Site to Site VPN tunnel is up but only passing traffic in one direction
12/20/2019 1221 29196
In this scenario there is an active Site-to-Site VPN tunnel up on the SonicWall and the remote device but traffic will only pass in one direction, either from the SonicWall to the remote site or vice versa.
NOTE: Capture the Traffic on the SonicWall, and if possible, the remote device.
- Start a continuous ping from a host that is part of the VPN tunnel to a remote host that is also part of the VPN tunnel and capture the traffic on the SonicWall. If the packets are marked as Consumed then they're being put into a VPN, however make sure they are being put into the correct VPN. It is possible to have overlapping VPNs for source and destination on the SonicWall, as well as network address translation policies, which could lead to incorrect routing.
- If the packets are marked as Received then the SonicWall doesn't have a route to send them over and is discarding them. The most common cause of this issue is network address translation, checking the network address translation table on the SonicWall to ensure there are no incorrect NATs is advisable.
- The expected traffic flow for local hosts going across the VPN is to see the Ingress Interface and the packet marked as Consumed. The expected flow for a packet coming to the SonicWall across the VPN is it being marked as Consumed, the forwarded, then forwarded. First the SonicWall will receive the packet from the VPN, then decrypt it which is denoted with the (hc) tag on the Packet Monitor, and finally sent onto the physical wire.
TIP: It is strongly advised to run a Packet Capture on both hosts as well as the remote VPN concentrator to get a complete picture of the traffic flow.
TIP: If you're unfamiliar with setting up a Packet Capture on the SonicWall, please reference 170505277474380
Check the Event Logs
- Access to SonicWall management GUI.
- Click Investigate in the top navigation menu.
- Logs | Event Log can alert you to issues with the VPN Tunnel. Typically this will be IKE Phase 1 and Phase 2 issues but the SonicWall can also track decryption failures, drops, and timeouts.
Setting a filter by either the remote peer public IP address, the local Private IP address, or the remote private IP address will bring up any associated drops or other issues with the traffic flow. If you aren't seeing anything, try setting the Log Monitor to default settings. Click Manage in the top navigation menu and click Log Settings | Base Setup | Import Logging Template and choosing Default.
TIP: You can also access to Log Settings | Base Settings by clicking Go to configure Log from Investigate tab | Event Logs.