TZ 400 - losing configuration (partly)
Hi all,
yesterday I had a strange case with one customer deployment. All VPN connections (except GroupVPN) were gone, but the rest of the configuration seems to be intact.
Even the routes for the VPN Tunnel interfaces were still there (pointing to no Interface), but the Site-2-Site and Tunnel-Interfaces were lost.
Has anyone experienced something like this? I'm not 100% certain, but I guess it was on that specific appliance where users got lost for no reason as well in the past. Could this be a sign of a hardware failure? It's an appliance 2000 km away, not very easy to check on-site.
Running 6.5.4.5, but the users got lost IMHO with 6.5.4.4.
--Michael@BWC
Comments
Hi @BWC,
I recall that there were reported issues where the VPN policies were deleted when the Create Group VPN option is disabled on the WAN zone and the firewall is rebooted. There was an internal reference ID: DTS #222155.
This was fixed on the firmware SonicOS 6.5.4.5 as per the notes.
Please check the link below for the fixed issues:
Can you let me know what firmware was on the SonicWall that was used to export the settings?
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Hi @Nevyaditha
GroupVPN can IMHO not be disabled per zone, but the GroupVPN policies were indeed disabled.
It's not easy for me to recall the exact timeline, because it seems the problem persisted for a couple of days and the customer didn't report it to me.
I upgraded to 6.5.4.5 on May 4th (from 6.5.4.4) and exported the settings right before. I checked the backup yesterday and I couldn't find the VPN tunnels in that configuration, so I guess it got messed up in 6.5.4.4 somehow. I did not check the VPN policies before the update.
--Michael@BWC
Hi @BWC,
If the settings were imported from SonicOS 6.5.4.4 then it could be a possibility.
I wanted to inform you that the feature WAN GroupVPN was disabled at the zone level on the appliance on SonicOS 6.5.4.X and WAN GroupVPN profiles did not show up until we enable the WAN Group VPN option in the zone.
If you have the TSR from the 6.5.4.4 settings, that could be useful to check further.
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Hi @Nevyaditha
I don't have a TSR, but I checked on another appliance running 6.5.4.4 and GroupVPN was selectable in the zone settings like you mentioned. I totally forgot about that in the 5+ months since 6.5.4.5 has been available. So there is a fair chance that I disabled GroupVPN per zone, because I didn't need it.
--Michael@BWC
Hi @BWC,
As a workaround, you can enable the “Create Group VPN” option of the WAN zone and then re-import the EXP file into the firewall, and that should help you.
Thanks
Nevyaditha P
Technical Support Advisor, Premier Services
Hi,
all good, I re-created the VPN policies, it's working as before. I'll keep this in mind if I need to upgrade a 6.5.4.4 system.
--Michael@BWC
That's great that everything is up and running now. Sorry for the inconvenience caused.
_Nevyaditha
Nevyaditha P
Technical Support Advisor, Premier Services