The static IPsec VPN tunnel between a Huawei USG 2200 and a Sonicwall TZ 210 drops every few days. Once it drops, the USG does not renegotiate it; the administrator has to log in to the USG and restart the tunnel manually.
The log captured on the Sonicwall is:
To resolve this issue, we have two approaches:
1. Make the IKE lifetimes consistent on both peers, for example, change the IKE lifetime from 28800 to 86400 seconds on the Sonicwall:
Or change the IKE lifetime from 86400 to 28800 seconds on the USG:
[Eudemon] ike proposal 10
[Eudemon-ike-proposal-10] sa duration 28800
2. Enable DPD on the USG. DPD (Dead Peer Detection) detects whether the peer is still alive. With DPD enabled, when the IKE SA on the Sonicwall expires, the USG notices that its own SA is stale and initiates a new SA instead of holding on to the old one.
[Eudemon] ike dpd on-demand 30 5
The root cause is that the IKE lifetimes on the Sonicwall and the USG do not match.
The default IKE lifetime on the Sonicwall is 28800 seconds, while on the USG it is 86400 seconds.
When the IKE SA on the Sonicwall expires, the Sonicwall initiates a new SA, but the existing SA on the USG is still alive, so the USG drops the IKE initiation request coming from the Sonicwall.
The default IPsec VPN parameters differ between vendors, so each parameter should be checked when configuring the boxes.
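A small audit script that checks two peers' Phase 1 settings against each other and classifies a lifetime mismatch the way this note describes (added example, not part of the original note or of either vendor's tooling; the proposal fields and sample peers are constructed, only the 28800 and 86400 second defaults come from the text):

```python
"""Audit two IPsec peers' IKE Phase 1 settings for mismatches.

Added example: field names and sample values are constructed; the two
lifetimes are the vendor defaults named in the note above.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class IkeProposal:
    name: str
    encryption: str
    hash_alg: str
    dh_group: int
    ike_lifetime: int   # seconds
    dpd: bool           # Dead Peer Detection enabled on this peer


def compare_proposals(a: IkeProposal, b: IkeProposal) -> dict:
    """Return {field: (a_value, b_value)} for every field that differs (name excluded)."""
    da, db = asdict(a), asdict(b)
    return {k: (da[k], db[k]) for k in da if k != "name" and da[k] != db[k]}


def assess(a: IkeProposal, b: IkeProposal) -> dict:
    """Classify mismatches. Crypto mismatches fail negotiation outright; a
    lifetime mismatch negotiates fine but leaves the longer-lived peer holding
    a stale SA and rejecting the other side's re-key, unless that peer runs DPD."""
    diffs = compare_proposals(a, b)
    crypto_mismatch = [k for k in ("encryption", "hash_alg", "dh_group") if k in diffs]
    lifetime_mismatch = "ike_lifetime" in diffs
    longer = a if a.ike_lifetime >= b.ike_lifetime else b
    return {
        "negotiation_fails": bool(crypto_mismatch),
        "lifetime_mismatch": lifetime_mismatch,
        # seconds during which the short-lifetime peer has already expired its
        # SA while the other peer still considers the old SA alive
        "stale_sa_window": abs(a.ike_lifetime - b.ike_lifetime),
        "auto_recovers": (not lifetime_mismatch) or longer.dpd,
    }


# Constructed sample peers reflecting the note: default lifetimes, no DPD on the USG
SONICWALL = IkeProposal("Sonicwall TZ 210", "aes256", "sha1", 2, 28800, dpd=True)
USG = IkeProposal("Huawei USG 2200", "aes256", "sha1", 2, 86400, dpd=False)

if __name__ == "__main__":
    for field, (s, u) in compare_proposals(SONICWALL, USG).items():
        print(f"{field}: Sonicwall={s} USG={u}")
    print(assess(SONICWALL, USG))
```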