PASSED | network / site_to_site_vpn_collapse

Site-to-Site VPN Tunnel Collapse — All Sites Disconnected

The hub firewall's IKE daemon crashes, tearing down all 6 site-to-site IPSec VPN tunnels simultaneously. All branch offices lose connectivity to the data center. File shares, ERP, email, and VoIP between sites all fail.

Pattern: VPN_TUNNEL_DOWN
Severity: CRITICAL
Confidence: 82%
Remediation: Remote Hands

Test Results

Metric | Expected | Actual | Result
Pattern Recognition | VPN_TUNNEL_DOWN | VPN_TUNNEL_DOWN |
Severity Assessment | CRITICAL | CRITICAL |
Incident Correlation | Yes | 40 linked |
Cascade Escalation | Yes | Yes |

Remediation: Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Hub-and-spoke VPN topology. SonicWall NSA 4700 at hub. 6 branch offices with TZ470. IPSec IKEv2 tunnels. IKE daemon crash after DPD (Dead Peer Detection) storm from all branches. No backup VPN path.

Injected Error Messages (4)

SonicWall NSA-4700 VPN tunnel down — all 6 IPSec VPN tunnels torn down, site-to-site VPN connectivity lost, IKE process crashed, DPD storm from 6 peers, VPN tunnel status: all DOWN
Branch-Dallas VPN tunnel down — IPSec SA expired, IKE Phase 1 renegotiation failing, site-to-site VPN to hub offline, peer 203.0.113.1 not responding, all DC resources unreachable from branch
Branch-Miami site-to-site VPN failed — VPN tunnel down to hub, IKEv2 Dead Peer Detection timeout, SonicWall hub peer unresponsive, inter-site calls dropping, split tunnel fallback to local internet only
ERP application inaccessible from all branch offices — 6 VPN tunnels down simultaneously, site-to-site VPN lost, branch users returning timeout errors, 350+ remote users affected

Neural Engine Root Cause Analysis

The SonicWall NSA-4700 VPN hub has experienced a complete IKE process crash, resulting in all 6 IPSec tunnels being torn down simultaneously. The crash appears to have been triggered by a Dead Peer Detection (DPD) storm from all 6 remote peers, likely caused by network instability or a firmware bug that overwhelmed the IKE daemon. With 14 correlated incidents in the same timeframe, this suggests a broader network event may have triggered the cascade failure.

Remediation Plan

1. Immediately restart the IKE daemon on the SonicWall NSA-4700 to restore VPN processing capability.
2. Check system logs for memory leaks or resource exhaustion preceding the crash.
3. Verify network connectivity to all 6 VPN peers to identify any upstream network issues.
4. Re-establish IPSec tunnels one by one to prevent another DPD storm.
5. Review and potentially adjust DPD settings to prevent future storms.
6. Check firmware version and consider emergency patching if known IKE bugs exist.
7. Implement temporary traffic routing if tunnel restoration fails.

Tested: 2026-03-30 | Monitors: 4 | Incidents: 4 | Test ID: cmncjl69z02cvobqeqi27ba9k