
The VPN tunnel between USG and Sonicwall drops every few days

Publication Date:  2012-09-15 Views:  140 Downloads:  0
Issue Description
The static IPsec VPN tunnel between a Huawei USG 2200 and a Sonicwall TZ 210 drops every few days. Once it drops, the USG does not renegotiate; the administrator has to log in to the USG and restart the tunnel manually.

Alarm Information
The log grabbed on Sonicwall is:
Handling Process
There are two ways to resolve this issue:
1. Make the IKE lifetimes consistent, for example by changing the IKE lifetime from 28800 to 86400 on the Sonicwall:

Or change the IKE lifetime from 86400 to 28800 on the USG:
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] sa duration 28800

2. Enable DPD on the USG. DPD (Dead Peer Detection) detects whether the peer is still alive. With DPD enabled, when the IKE SA on the Sonicwall expires, the USG notices it and initiates a new SA:
[Eudemon] ike dpd on-demand 30 5
Root Cause
The root cause is that the IKE lifetimes on the Sonicwall and the USG do not match.
The default IKE lifetime on the Sonicwall is 28800 seconds, while on the USG it is 86400 seconds.
When the IKE SA on the Sonicwall expires, the Sonicwall initiates a new SA, but the existing SA on the USG is still alive, so the USG drops the IKE initiation request coming from the Sonicwall.
Suggestions
The default IPsec VPN parameters differ between vendors, so each parameter should be checked on both devices when configuring the tunnel.
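A consistency check for the settings in the Handling Process and this suggestion, added here as an example that is not part of this article or of Huawei or SonicWall tooling: it parses a constructed USG excerpt written in the `ike proposal` / `sa duration` / `ike dpd on-demand` syntax shown above, compares it with a constructed dictionary of the Sonicwall values, and reports the lifetime mismatch and missing DPD that caused this case. The numeric arguments of `ike dpd` are recorded but not interpreted.

```python
import re

# Constructed USG excerpt in the syntax used in this article (not a real device dump).
USG_CONFIG = """\
 ike proposal 10
  sa duration 86400
#
"""
# Constructed Sonicwall-side values, keyed by the matching USG parameter name.
PEER_CONFIG = {"sa duration": 28800}


def parse_usg_ike(config):
    """Return (proposals, dpd) from USG config text.

    proposals: {id: {param: value}} with param = line text before the last
    token (e.g. 'sa duration' -> '86400').  dpd: (mode, [numbers]) from an
    'ike dpd ...' line, or None when DPD is not configured.
    """
    proposals, dpd, current = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # '#' ends a config block
            current = None
            continue
        m = re.match(r"ike proposal (\d+)$", line)
        if m:
            current = proposals.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"ike dpd (\S+)((?:\s+\d+)*)$", line)
        if m:
            dpd = (m.group(1), [int(x) for x in m.group(2).split()])
            current = None
            continue
        if current is not None:
            key, _, value = line.rpartition(" ")
            current[key] = value
    return proposals, dpd


def check_ike(usg_config, peer, proposal_id):
    """List mismatches between one USG proposal and the peer's values.

    An empty list means the compared parameters agree.  Missing DPD is also
    reported, since DPD is what lets the USG notice the peer's expired SA.
    """
    proposals, dpd = parse_usg_ike(usg_config)
    params = proposals.get(proposal_id, {})
    findings = []
    for key, peer_value in peer.items():
        usg_value = params.get(key)
        if usg_value is None:
            findings.append(f"{key}: not set in USG proposal {proposal_id}")
        elif str(usg_value) != str(peer_value):
            findings.append(f"{key}: USG={usg_value} peer={peer_value}")
    if dpd is None:
        findings.append("dpd: not configured on USG")
    return findings
```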
