Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic


Greetings,

 

I have several MX64-Non-Meraki (SonicWALL TZ205w and TZ300) VPNs.  Generally, all of them work without issue.  However, for no apparent reason, some of them will stop passing traffic.  If I look at the SonicWALL, it says the tunnel is online, but it isn't.  Once I renegotiate the tunnel, the VPN starts passing traffic again within seconds.  The other weird thing is that it doesn't drop all the tunnels between the devices.  I thought we were getting false positives, as I could ping the site from my workstation VLAN, but I then found that I couldn't do so from my server VLAN.

 

Any ideas on what is causing this?

 

Thanks,

 

Jeremy


Re: Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

See if the SonicWall has an option to enable dead peer detection and/or keepalives. 

Re: Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

They do and they are all enabled.

Re: Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

This is the exact behavior I'm seeing on my SonicWall NSA -> Meraki VPN setup.

Re: Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

I had the same problem with Sophos UTMs and I had to disable NAT-T.  Meraki support had to disable it on their end.  It might be worth looking into.

Re: Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

Thanks for this heads up. A ticket was open and I'll have them try that first.

Re: Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

I've had success in the past with having support disable NAT-T. It was between an ASA and an MX65, but I had a tunnel that just kept... dropping. Up and happy for a while, then boom splat unhappy remote site with no DNS.

 

After support disabled NAT-T, it has stayed up successfully for almost two months. I hope you get the same result!
