Simple debug steps when VPN tunnel does not go active

Description

These are a few tips drawn from recent escalations on IPSec VPN where the tunnel refuses to come up or keeps failing intermittently.

  1. Capture the IKE packets (UDP 500/4500)
    •  The packet capture lets us know whether the IKE packets are being dropped by another module. Sometimes a misconfiguration causes the IKE packets to be sent through another VPN tunnel; the packet capture gives clues about this, and checking the routing table or the local/remote networks of the S2S VPN policies confirms it.
    • If you see packets captured on the local firewall, then you also need to run a packet capture on the remote peer to check whether it receives the packets and sends packets back.
  2. Check the logs: The logs show whether the IKE packets are sent out by the local firewall or not. Usually you will see the following logs:

    • Start IKE negotiation : this means the firewall is initiating, i.e. starting to send IKE packets

    • Remote party timeout : this means the local firewall sent IKE packets to the peer, but the peer does not respond. In this situation, check the logs on the peer to find the reason.

  3.  No specific route for the secondary WAN

    If the VPN policy is bound to the WAN zone, SonicOS will look up the route table to identify the outgoing interface for the IKE negotiation packets. Usually, if there is no specific route for the VPN gateway, they will go out via the default route.
    We need to check whether the remote VPN gateway is reachable via the default route.

  4.  WAN DDOS protection

    The option "Enable DDOS protection on WAN interfaces" may also drop the IKE packets; check the log to confirm it. The solution is to enable the option "Always allow VPN negotiate traffic".

  5. High Frequency IKE negotiation

    SonicOS has protection against IKE negotiations that arrive too fast; check the TSR and the log to confirm whether it is triggering.

    For example, in the TSR:

    Total IKE Negotiation: 34567     Too fast negotiation fail: 23456

    This behaviour is intended, and it depends on the threshold value for the maximum number of IKE negotiations the device will handle. This value can be changed on the diag page.

    This can also be changed via the CLI (SSH needs to be enabled on the interface):

    • Log in to SonicWall using any terminal emulator, like PuTTY
    • config
      diag advanced vpn
      max-negotiate-per-sec 0
      commit 
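A small triage helper for steps 2 and 5, added here as an example and not code from SonicWall: it counts the two IKE log messages named above, parses the TSR counter line, and maps the result to the step to look at next. The sample log lines, the 5% ratio and the step mapping are constructed assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample excerpts (not real SonicWall output); only the two message
# texts and the TSR counter line follow the wording quoted in the article.
SAMPLE_LOG = """\
10:00:01 VPN: Start IKE negotiation, peer 203.0.113.10
10:00:31 VPN: Remote party timeout, peer 203.0.113.10
10:00:32 VPN: Start IKE negotiation, peer 203.0.113.10
10:01:02 VPN: Remote party timeout, peer 203.0.113.10
"""
SAMPLE_TSR = "Total IKE Negotiation: 34567     Too fast negotiation fail: 23456"
TSR_RE = re.compile(r"Total IKE Negotiation:\s*(\d+)\s+Too fast negotiation fail:\s*(\d+)")

def count_ike_events(log_text):
    """Count the two IKE log messages the article says to look for."""
    counts = Counter()
    for line in log_text.splitlines():
        if "Start IKE negotiation" in line:
            counts["start"] += 1
        if "Remote party timeout" in line:
            counts["timeout"] += 1
    return counts

def parse_tsr_counters(tsr_text):
    """Return the IKE counters from a TSR excerpt, or None if the line is absent."""
    m = TSR_RE.search(tsr_text)
    return {"total": int(m.group(1)), "too_fast": int(m.group(2))} if m else None

def triage(log_text, tsr_text, too_fast_ratio=0.05):
    """Map what the log and TSR show to the article's steps. The mapping and the
    5% ratio are this example's assumptions, not SonicOS thresholds."""
    findings = []
    ev = count_ike_events(log_text)
    if ev["start"] == 0:
        findings.append(("NO_LOCAL_INITIATION", "no 'Start IKE negotiation' logged: "
                         "check the route to the VPN gateway (step 3) and WAN DDOS protection (step 4)"))
    elif ev["timeout"] > 0:
        findings.append(("PEER_NO_RESPONSE", "local firewall initiates but the peer never answers: "
                         "capture UDP 500/4500 on the peer and read its logs (steps 1-2)"))
    tsr = parse_tsr_counters(tsr_text)
    if tsr and tsr["total"] and tsr["too_fast"] / tsr["total"] > too_fast_ratio:
        findings.append(("TOO_FAST_NEGOTIATION", f"{tsr['too_fast']} of {tsr['total']} negotiations "
                         "rejected as too fast: review max-negotiate-per-sec (step 5)"))
    return findings

for code, msg in triage(SAMPLE_LOG, SAMPLE_TSR):
    print(code, "-", msg)
```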
