Meraki

Community

Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

DunJer622
Building a reputation
‎Feb 15 2019 3:33 PM
‎Feb 15 2019 3:33 PM

Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

Greetings,

 

I have several MX64-Non-Meraki (SonicWALL TZ205w and TZ300) VPNs.  Generally, all of them work without issue.  However, for no apparent reason, some of them will stop passing traffic.  If I look at the SonicWALL, it says the tunnel is online, but it isn't.  Once I renegotiate the tunnel, the VPN starts passing traffic again within seconds.  The other weird thing is that it doesn't drop all the tunnels between the devices.  I thought we were getting false positives, as I could ping the site from my workstation VLAN, but I then found that I couldn't do so from my server VLAN.

 

Any ideas on what is causing this?

 

Thanks,

 

Jeremy

8 Replies 8
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 15 2019 5:17 PM
‎Feb 15 2019 5:17 PM

See if the SonicWall has an option to enable dead peer detection and/or keepalives. 

In response to PhilipDAth
DunJer622
Building a reputation
‎Feb 18 2019 9:25 AM
‎Feb 18 2019 9:25 AM

They do and they are all enabled.

0 Kudos
JamesMN140
New here
‎May 13 2019 3:23 PM
‎May 13 2019 3:23 PM

This is the exact behavior i'm seeing on my Sonicwall NSA -> Meraki VPN setup.
0 Kudos
In response to JamesMN140
JohnT
Getting noticed
‎May 13 2019 4:22 PM
‎May 13 2019 4:22 PM

I had the same problem with Sophos UTM's and I had to disable NAT-T.  Meraki support had to disable it on their end.  It might be worth looking in to.

In response to JohnT
JamesMN140
New here
‎May 13 2019 4:31 PM
‎May 13 2019 4:31 PM

Thanks for this heads up. A ticket was open and i'll have them try that first.

0 Kudos
In response to JamesMN140
Nash
Kind of a big deal
‎May 15 2019 6:26 AM
‎May 15 2019 6:26 AM

I've had success in the past with having support disable nat-t. It was between an ASA and an MX65, but I had a tunnel that just kept... dropping. Up and happy for a while, then boom splat unhappy remote site with no DNS.

 

After support disabled NAT-T, it has stayed up successfully for almost two months. I hope you get the same result!

Windows 10 Client VPN scripts: Makes life better!
Sprocket
Getting noticed
‎Nov 6 2019 3:54 AM
‎Nov 6 2019 3:54 AM

+1

0 Kudos
GaryShainberg
Building a reputation
‎Nov 6 2019 4:19 AM
‎Nov 6 2019 4:19 AM

HI there,

 

Having just completed both the SNSA and SNSP courses, one of the things that was highlighted was to make sure only one end of the site has keep-alives active, unfortunately on the Meraki side there is no keep-alive option so you must make sure this is enabled on the Sonicwall side, also you might find playing with the MTU may also work.

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.