Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

DunJer622
Building a reputation

Site-to-Site VPN from MX64 to Non-Meraki (SonicWALL TZ) stops passing traffic

Greetings,

I have several MX64-Non-Meraki (SonicWALL TZ205w and TZ300) VPNs.  Generally, all of them work without issue.  However, for no apparent reason, some of them will stop passing traffic.  If I look at the SonicWALL, it says the tunnel is online, but it isn't.  Once I renegotiate the tunnel, the VPN starts passing traffic again within seconds.  The other weird thing is that it doesn't drop all the tunnels between the devices.  I thought we were getting false positives, as I could ping the site from my workstation VLAN, but I then found that I couldn't do so from my server VLAN.

Any ideas on what is causing this?

Thanks,

Jeremy
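The symptom above (firewall says the tunnel is up, one VLAN reaches the remote site, another does not) is easy to miss if your monitoring pings a single remote host from a single VLAN. Below is an added example, not code from the thread or from Meraki or SonicWall, that probes one target per traffic selector and classifies the tunnel as healthy, partially failed, "up but stale", or down. The subnets, addresses, and the `fake_probe_server_vlan_dead` result are constructed; `icmp_probe` assumes a Linux host with iputils `ping` and an address in each local subnet so the echo request is sourced from the right selector.

```python
"""Per-selector reachability check for a site-to-site IPsec tunnel.

Added example, not code from the thread or from Meraki/SonicWall. It models the
symptom in the original post: the firewall reports the tunnel "up", yet traffic
for only some traffic selectors (here, the server VLAN) stops flowing while
others (the workstation VLAN) still pass. A single ping from one VLAN therefore
gives a false "healthy". Probing one target per selector catches the partial
failure and tells you which phase-2 SA to renegotiate.

The probe is injected so the decision logic can run offline against
constructed results; icmp_probe() is the real implementation (assumes a Linux
host with iputils ping and an interface address in each local subnet).
"""
import subprocess
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Selector:
    """One phase-2 traffic selector plus a probe target inside the remote subnet."""
    local_net: str    # local subnet of the selector, e.g. "10.1.10.0/24" (constructed)
    remote_net: str   # remote subnet of the selector
    source_ip: str    # address on this host inside local_net (ping source)
    probe_host: str   # always-on host in remote_net (DC, printer, gateway)


# (source_ip, probe_host) -> True if reachable
Prober = Callable[[str, str], bool]


def icmp_probe(source_ip: str, probe_host: str) -> bool:
    """Real probe: two pings sourced from source_ip so the packet matches the right selector."""
    cmd = ["ping", "-c", "2", "-W", "2", "-I", source_ip, probe_host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0


def assess_tunnel(selectors: List[Selector], firewall_says_up: bool, probe: Prober) -> Dict[str, object]:
    """Probe every selector and classify the tunnel state.

    Returns a dict with:
      state   -- "healthy", "partial", "stale_up" or "down"
      failed  -- list of "local->remote" selectors that did not pass traffic
      results -- per-selector reachability
    "partial" and "stale_up" are the cases where the firewall UI is misleading.
    """
    results = {f"{s.local_net}->{s.remote_net}": probe(s.source_ip, s.probe_host) for s in selectors}
    failed = [name for name, ok in results.items() if not ok]
    if not failed:
        state = "healthy"
    elif not firewall_says_up:
        state = "down"        # firewall agrees; DPD/keepalive should be rebuilding it
    elif len(failed) < len(results):
        state = "partial"     # some SAs pass traffic, others are dead: renegotiate the failed ones
    else:
        state = "stale_up"    # reported up but nothing flows: renegotiate the whole tunnel
    return {"state": state, "failed": failed, "results": results}


# Constructed selectors for an offline run: a workstation VLAN and a server VLAN.
SELECTORS = [
    Selector("10.1.10.0/24", "10.2.10.0/24", "10.1.10.5", "10.2.10.1"),   # workstation VLAN
    Selector("10.1.20.0/24", "10.2.20.0/24", "10.1.20.5", "10.2.20.10"),  # server VLAN
]


def fake_probe_server_vlan_dead(source_ip: str, probe_host: str) -> bool:
    """Constructed result: the workstation selector works, the server selector does not."""
    return source_ip.startswith("10.1.10.")


if __name__ == "__main__":
    # Offline demonstration of the partial-failure case from the post.
    report = assess_tunnel(SELECTORS, firewall_says_up=True, probe=fake_probe_server_vlan_dead)
    print(report["state"], report["failed"])
```

Run it from a scheduler on a host that has an address in every local subnet carried by the tunnel, swap `fake_probe_server_vlan_dead` for `icmp_probe`, and alert on "partial" and "stale_up": those are exactly the states where the firewall dashboard shows green while a subnet is unreachable.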

8 Replies
PhilipDAth
Kind of a big deal

See if the SonicWall has an option to enable dead peer detection and/or keepalives. 

DunJer622
Building a reputation

They do and they are all enabled.

JamesMN140
New here

This is the exact behavior I'm seeing on my Sonicwall NSA -> Meraki VPN setup.
JohnT
Getting noticed

I had the same problem with Sophos UTMs and I had to disable NAT-T.  Meraki support had to disable it on their end.  It might be worth looking into.

JamesMN140
New here

Thanks for this heads up. A ticket was opened and I'll have them try that first.

Nash
Kind of a big deal

I've had success in the past with having support disable nat-t. It was between an ASA and an MX65, but I had a tunnel that just kept... dropping. Up and happy for a while, then boom splat unhappy remote site with no DNS.

After support disabled NAT-T, it has stayed up successfully for almost two months. I hope you get the same result!

Sprocket
Getting noticed

+1

GaryShainberg
Building a reputation

Hi there,

Having just completed both the SNSA and SNSP courses, one of the things that was highlighted was to make sure only one end of the site has keep-alives active. Unfortunately, on the Meraki side there is no keep-alive option, so you must make sure this is enabled on the Sonicwall side. You might also find that playing with the MTU works.

CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP