
TZ 270 - 7.0.1-R1262 - VPN Tunnel Issues?

BWC Cybersecurity Overlord ✭✭✭

Hi,

a newly deployed TZ 270 is giving me a hard time with a VPN tunnel. A connection to another TZ 500 worked fine for a couple of hours, but suddenly it stopped; I still need to investigate if this is P1/P2 lifetime related. It ended in "Remote Party Timeout" messages on both sides.

Usually with disabling/enabling the connections on both sides it could be fixed for the moment, but not in this case. I had to restart the TZ 270 to get it working again.

Are there any known problems for IKEv2 between Gen7 and Gen6? While the problem occurred I switched to IKEv1 Main Mode, but no luck without a reboot either.

One thing to be noted, the TZ 270 is behind a WAN router having the TZ 270 as Exposed Host (NAT ALL, you guessed it right, Fritz!Box).

--Michael@BWC

Category: Entry Level Firewalls

Answers

  • JR2021 Newbie ✭

    YES!

    We have a newly deployed TZ500w that was running firmware 7.0.0-R713, and we put up a S2S tunnel to Azure without trouble. After we upgraded to 7.0.1-R1262, our tunnel promptly went down. I recreated it, tried doing a tunnel interface, tried recreating the pieces on the Azure end, and nothing worked for us.

    I downgraded to 7.0.0-R906 and the tunnel immediately went back up. I don't know what might have changed in the latest firmware, and I'm not tech savvy enough to track down the cause, but I figured I'd pipe in and let you know that I'm having VPN trouble with this firmware release, too.

  • TKWITS Cybersecurity Overlord ✭✭✭

    Discussion there seems to indicate VPN tunnel issues with R1262.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi guys,

    this makes total sense. I have a few Gen7 appliances in the field, still running R906, and no VPN-related complaints so far. I advised my customers not to update to R1262 until this is verified.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Hi,

    first things first, other customers running R1262 on TZ 270 and 670 reported no general VPN-related problems.

    But I'm having trouble with one specific deployment between a TZ 270 and a TZ 500. Whenever the TZ 500 executes its WAN schedule down-time (daily at 2:59 AM for a minute) the TZ 270 logs the expected:

    IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.

    Around 03:00 AM the WAN link on the TZ 500 is back and all other VPN connections to the TZ 500 are working again, except the one to the TZ 270. These messages get logged over and over again and the tunnel never comes back, until the TZ 270 gets rebooted.

    IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
    IKEv2 Responder: Received IKE_SA_INIT Request
    IKEv2 Accept IKE SA Proposal
    IKEv2 NAT device detected between negotiating peers
    IKEv2 Responder: Send IKE_SA_INIT response
    IKEv2 Peer is not responding. Negotiation aborted.

    Is there any way to solve this? The TZ 500 is working fine; it's the TZ 270 which causes trouble at the moment.

    I'm not on-site and remote testing is limited. Maybe setting a WAN schedule on the TZ 270 can work around the problem, but that would be no real solution.

    --Michael@BWC

  • TKWITS Cybersecurity Overlord ✭✭✭

    Had a thought about the VPN issues. Running a 570 on R1262, no issues with the few VPN tunnels, BUT I do set the following to be in line with my tunnel configs.

    Network \ IPSec VPN \ Advanced \ IKEv2 Settings \ IKEv2 Dynamic Client Proposal.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @TKWITS, the policy in that case is not using the Dynamic Client Proposal, because both sides have static IP addresses. But did you experience any trouble having the Dynamic Client Proposal not on par with the policy proposal, despite not using it?

    I disabled the WAN schedule on the remote-side, so no forced reconnect at 03:00 AM, VPN connection is still working, so I can say for sure it's at least triggered by the reconnect.

    --Michael@BWC

  • TKWITS Cybersecurity Overlord ✭✭✭

    @BWC Having the Dynamic Client Proposal settings different from the tunnels makes no difference. Was a thought.
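As an added example (not code from any poster in this thread), the following Python checker runs over log lines modelled on the IKEv2 messages BWC quoted above and flags the re-negotiation loop that otherwise goes unnoticed until someone reboots the TZ 270: repeated IKE_SA_INIT rounds that each end in "Peer is not responding. Negotiation aborted." The timestamps, the `abort_threshold` and the line format are assumptions; adapt the regexes to the exact syslog format your appliance exports.

```python
import re

# Constructed sample log (timestamps made up), modelled on the thread's messages:
# the peer's WAN drops at 02:59, returns at 03:00, and this side keeps
# re-negotiating without ever completing the exchange.
STUCK_LOG = """\
02:59:10 IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
02:59:40 IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
03:00:15 IKEv2 Responder: Received IKE_SA_INIT Request
03:00:15 IKEv2 Accept IKE SA Proposal
03:00:15 IKEv2 NAT device detected between negotiating peers
03:00:15 IKEv2 Responder: Send IKE_SA_INIT response
03:00:45 IKEv2 Peer is not responding. Negotiation aborted.
03:01:15 IKEv2 Responder: Received IKE_SA_INIT Request
03:01:15 IKEv2 NAT device detected between negotiating peers
03:01:15 IKEv2 Responder: Send IKE_SA_INIT response
03:01:45 IKEv2 Peer is not responding. Negotiation aborted.
03:02:15 IKEv2 Responder: Received IKE_SA_INIT Request
03:02:15 IKEv2 Responder: Send IKE_SA_INIT response
03:02:45 IKEv2 Peer is not responding. Negotiation aborted.
"""

# Constructed transient blip: a single retransmit and nothing further.
TRANSIENT_LOG = """\
02:59:10 IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
"""

PATTERNS = {
    "timeout": re.compile(r"Remote party Timeout - Retransmitting IKEv2 Request"),
    "sa_init": re.compile(r"Responder: Received IKE_SA_INIT Request"),
    "nat": re.compile(r"NAT device detected between negotiating peers"),
    "aborted": re.compile(r"Peer is not responding\. Negotiation aborted"),
}

def analyse_ike_log(text, abort_threshold=3):
    """Count IKEv2 events and flag a tunnel that never recovers.

    'stuck' means at least abort_threshold aborted negotiations and every
    IKE_SA_INIT round the responder answered ended in an abort (assumed
    heuristic matching the loop described in the thread).
    """
    counts = {name: 0 for name in PATTERNS}
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            if rx.search(line):
                counts[name] += 1
    stuck = (counts["aborted"] >= abort_threshold
             and counts["sa_init"] > 0
             and counts["aborted"] >= counts["sa_init"])
    return {**counts, "nat_traversal": counts["nat"] > 0, "stuck": stuck}

if __name__ == "__main__":
    for label, log in (("stuck", STUCK_LOG), ("transient", TRANSIENT_LOG)):
        print(label, analyse_ike_log(log))
```

The `nat_traversal` flag is reported separately because the thread's setup has the TZ 270 behind a NAT router, which is worth correlating when the loop fires.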
