Got an issue with VPN site2site after replacing NSA 3600 with NSA 3700
Hi,
Today I encountered an issue with VPN site2site after I replaced the NSA 3600 with an NSA 3700 (using the migrate tool from SonicWall). I found that VPN site2site did not work (not green status) and I got the error log below:
"RECEIVED<<< ISAKMP OAK IKE_SA_INIT (InitCookie:0xf8f3a407a9fa2980 RespCookie:0x0000000000000000, MsgID: 0x13800000000) (SA, KE, NONCE, NOTIFY: NATD Source IPNOTIFY: NATD Destination IP, VID)"
and "IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request".
I've already checked that the shared secret key and settings match on both sites, and I also tried almost every KB from SonicWall, but it seems it did not work.
Please help me to resolve this issue.
Thanks, Tung
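The two log messages quoted above (an IKE_SA_INIT request arriving with an all-zero RespCookie while the local side keeps retransmitting its own IKEv2 request) are the signature of a negotiation that never gets an answer in either direction. The following is an added diagnostic script, not part of the original post or of SonicWall's tooling: it parses log lines modelled on the quoted format and reports unanswered IKE_SA_INIT requests and retransmit counts. The timestamp prefix, the "SENT>>>" direction marker and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the post (not real device output).
STALLED_LOG = """\
2024-01-01 10:00:01 RECEIVED<<< ISAKMP OAK IKE_SA_INIT (InitCookie:0xf8f3a407a9fa2980 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NONCE, NOTIFY: NATD Source IP, NOTIFY: NATD Destination IP, VID)
2024-01-01 10:00:01 IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request
2024-01-01 10:00:06 IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request
2024-01-01 10:00:11 RECEIVED<<< ISAKMP OAK IKE_SA_INIT (InitCookie:0xf8f3a407a9fa2980 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NONCE, VID)
2024-01-01 10:00:16 IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request
"""

# Constructed healthy exchange: the peer's request is answered with a non-zero responder cookie.
HEALTHY_LOG = """\
2024-01-01 11:00:00 RECEIVED<<< ISAKMP OAK IKE_SA_INIT (InitCookie:0x1111111111111111 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NONCE, VID)
2024-01-01 11:00:00 SENT>>> ISAKMP OAK IKE_SA_INIT (InitCookie:0x1111111111111111 RespCookie:0x2222222222222222, MsgID: 0x0) (SA, KE, NONCE, VID)
"""

# Direction marker, exchange type and both cookies of an ISAKMP line.
INIT_RE = re.compile(
    r"(RECEIVED<<<|SENT>>>) ISAKMP OAK (\w+) \(InitCookie:(0x[0-9a-fA-F]+) RespCookie:(0x[0-9a-fA-F]+)"
)
RETRANSMIT_RE = re.compile(r"Remote party Timeout - Retransmitting IKEv2 Request")


def diagnose(log_text):
    """Summarise IKEv2 negotiation health from SonicWall-style IKE log lines."""
    requests_in = Counter()  # IKE_SA_INIT requests received, keyed by the peer's InitCookie
    answered = set()         # InitCookies this side replied to (non-zero RespCookie on a SENT line)
    retransmits = 0
    for line in log_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            direction, exchange, init_cookie, resp_cookie = m.groups()
            if exchange != "IKE_SA_INIT":
                continue
            # In IKEv2 the initiator's first message carries a zero responder SPI (cookie).
            if direction == "RECEIVED<<<" and int(resp_cookie, 16) == 0:
                requests_in[init_cookie.lower()] += 1
            elif direction == "SENT>>>" and int(resp_cookie, 16) != 0:
                answered.add(init_cookie.lower())
        elif RETRANSMIT_RE.search(line):
            retransmits += 1
    unanswered = {c: n for c, n in requests_in.items() if c not in answered}
    # Stalled: the peer is asking and we never answer, or we keep asking and nobody answers.
    return {"retransmits": retransmits, "unanswered_init_requests": unanswered,
            "stalled": bool(unanswered) or retransmits >= 3}
```

A stalled verdict with unanswered requests from the peer points at UDP 500/4500 not flowing in one direction or a proposal/ID mismatch on the local policy, which is why the thread works through NAT traversal, interface binding and IKE IDs.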
Answers
@tungton
Delete the existing site-to-site VPN policy from the 3700 and re-create it with the same configuration.
Hi,
@AJISHLAL , thanks for your response. I tried it before raising it in the community, but it still did not work.
Tung
@tungton
Try unchecking "Enable NAT traversal" on the NSA3700 and try again. (VPN-->Advanced)
Is your back-end ISP modem configured in NAT or bridge mode?
Hi,
I've already tried unchecking "Enable NAT traversal", but it did not work either; it even caused another VPN site2site on AWS to disconnect. The back-end ISP modem is configured in bridge mode.
Thanks
Can you share with us screenshots of the configuration at both ends?
Hi,
Both end firewalls have the same configuration, except the IP addresses below:
If you need further information, please let me know.
Thanks,
Tung
Since 3DES and DH Group 2 are vulnerable and obsolete, use AES encryption and DH Group 5 or higher for Phase 1 & 2.
At both ends, are you using a static or dynamic WAN IP? If you are getting a dynamic IP, make sure the IPsec primary gateway IP is updated, or use a DynDNS service.
If you are using DynDNS or a similar service, make sure the service is running and enabled on the particular WAN interface.
Upgrade to the latest firmware and delete all S2S tunnels via the command line. Try again.
Hi,
I use a static WAN IP. Yes, I will try AES and DH Group 5 after we have green status on the VPN.
Thanks,
Hi,
It is running the latest firmware, version 7.x. Could you send me the command line to delete the S2S tunnel?
Thanks,
It should be the command below, in config mode.
no vpn policy site-to-site "vpnpolicyname"
Should I run another command after running no vpn policy site-to-site "vpnpolicyname", such as commit or anything like that?
Thanks for your support,
Tung
Hi,
I've already tried running no vpn policy site-to-site "vpnpolicyname" and commit as well. I checked that this rule disappeared and I added it manually in the GUI. But it did not work and the status is still not green.
Thanks,
Tung
What is the model of the other site's firewall?
And could you check that the Peer IKE ID comes through correctly from the other site?
These are the same SonicWall 3700 and the latest version. You mean the Peer IKE ID is the shared secret? I checked many times and it's the same configuration, except the WAN IP.
Thanks,
Can you make sure your WAN interface is X1? If it's a different interface, please choose that interface for the VPN policy binding, or choose "Zone WAN".
Yes, sure. It's configured on X1.
Can you try creating a new VPN with Autoprovisioning VPN?
Disable Keep Alive for now and on the General tab, remove the values for Local IKE ID and Peer IKE ID from both Sonicwalls.
Did you configure proper MTU value for X1?
Yes, sure, they match together at 1492.
Hi,
I have not tried it yet, but if possible, should I configure the two firewalls at the 2 sites as SonicWall Auto Provisioning Client or Server?
Hi,
If I remove the values for Local IKE ID and Peer IKE ID from both SonicWalls, how can they recognize each other and handshake to create the VPN site2site?
Thanks,
@tungton
Enable the PING service on the WAN interface of both firewalls and try to do a traceroute from each location.
For example, Site A WAN IP is 1.1.1.1 & Site B WAN IP is 2.2.2.2.
From Site A, do a traceroute to 2.2.2.2 and do the same from Site B.
If there is any ISP connection issue between these 2 locations, the site-to-site VPN will not establish.
The main site should be Server, the other site Client.
Hello, it will use the WAN IP entered in the IPsec Primary Gateway Name or Address field.