1

Hello all!

I have two Cisco ASA 5510s and a SonicWall TZ180 in three separate locations and need to establish a VPN tunnel between the three.

The tunnel between the two Ciscos is working perfectly.

The tunnel between Cisco A and the SonicWall is one sided - devices behind the SonicWall can ping, RDP into, browse files on, etc devices behind Cisco A, but the devices behind Cisco A cannot see anything behind the SonicWall. The VPN shows that it is established in the SonicWall’s settings but not the Cisco.

The tunnel between Cisco B and the SonicWall works even less. No connections can be made back and forth, however, Cisco B’s ASDM tells me it has an established connection to the SonicWall.

Moreover, the SonicWall itself can’t ping any device, even those connected directly to it.

The ACLs are OK in both locations, the sonicwall is even currently set to allow all traffic (* to * allowed).

I spent an hour or two on the phone with a Cisco Technical Assistance rep who was baffled by the problem, confirmed my Ciscos to be set up correctly, and suggested I call SonicWall support.

Any ideas what could be the problem?

@Cisco

4 Spice ups
2

I’ve had nothing but problems with sonicwall VPN. My suggestion is replace it with an ASA, untangle, Juiper, or Vyatta.

3

is the tz180 on the latest firmware?

I’ve had some similar problems in the past. Mainly just make sure you have all the settings matched as best as you can, then have a fiddle with the other settings and see what you get.

4

I setup an IPSEC VPN between a fairly old Cisco PIX and a Sonicwall about a year ago and although it didnt go really smoothly it wasn’t too much hassle. I seem to recall that the biggest thing that was stopping it working originally was the fact that the Cisco used its name (which you manually specified on the Cisco somewhere) as its local endpoint and on the Sonicwall we were setting the VPN to use the external IP address of the Cisco as its remote endpoint, so the VPN was failing because the local endpoint on the Cisco side didnt match the remote endpoint on the Sonicwall side.

I cant remember how we got round this though… perhaps we just set the Cisco’s name to be the same as its external IP or something.

Anyway the golden rule seems to be that both sides need to be configured absolutely identically - same encryption settings and everything but also the exact same local/remote endpoints on both sides (though reversed of course).

Hope that helps but if it didnt, can you tell us what messages you are seeing in the Sonicwall logs and also on the Cisco? They both should at least give you a clue if the VPN is failing to connect. I know the Sonicwalls are generally fairly good at telling you in the system log why a VPN is failing to connect.

5

Chris,

Unfortunately the name of the ASA can’t start with a number, therefore can’t be an IP address.

Can you expand on this naming convention thing a little more?

Also, I’m not quite sure how to obtain the SonicWall logs, but from the packet traces I ran, it seems like the SonicWall is failing to respond properly to Phase 2 of the IPSEC connection.

6

OK I had a look at our Sonicwall and here’s how we have the VPN to the Cisco PIX setup, hope it helps.

SonicwallVPN.jpg
SonicwallVPN.jpg700×694 90.6 KB
7

Thanks for all your help everyone,

Unfortunately I wasn’t able to solve the issue and wound up switching the SonicWall with a Cisco ASA 5505.

8

I found that disabling the IKE keepalives on both a ASA 5515 and Sonic wall did the trick.

Although Phase 1 did came up, this prevented a successful Phase 2. Wich of course is strange because it is a Phase 1 setting…