 current IPv4 IPsec SAs on default VRF

      2 current IPv4 + IPv6 IPsec SAs on all VRFs (4 peak of 40 max)

       

      IPsec Security Associations:

       

      Peer IP Address: 10.83.4.185

        Remote ID: williamsburg

        Crypto Map: VPN 10

        Direction: Inbound

        Encapsulation: ESP

        SPI: 0xA0302286 (2687509126)

        RX Bytes: 24836

        Selectors: Src:10.100.1.0/255.255.255.0  Port:ANY  Proto:ALL IP

      Dst:10.100.4.0/255.255.255.0 Port:ANY  Proto:ALL IP

        Hard Lifetime: 2160

        Soft Lifetime: 0

        Out-of-Sequence Errors: 0

       

      Peer IP Address: 98.190.241.198

        Remote ID: williamsburg

        Crypto Map: VPN 10

        Direction: Outbound

        Encapsulation: ESP

        SPI: 0x103F77E9 (272594921)

        TX Bytes: 25656

        Selectors: Src:10.100.4.0/255.255.255.0 Port:ANY  Proto:ALL IP

      Dst:10.100.1.0/255.255.255.0 Port:ANY  Proto:ALL IP

        Hard Lifetime: 2160

        Soft Lifetime: 2130

       

      remote3(config)#
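
A check that a monitoring host could run over two successive `show crypto ipsec sa` captures to flag the state described in the post above, where SAs are present and traffic is sent but nothing comes back. This is an added example, not part of the original post and not ADTRAN tooling. The sample captures are constructed, the function names are hypothetical, and treating "outbound bytes grew while inbound bytes stayed flat" as a stalled tunnel is a heuristic assumption.

```python
import re

# Constructed sample in the format of the `show crypto ipsec sa` output above
# (addresses are documentation ranges, counters are made up).
CAPTURE_T0 = """\
Peer IP Address: 192.0.2.10
  Remote ID: office
  Direction: Inbound
  SPI: 0xA0000001 (2684354561)
  RX Bytes: 24836
  Hard Lifetime: 2160

Peer IP Address: 192.0.2.10
  Remote ID: office
  Direction: Outbound
  SPI: 0x10000002 (268435458)
  TX Bytes: 25656
  Hard Lifetime: 2160
"""
# Second constructed capture: outbound counter moved, inbound did not.
CAPTURE_T1 = CAPTURE_T0.replace("TX Bytes: 25656", "TX Bytes: 31200")


def parse_ipsec_sas(text):
    """Return {SPI: fields} with one entry per 'Peer IP Address:' block."""
    sas = {}
    for block in re.split(r"(?m)^(?=\s*Peer IP Address:)", text):
        fields = dict(re.findall(r"(?m)^\s*([A-Za-z][\w /-]*?):\s*(.+?)\s*$", block))
        if "SPI" in fields:
            fields["bytes"] = int(fields.get("RX Bytes") or fields.get("TX Bytes") or 0)
            sas[fields["SPI"].split()[0]] = fields
    return sas


def one_way_tunnels(before, after):
    """Remote IDs whose outbound SA sent bytes while the inbound SA, with an
    unchanged SPI, received none between the two captures."""
    old, new = parse_ipsec_sas(before), parse_ipsec_sas(after)
    delta = {}
    for spi, sa in new.items():
        if spi in old:  # same SA in both captures, i.e. no rekey in between
            per_dir = delta.setdefault(sa["Remote ID"], {})
            per_dir[sa["Direction"]] = sa["bytes"] - old[spi]["bytes"]
    return sorted(rid for rid, d in delta.items()
                  if d.get("Outbound", 0) > 0 and d.get("Inbound") == 0)


if __name__ == "__main__":
    print(one_way_tunnels(CAPTURE_T0, CAPTURE_T1))
```

SAs whose SPI changed between captures are skipped, so a rekey in the interval produces no verdict instead of a false alarm.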