Unsolved site to site VPN only works with Keep Alive

scottalanmiller

A Keep Alive is a tiny bit of "continuous" traffic sent across a link to make it look like it is in use, even when it is not. It lets both sides know that both sides are still active. It's generally a trivial amount of traffic, like a ping every five minutes. Nothing you would notice. But it lets everything know that the link has not dropped. So decently useful.

scottalanmiller

You only need a keep alive when you have no traffic. But, not having traffic can happen simply from everyone going to lunch at the same time.

Mike Davis

It's really odd. I had a continuous ping going as I was changing settings. At some point I checked the box and all the sudden I started getting replies. I kept checking and unchecking boxes until I found that that was the thing that was doing it. As soon as I turn it off, the connection drops, even though there should be a continuous ping going across the connection.

scottalanmiller

That is odd, not sure why that would be. KA should only affect you after a few minutes, at least, often more than that.

NetworkNerd

@mike-davis said in site to site VPN only works with Keep Alive:

It's really odd. I had a continuous ping going as I was changing settings. At some point I checked the box and all the sudden I started getting replies. I kept checking and unchecking boxes until I found that that was the thing that was doing it. As soon as I turn it off, the connection drops, even though there should be a continuous ping going across the connection.

Man, this sounds really odd like the issue I had with a Cisco ASA and a Meraki device, especially the part about the tunnel dropping. I know it's not the same scenario here, but this one peaked my curiosity and gave me a touch of deja vu.

I wonder if Sonicwall Support can explain it?

Mike Davis

@networknerd said in site to site VPN only works with Keep Alive:

I wonder if Sonicwall Support can explain it?

The reason I was getting this tunnel going is I'm swapping out the current SonicWall that is falling out of support for one that is under support. Once I get the one under support on a live network, I can contact support.

dbeato

@mike-davis Keep Alive is something I have enabled on all Sonicwalls for that reason. Otherwise on networks that there is no continual traffic it will stop. Cisco is notorious for this, so I have a continual ping a on a server between Cisco and AMazon. Same for SonicwALL with Network Monitor (another solution) with the Amazon VPC tunnels.

Mike Davis

It's really odd because I have an existing tunnel that has been up for 2 years with no issues on that same SonicWall and it doesn't have the keep alive enabled.

dbeato

@mike-davis What firmware are you on?

Mike Davis

@dbeato said in site to site VPN only works with Keep Alive:

@mike-davis What firmware are you on?

5.9.0.7-17o on the remote side for my test environment. That will be swapped out for one under support. My issue is that I don't have the password to the production one, so my only option is to factory default it and I wanted to make sure if I did, I could get the tunnel back up.

The main is is current firmware since it's under support.

dbeato

@mike-davis said in site to site VPN only works with Keep Alive:

5.9.0.7-17o

That is a pretty old firmware. Update to the latest 5.9.1.7 and 5.9.1.8.

Mike Davis

@dbeato said in site to site VPN only works with Keep Alive:

@mike-davis said in site to site VPN only works with Keep Alive:

5.9.0.7-17o

That is a pretty old firmware. Update to the latest 5.9.1.7 and 5.9.1.8.

I totally forgot about that. Like I said, this was a spare one I had on hand for testing and I wanted to make sure I could get the tunnel up when I factory reset the one under support since I can't log in to see its settings.

dbeato

@mike-davis You also can still download Early releases and they do work well too.

dbeato

@mike-davis said in site to site VPN only works with Keep Alive:

about that. Like I said, this was a spare one I had on hand for testing and I wanted to make sure I could get the tunnel up when I factory reset the one under support since I can't log in to see its settings.

Make a backup also of the settings as well just in case.

dbeato

@Mike-Davis How did you end up working out this one?

iroal

This was one of the reasons we leave sonicwall in the company, apart of the support cost.

Now with Pfsense using VpnSite all problems disappears.

Mike Davis

@dbeato said in site to site VPN only works with Keep Alive:

@Mike-Davis How did you end up working out this one?

I think I left it with the keep alive going and the static IP on both ends.

Mike Davis

@iroal said in site to site VPN only works with Keep Alive:

This was one of the reasons we leave sonicwall in the company, apart of the support cost.
Now with Pfsense using VpnSite all problems disappears.

My first choice is Ubiquiti. In this case the Sonics came in under grant money and I had to use them.

scottalanmiller

@mike-davis said in site to site VPN only works with Keep Alive:

@iroal said in site to site VPN only works with Keep Alive:

This was one of the reasons we leave sonicwall in the company, apart of the support cost.
Now with Pfsense using VpnSite all problems disappears.

My first choice is Ubiquiti. In this case the Sonics came in under grant money and I had to use them.

Even with grant money, not sure that they are worth it

Mike Davis

I really don't like grant money. It sounds like a good idea, but when you actually see how it works, it's such a waste. As a tax payer I would like to see the system changed. As a tax payer, I would rather see ubiquiti gear and OpenDNS go in than a SonicWall with content filtering and VPN licenses.