Firewall not responding to VPN requests intermittently in GVC
Description
This article describes how to change the Max negotiation per second threshold for VPN settings in diag page and using cli.
In the VPN logs, we see the peer is not responding to phase 1 ISAKMP requests and Packet capture shows the VPN aggressive mode packets reach the SonicWall but there is no response from the firewall.
After 7.0.1-5072, you can also check this issue happen with the following data
- Event log “Negotiation under throttling”.
- “Too fast negotiation fail” counter in TSR.
- “Over negotiation frequency limit: “ in trace log.
Models affected:
All models
Affected firmware:
SonicOS 7.0.1 (Before SonicOS/X 7.0.1-7 Sprint 72 (7.0.1-5072) release)
Cause
SonicOS has a throttling mechanism to limit the max negotiation that could be established in 1 second. When customer has lots of GVC clients, they may continuously reconnect in the same time and exceeds the limitation.
Resolution
- Enhance logs when this issue occurs.
Negotiation Aborted “Negotiation under throttling” - Add counter for negotiation fail in TSR.
Total IKE Negotiation: Too fast negotiation fail: - Support modify the threshold for throttle.
The threshold ranges from 0 ~ 99999 (0 means no limitation, default value is 50) - CLI
# modify the threshold>config#diag advanced vpn#max-negotiate-per-sec 1000 # set the value to 1000#no max-negotiate-per-sec # to set to default value 50# show the threshold#diag show advanced vpn - GUI
Which version is having this fix?
After SonicOS/X 7.0.1-7 Sprint 72 (7.0.1-5072) release
What are the steps to resolve the issue with screenshots.
Set the threshold to a higher value (according to the amount of tunnels customer have) or 0 (no limitation)
- CLI (How can I login to the appliance using the Command Line Interface)
>config#diag advanced vpn#max-negotiate-per-sec 0 # No limitation#commit
- GUI
- Change url to internal diag page
- Click Internal Settings button
- Find “Max negotiation in 1 second” in “VPN settings” section. Modify the threshold.
