
L2TP VPN Connection Failing on TZ670 with SonicOS 7.0.0-R906

scottkeen Newbie ✭
edited January 2021 in Mid Range Firewalls

Edit: Mods: Please move this to the appropriate Category -- probably "Mid Range Firewalls"


I just replaced our NSA2600 with a TZ670.

I copied over the EXACT VPN settings from the NSA2600 to the new TZ670.

My users cannot connect with L2TP VPN, they get this error in Windows:

"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

L2TP VPN was working perfectly fine on the NSA2600, but with the EXACT SAME settings, L2TP VPN does not work on the TZ670 with firmware SonicOS 7.0.0-R906.

I have also tried the knowledgebase articles for setting up L2TP VPN server and checking Windows settings for the connection, and I've checked that I have the HKLM PolicyAgent key in the Registry. As I said, L2TP VPN on our Windows computers was working fine with the NSA2600, but does not work with the TZ670.

Please advise.

Category: Mid Range Firewalls

Answers

  • Micah SonicWall Employee
    👋🏻 @scottkeen, welcome!
    I’m sorry to hear about this inconvenience.

    @shiprasahu93, @Saravanan, @John_Lasersohn: have we seen this before or would you recommend opening a support ticket 🎫 for real time troubleshooting?

    Appreciate you! 🙏🏻

    @micah - SonicWall's Self-Service Sr. Manager

  • scottkeen Newbie ✭

    Thanks @Micah, I hope the SonicWALL team can advise what to do.

    Have you or your team tested L2TP VPN with SonicOS 7.0.0-R906? If you have and are able to get it to work, could you please post your settings? The settings I'm using are copied from my NSA2600, but I'm more than happy to try settings that you or the SonicWALL team use to get it to work.

  • @scottkeen,

    I tried testing L2TP on R906 on a TZ 370 and see that the packets are being dropped as 'fails to handle L2TP pkt'. I am not sure if it is the same case on your firewall, but this definitely needs to go through a support ticket.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • scottkeen Newbie ✭

    Thank you for testing @shiprasahu93

    Are you sending this to SonicWALL support for fixing, or is this something I need to report?

    Seems to me that if it comes from you, it would have more priority.

    Scott

  • Hello @scottkeen - It is always good to have a support case open for this sort of thing, and once you have posted the case number, we can use it as a training exercise for the case owner, who will either find a solution or create a ticket for Engineering to fix it, and @shiprasahu93 can work with them, or I can, to make sure it gets the proper attention. I hope this helps.

  • scottkeen Newbie ✭

    Thanks. I opened a new case.

    Should I post the case # number here in this community forum?

  • Micah SonicWall Employee

    Hi Scott,

    I just recently PM'd you requesting the case number.

    Thanks!

    @micah - SonicWall's Self-Service Sr. Manager

  • scottkeen Newbie ✭

    @Micah Just got both your messages. I'll PM the case number to you. Thanks.

  • BEmmel Newbie ✭

    Were you able to get a resolution on this?


  • Not from SonicWALL support. I spent 10 hours with 2 different SonicWALL tech support people, going round-and-round in circles, not making any progress whatsoever. The last thing they suggested was to reset my TZ 670 in a production environment to factory defaults and try L2TP! Are you kidding me! It's in a production environment!

    I insisted that the problem is with the firmware, and SW support was unable to prove otherwise, yet they did not want to refer this to SW Development. Since that was not going to happen, I said to note that the issue was Unresolved if they close the case.

    -----

    That said, I think I figured out the fix on my own. I'm convinced it's a firmware bug, as I suspected. I wish SW tech support referred this to SW Development who would have probably discovered the bug.

    -----

    How am I convinced it's a bug in the firmware? Because I have (2) TZ 670 units in two different physical locations with different ISPs (one is Cox, one is Cogent) and they both have the same issue with L2TP not working, even with copying the same exact WAN GlobalVPN and L2TP settings from the NSA 2600.

    How else am I convinced it's a bug in the firmware? Because after decades in IT I know that what "makes sense" doesn't always work and you have to do something that doesn't make sense to make it work.

    So here is how I got it to work. YMMV

    1. Go to the L2TP Server settings page. You will probably have "Enable L2TP Server" switched On.
    2. Switch Enable L2TP Server Off. Click Accept <-- important
    3. Switch Enable L2TP Server On. Click Accept <-- important

    That's it. Switch Off. Accept. Switch On. Accept.

    You may have to make the following change first:

    1. Go to the IPSEC VPN Rules and Settings page.
    2. Edit the WAN GroupVPN policy.
    3. On the Proposals tab, change the DH Group to something like Group 2 and Encryption to something like 3DES. Ideally, I wanted Group 14 and AES-256.
    4. Do the L2TP Server Off-Accept-On-Accept steps above
    5. Try out your L2TP connection. If it works, then try a higher DH Group and/or Encryption level. Try one at a time increasing the Group and/or Encryption, repeating the Off-Accept-On-Accept steps after each change.

    Something is probably getting written to data tables on the back-end with the Off-Accept-On-Accept steps so that L2TP will work, despite that on the GUI everything looks fine. This is why I'm convinced it's a bug.

    YMMV.

    Let me know if it works for you.

    Scott

  • I have the exact same issue. A couple months ago I moved from the TZ400 to the TZ370 and my L2TP no longer connects; all the settings are the same. Both on the original and latest firmware.

    I opened a ticket 6 weeks ago and multiple techs verified everything over and over; they even created a new account so they could try it from "their" iOS device and same issue. I tried the disable/enable idea above but no luck.

    Their latest is that it must be my ISP and they want to close the case.
