Schannel Errors after Sonicwall Upgrade

Have an interesting question. We are running Server 2008 R2 on our server that is not part of the extended service plan, so it hasn't gotten any new updates since summer. Well, everything was fine, but our NSA240 died and we picked up a TZ270 to replace it. Since we replaced it, we are getting a barrage of Schannel errors: Event ID 36887, Fatal Error 40 then Fatal Error 70. Based on some articles I've read, I am guessing the newer SonicWall might be using a cipher that the older server doesn't recognize. Trying to find out what can be changed besides turning off the logging of the errors.


Any help or ideas would be appreciated.

Category: Entry Level Firewalls
Answers

  • Saravanan Moderator

    Hi @MEDUSANYC,

    Thank you for visiting SonicWall Community.

    Where do you see the error? If it is on the SonicWall, then could you please share the complete log message? Maybe a screenshot or log export would help.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Medusanyc Newbie ✭

    That article was from 2014. Pretty sure whatever the issue was back then does not have to do with the same thing that a change of my sonicwall seems to have triggered currently.

  • Medusanyc Newbie ✭

    However, where would I find that cipher configuration page in the new TZ240?

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @Medusanyc

    Navigate to Firewall Settings --> Cipher Controls.


  • Medusanyc Newbie ✭

    Thank you for the quick reply. I was able to find the Firewall Cipher Controls, but I could not find the settings that were shown on the second link. These are the settings for Enable TLS compatible mode; where does one find that?

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @Medusanyc

    If you are using a Gen5 SonicWall firewall, navigate to the diag page to enable the legacy protocols.

    Log in to the diag page: https://firewall IP/diag.html --> navigate to Encryption Settings and follow the KB below:


  • Medusanyc Newbie ✭

    I am getting a weird error when I try to go to https://sonicwall_IP/diag.html. First I get a message about it being a non-secure site, then after I insist on it letting me through I get the following:

    This browser window does not appear to be the one used most recently to log in to the SonicWall from here. You will need to switch to that browser window or re-log in.

    Any suggestion on how to get around that error?

    Thank you

    Andy

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @Medusanyc

    The page where you are trying to log in is the firewall diagnostic page, not the regular firewall GUI.

    Try to log in to the firewall without mentioning the diag page link. Once you are logged in to the firewall, change the main.html to diag.html and press Enter; you will reach the screen below, then click "Internal Settings".


  • Medusanyc Newbie ✭

    My SonicWall is at 192.168.1.1. When I sign in, I am not put at a main.html page; I end up at

    "https://192.168.1.1/sonicui/7/m/dashboard/overview/status/device#retroVisit=true"

    If I try to go to https://192.168.1.1/main.html or diag.html, I get the message that I posted above.

    Not sure why I am getting those errors. Do I need to install something to get that access?

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @Medusanyc

    If you are using a Gen7 SonicWall unit, try to access the diag page using the URL below; instead of "management_ip", enter your firewall's X0 IP.

    https://<management_ip>/sonicui/7/m/Mgmt/settings/diag

    As for the Gen7 unit's cipher control page, you can navigate to Network\Firewall\Cipher Control.


  • Medusanyc Newbie ✭

    Thank you. Found it :)

    Yes, I did find the Network\Firewall\Cipher Control, but wasn't sure what to change on that page. Will try changing the TLS compatibility and see if that doesn't correct the Schannel errors. Will let you know. Does a change in the Internal Settings require a restart of the SonicWall?

    I am really not sure what is causing it, but I know the errors started when we switched SonicWalls. Not sure what could be the difference. Do you see any risk to changing the TLS compatibility?

    Thank you

  • Medusanyc Newbie ✭

    I actually just checked the original NSA240 and went to the internal settings, which were indeed accessible from diag.html, but found the TLS compatibility setting to be the same as on the newer TZ270. So not sure changing that would make any difference. The old SonicWall under Internal Settings -> Encryption Settings does have Enable Hardware Encryption turned on. Not sure if that makes a difference or where to check that on the new TZ270.

    Don't want to be changing things randomly but am pretty sure there is some setting that is different in the new sonicwall that is causing these errors as the errors only began with the new sonicwall.

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @Medusanyc

    If you suspect the new SonicWall unit, exclude the server from firewall security.

    Exclude it from GAV, IPS, etc., and try.

  • Medusanyc Newbie ✭

    When you say firewall security, are you referring to the paid service? We are not paying for or using the GAV, IPS or any of those services. Is there something else that would cause a Schannel error?

    Here are more details of the error:

    Source:Schannel Event ID:36887 Error:The following fatal alert was received: 70.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36887</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2021-05-29T15:15:19.821568700Z" />
        <EventRecordID>245878</EventRecordID>
        <Correlation />
        <Execution ProcessID="688" ThreadID="892" />
        <Channel>System</Channel>
        <Computer>Server.domain.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">70</Data>
      </EventData>
    </Event>


    It is followed immediately with the same event ID and source:

    The following fatal alert was received: 40.

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
        <EventID>36887</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2021-05-29T15:15:19.877568700Z" />
        <EventRecordID>245879</EventRecordID>
        <Correlation />
        <Execution ProcessID="688" ThreadID="892" />
        <Channel>System</Channel>
        <Computer>Server.domain.local</Computer>
        <Security UserID="S-1-5-18" />
      </System>
      <EventData>
        <Data Name="AlertDesc">40</Data>
      </EventData>
    </Event>


    We never had any Schannel errors prior to changing the device and they started the same evening that the device was installed....
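
Added example, not part of the original posts: a Python script that parses Schannel Event ID 36887 records like the two above and names the TLS alert in `AlertDesc` (70 is `protocol_version` and 40 is `handshake_failure` in RFC 5246). The function names and the `<Events>` wrapper around the records are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# TLS alert descriptions from RFC 5246 section 7.2 (subset).
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version",
              71: "insufficient_security", 80: "internal_error"}

# The two events from the post above, trimmed to the fields used here and
# wrapped in an <Events> root (assumed export layout).
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Schannel"/><EventID>36887</EventID>
<TimeCreated SystemTime="2021-05-29T15:15:19.821568700Z"/>
<EventRecordID>245878</EventRecordID></System>
<EventData><Data Name="AlertDesc">70</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Schannel"/><EventID>36887</EventID>
<TimeCreated SystemTime="2021-05-29T15:15:19.877568700Z"/>
<EventRecordID>245879</EventRecordID></System>
<EventData><Data Name="AlertDesc">40</Data></EventData></Event>
</Events>"""

def parse_time(stamp):
    # Event timestamps carry more than 6 fractional digits; strptime takes at most 6.
    date, _, frac = stamp.rstrip("Z").partition(".")
    return datetime.strptime(f"{date}.{frac[:6] or '0'}", "%Y-%m-%dT%H:%M:%S.%f")

def received_alerts(xml_text):
    """Return (time, record id, alert code, alert name) per Schannel 36887 event."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS)
        data = ev.find("e:EventData/e:Data[@Name='AlertDesc']", NS)
        if (provider is None or provider.get("Name") != "Schannel" or data is None
                or ev.findtext("e:System/e:EventID", namespaces=NS) != "36887"):
            continue  # skip anything that is not a "fatal alert received" record
        code = int(data.text)
        when = parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))
        record = int(ev.findtext("e:System/e:EventRecordID", namespaces=NS))
        rows.append((when, record, code, TLS_ALERTS.get(code, "unlisted")))
    return sorted(rows)

if __name__ == "__main__":
    for when, record, code, name in received_alerts(SAMPLE):
        print(f"{when.isoformat()}  record {record}  alert {code} ({name})")
```

Event 36887 records an alert that the remote endpoint sent, so the alert name describes why the peer ended the handshake, not a decision made by the logging server.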

  • Ajishlal Cybersecurity Overlord ✭✭✭
    edited May 30

    Hi @Medusanyc

    If your server has any third-party software installed, such as CCleaner, uninstall it and try. Some old software tries to communicate with old protocols.


  • Medusanyc Newbie ✭
    edited June 6

    Thank you for all your help. Turned out replacing an older version of SEP eliminated the errors. Strange that the errors started when the SonicWall was changed. In the end it would seem totally coincidental.

    Thank you

    Andrew Bernstein

  • Ajishlal Cybersecurity Overlord ✭✭✭

    Hi @Medusanyc

    Was your issue resolved?

    If so please mark the reply as the answer & like it to help other community members to find the helpful reply quickly.
