Tunnels go down randomly and come back up within 60 seconds

Site A
XTM525 FireCluster
12.0.2.B546738

Site B
SonicWall

Once in a while I'll get these notifications:

Appliance: Member2
Time: Tue May 12 03:45:23 2020 (PDT)
Process: iked
Message: BOVPN tunnel 'SWA2SEAL' local 192.168.69.0/255.255.255.0 remote 192.168.7.0/255.255.255.0 under gateway 'SWA' is down

They come back up pretty quick. However, this always happens when data is getting requested from site B.

We have contacted the ISPs involved, and they can't see any issues with the circuit.

Here are the configs:

WatchGuard
Gateway
Local: 1.1.1.1
Remote: 2.2.2.2
Shared key: *******
Phase 1: IKEv1
Mode: Main
NAT Traversal: 20 seconds
DPD (RFC 3706):
Traffic idle 60 seconds
Max Retries: 3
Transform Settings:
Phase 1: SHA1-3DES
Key Group: Diffie-Hellman Group 2

Tunnels
192.168.8.0/24<=>192.1.1.200
192.168.8.0/24<=>192.168.7.0/24
192.168.8.0/2<=>192.168.77.0/24
192.168.8.0/24<=>192.168.168.10.0/23
192.168.69.0/24<=>192.1.1.200
192.168.69.0/24<=>192.168.7.0/24
192.168.69.0/24<=>192.168.77.0/24
192.168.69.0/24<=>192.168.10.0/23
192.168.113.0/24<=>192.1.1.200
192.168.113.0/24<=>192.168.7.0/24

Phase 2: ESP, SHA1, AES256, FKE 1HR

SonicWall
Gateway
Local: 2.2.22.2
Remote: 1.1.1.1
Shared key: *******
Phase 1: IKEv1
Mode: Main
DPD (RFC 3706):
Traffic idle 60 seconds
Max Retries: 3
Transform Settings:
Phase 1: SHA1-3DES
Key Group: Diffie-Hellman Group 2

Tunnels
192.1.1.200<=>192.168.8.0/24
192.168.7.0/24<=>192.168.8.0/24
192.168.77.0/24<=>192.168.8.0/24
192.168.10.0/24<=>192.168.168.8.0/23
192.1.1.200<=>192.168.69.0/24
192.168.7.0/24<=>192.168.69.0/24
192.168.77.0/24<=>192.168.69.0/24
192.168.10.0/24<=>192.168.69.0/23
192.1.1.200<=>192.168.113.0/24
192.168.7.0/24<=>192.168.113.0/24

Phase 2: ESP, SHA1, AES256, FKE 1HR

Is there a special way to configure a BOVPN to SonicWalls?
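Added example, not part of the post and not a WatchGuard tool: a small Python script that reads iked notifications in the shape quoted above, pairs each tunnel's "is down" with the next "is up" for the same local/remote pair, and reports how long each outage lasted, so the "comes back within 60 seconds" observation can be checked against the log instead of estimated, and the down timestamps lined up against the times site B was pulling data. The sample notifications are constructed; only the "is down" wording appears in the post, so the "is up" message format is an assumption.

```python
import re
from datetime import datetime

# Constructed sample notifications in the same shape as the alert quoted in the
# post. Only the "is down" wording appears in the post; the matching "is up"
# message is an assumed format used here so that outages can be paired.
SAMPLE_NOTIFICATIONS = """\
Appliance: Member2
Time: Tue May 12 03:45:23 2020 (PDT)
Process: iked
Message: BOVPN tunnel 'SWA2SEAL' local 192.168.69.0/255.255.255.0 remote 192.168.7.0/255.255.255.0 under gateway 'SWA' is down

Appliance: Member2
Time: Tue May 12 03:46:05 2020 (PDT)
Process: iked
Message: BOVPN tunnel 'SWA2SEAL' local 192.168.69.0/255.255.255.0 remote 192.168.7.0/255.255.255.0 under gateway 'SWA' is up

Appliance: Member2
Time: Tue May 12 04:10:00 2020 (PDT)
Process: iked
Message: BOVPN tunnel 'SWA2SEAL' local 192.168.8.0/255.255.255.0 remote 192.168.77.0/255.255.255.0 under gateway 'SWA' is down

Appliance: Member2
Time: Tue May 12 04:11:30 2020 (PDT)
Process: iked
Message: BOVPN tunnel 'SWA2SEAL' local 192.168.8.0/255.255.255.0 remote 192.168.77.0/255.255.255.0 under gateway 'SWA' is up

Appliance: Member2
Time: Tue May 12 05:00:00 2020 (PDT)
Process: iked
Message: BOVPN tunnel 'SWA2SEAL' local 192.168.113.0/255.255.255.0 remote 192.168.7.0/255.255.255.0 under gateway 'SWA' is down
"""

MSG_RE = re.compile(
    r"BOVPN tunnel '(?P<name>[^']+)' local (?P<local>\S+) remote (?P<remote>\S+) "
    r"under gateway '(?P<gateway>[^']+)' is (?P<state>up|down)"
)
TZ_SUFFIX_RE = re.compile(r"\s*\([A-Za-z]+\)\s*$")


def parse_notifications(text):
    """Turn blank-line separated alert blocks into sorted (timestamp, tunnel, state) events."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value.strip()
        m = MSG_RE.search(fields.get("Message", ""))
        if not m:
            continue  # not a tunnel up/down message; ignore it
        # Time is logged as "Tue May 12 03:45:23 2020 (PDT)"; drop the zone label
        stamp = TZ_SUFFIX_RE.sub("", fields["Time"])
        ts = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        # One gateway covers several selector pairs, so key on local<=>remote
        tunnel = f"{m['local']}<=>{m['remote']}"
        events.append((ts, tunnel, m["state"]))
    events.sort(key=lambda e: e[0])
    return events


def compute_outages(events):
    """Pair each 'down' with the next 'up' for the same tunnel; an unpaired 'down' stays open."""
    open_down = {}
    outages = []
    for ts, tunnel, state in events:
        if state == "down":
            open_down.setdefault(tunnel, ts)  # keep the first 'down' if repeated
        elif tunnel in open_down:
            down_at = open_down.pop(tunnel)
            outages.append({"tunnel": tunnel, "down_at": down_at, "up_at": ts,
                            "seconds": int((ts - down_at).total_seconds())})
    for tunnel, down_at in open_down.items():
        outages.append({"tunnel": tunnel, "down_at": down_at, "up_at": None, "seconds": None})
    outages.sort(key=lambda o: o["down_at"])
    return outages


def longer_than(outages, limit_seconds):
    """Outages that exceeded the limit, plus any still open (no 'up' seen yet)."""
    return [o for o in outages if o["seconds"] is None or o["seconds"] > limit_seconds]


if __name__ == "__main__":
    for o in compute_outages(parse_notifications(SAMPLE_NOTIFICATIONS)):
        length = "still down" if o["seconds"] is None else f"{o['seconds']} s"
        print(f"{o['down_at']:%Y-%m-%d %H:%M:%S}  {o['tunnel']}  {length}")
```

Feed it the notification e-mails (or the exported log) from both FireCluster members; if every outage lands in the same short window and starts whenever site B begins a transfer, that points at the tunnel being renegotiated on demand rather than at the circuit.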

Comments

  • If there is no data going through the tunnel for a period of time, it will go down. Then it will take a little time for the tunnel to come back up.
    One option to keep the tunnel up is to use a management tool which will send pings to something at the other end of the tunnel every 60 seconds.

    There are many tools which can do this.
    At a previous site, I used Servers Alive.
    www.woodstone.nu/salive
    There is a free trial

  • Briggs,

    Thank you for the tip. I'll look into it.
