IPSEC drops link to older sonicwall os *Solved* Thanks jimp



  • Hey guys I don't have a lot of issues with pfsense hence the first post. This is driving me nuts hehe.

    I have several ipsec vpns connected to my main pf box. I have a total of 14 different locations all connected to here. I have 2 links to older Sonicwall hardware, pro230, pro300, and they are running the older sonicwall 6.3 firmware. I have 3 more links going out to newer sonicwall hardware NSA2400's running SonicOS. The rest of the links are a mixture of pf and mono alix boxes. The vpns are used to connect my clients and monitor their hardware via nagios.

    This all works perfectly except one thing: it seems about 3-4 times a day the link to the older Sonicwall hardware/software will just stop working. Status is still connected etc.; if I disable the tunnel then immediately re-enable it, everything is perfect. If I do nothing it will eventually time out and reconnect itself, but it usually takes around an hour. This causes my nagios to go crazy because it believes the host is down, which then starts notifying my phone and becomes annoying very quickly.

    The connections to the newer Sonicwalls never time out and will stay connected for months, same with the mono/pf boxes. Any ideas? I have tried playing with DPD, and have keep alive enabled to the remote host, but none of this seems to work. Is there a shell command to "HUP" the tunnel? If so I could use nagios to first reinit the connection before alerting me etc. Just looking for ideas, hope this all makes sense lol.

    Kyle


  • Rebel Alliance Developer Netgate

    You might try to check the box for "prefer older IPsec SA" under System > Advanced. I've had to use that before when linking up to odd third-party devices.



  • I have bad experience with Sonicwalls, you never know when it goes down and you never know what makes it go up… -(



  • jimp you might just really be a hero lol. Approaching 24 hours without a drop to those two older Sonicwalls. The worst is I have been dealing with this issue for a few weeks now and it was a stupid checkbox lol.

    So what exactly did checking the box do to fix it? Just curious.


  • Rebel Alliance Developer Netgate

    @KForce:

    jimp you might just really be a hero lol. Approaching 24 hours without a drop to those two older Sonicwalls. The worst is I have been dealing with this issue for a few weeks now and it was a stupid checkbox lol.

    So what exactly did checking the box do to fix it? Just curious.

    Good to hear :-)

    That box does what it says, really. Sometimes a new SA is created but one side or the other keeps trying the old one instead of preferring the new one, and then the tunnel breaks. With that box checked, they will prefer to use the older SA and it keeps some older/quirky equipment happy.



  • Very good! That fixed my problem, 3 days now without a drop. pF on 2D3's is the only way to go lol, 45 tunnels and not a single flaw now.
