sonicwall vpn trouble

Diaonic

Senior member
May 3, 2002
I am having problems with my SonicWall dropping my VPN connection. I have the latest firmware. What happens is, it drops the connection, then I have to manually go into the settings and renegotiate the connection, then the response picks back up and it's fine for a day or so. I disabled Dead Peer Detection in hopes that it would solve the problem, but nothing so far.

I am using a SonicWall Pro 200, unlimited users. It's running: content filtering, VPN, and being a gateway.

Anyone have any ideas?

I can post more detailed information if someone needs it. Just not sure what else you would need.
 

Boscoh

Senior member
Jan 23, 2002
Have you seen any pattern in the dropping of the connection? Is it every day, every 2 days, is it every 6 hours, 36 hours...etc. Does it happen at night, when there might not be any traffic flowing over the link?

Make sure of the following things:

1) You have ICMP Unreachables enabled on both devices. This is so Path MTU discovery works and the client can detect the appropriate MTU to make their packets. If you have ICMP disabled, you need to at least enable Unreachables.

2) If you have the ability to set IPSec Security-Association lifetimes (or key lifetimes), and ISAKMP (IKE) lifetimes, make sure the ISAKMP lifetime is longer than the IPSec lifetime. Do not make them the same, do not make IPSec longer than ISAKMP.

3) Ensure that you have ISAKMP keepalives enabled.

I'd also leave DPD enabled.
 

Diaonic

Senior member
May 3, 2002
Problem is, I only have access to 1 of the two points for the VPN. I was just trying to cover my tracks, so I know the problem isn't on my end.

 

Boscoh

Senior member
Jan 23, 2002
You need to make sure all the VPN settings match exactly on both ends. If they don't, that's part of your problem. You need to find out what the settings are on the other end before you can troubleshoot further.
 

mboy

Diamond Member
Jul 29, 2001
What is the other endpoint? Is it the Global VPN Client, the old VPN client 8, or something else acting as an endpoint?
I have my MTU set @ 140 and have the fragment outbound packets option checked off. No dropping (I mean NEVER) of my Snapgear 550 endpoint connection and no reports of any from my remote users who use the latest Global VPN Client (2.1).
 

Diaonic

Senior member
May 3, 2002
The other end is another SonicWall running a global VPN; both endpoints are SonicWalls, for that matter.

 

mboy

Diamond Member
Jul 29, 2001
Are you running the VPN via the Global VPN CLIENT or are both endpoints SonicWall BOXES?
 

mboy

Diamond Member
Jul 29, 2001
Yeah, the SAs need to be IDENTICAL on both boxes or bad things will happen :)

I am having ZERO issues with my SW Pro 200 to Snapgear SME 550 running 256AES VPN 24x7 with keys changing every 8 minutes or so. ROCK solid with the newest firmware for both.
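
The checks suggested in this thread (identical settings on both peers, an IKE lifetime longer than the IPsec lifetime, keepalives and DPD enabled, and looking for a pattern in when the tunnel drops) can be scripted. The following is an added example, not code from any poster or from SonicWall; the field names and all sample values are hypothetical and would be transcribed by hand from each peer's VPN policy page and log.

```python
from datetime import datetime
from statistics import median

# Hypothetical field names; fill in by hand from each peer's VPN policy page.
MUST_MATCH = ("ike_enc", "ike_hash", "dh_group", "ike_life_s",
              "ipsec_enc", "ipsec_hash", "ipsec_life_s", "pfs")

def audit_peers(local, remote):
    """List policy problems for a site-to-site tunnel pair."""
    findings = [f"mismatch {k}: local={local.get(k)!r} remote={remote.get(k)!r}"
                for k in MUST_MATCH if local.get(k) != remote.get(k)]
    for name, peer in (("local", local), ("remote", remote)):
        if peer["ike_life_s"] <= peer["ipsec_life_s"]:
            findings.append(f"{name}: IKE lifetime is not longer than IPsec lifetime")
        for flag in ("keepalive", "dpd"):
            if not peer.get(flag):
                findings.append(f"{name}: {flag} disabled")
    return findings

def drop_pattern(timestamps, lifetimes_s, tolerance=0.05):
    """Return (median gap in seconds, longest lifetime the gap is a near-multiple of)."""
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return None, None  # fewer than two drops: no interval to measure
    gap = median(gaps)
    for label, life in sorted(lifetimes_s.items(), key=lambda kv: -kv[1]):
        multiple = round(gap / life)
        if multiple >= 1 and abs(gap / life - multiple) <= tolerance:
            return gap, label
    return gap, None

# Constructed sample values, not taken from the thread.
LOCAL = {"ike_enc": "aes256", "ike_hash": "sha1", "dh_group": 2, "ike_life_s": 28800,
         "ipsec_enc": "aes256", "ipsec_hash": "sha1", "ipsec_life_s": 28800,
         "pfs": False, "keepalive": True, "dpd": False}
REMOTE = dict(LOCAL, ipsec_life_s=3600, dpd=True)
DROPS = ["2024-03-01T02:00:10", "2024-03-01T10:00:05",
         "2024-03-01T18:00:20", "2024-03-02T02:00:12"]

if __name__ == "__main__":
    for finding in audit_peers(LOCAL, REMOTE):
        print(finding)
    print(drop_pattern(DROPS, {"ike": LOCAL["ike_life_s"], "ipsec": REMOTE["ipsec_life_s"]}))
```

A drop interval that lines up with one of the lifetimes points at rekeying rather than at the link itself, which is where the lifetime and matching-settings checks become the first things to fix.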