L2TP VPN Connection Failing on TZ670 with SonicOS 7.0.0-R906
Edit: Mods: Please move this to the appropriate Category -- probably "Mid Range Firewalls"
I just replaced our NSA2600 with a TZ670.
I copied over the EXACT VPN settings from the NSA2600 to the new TZ670.
My users cannot connect with L2TP VPN, they get this error in Windows:
"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
L2TP VPN was working perfectly fine on the NSA2600, but with the EXACTLY SAME settings, L2TP VPN does not work on the TZ670 with firmware SonicOS 7.0.0-R906
I have also tried the knowledgebase articles for setting up L2TP VPN server and checking Windows settings for the connection, and I've checked that I have the HKLM PolicyAgent key in the Registry. As I said, L2TP VPN on our Windows computers was working fine with the NSA2600, but does not work with the TZ670.
I’m sorry to hear about this inconvenience.
@shiprasahu93, @Saravanan, @John_Lasersohn: have we seen this before or would you recommend opening a support ticket 🎫 for real time troubleshooting?
Appreciate you! 🙏🏻
@micah - SonicWall's Self-Service Sr. Manager
Thanks @Micah , I hope the SonicWALL team can advise what to do.
Have you or your team tested L2TP VPN with SonicOS 7.0.0-R906? If you have and are able to get it to work, could you please post your settings? The settings I'm using are copied from my NSA2600, but I'm more than happy to try settings that you or the SonicWALL team use to get it to work.
I tried testing L2TP on R906 on a TZ 370 and see that the packets are being dropped as 'fails to handle L2TP pkt'. I am not sure if it is the same case on your firewall, but this definitely needs to go through a support ticket.
Technical Support Advisor, Premier Services
Thank you for testing @shiprasahu93
Are you sending this to SonicWALL support for fixing, or is this something I need to report?
Seems to me that if it comes from you, it would have more priority.
Hello @scottkeen - It is always good to have a support case open for this sort of thing, and once you posted the case number, we can use it as a training exercise for the case owner, who will either find a solution or create a ticket for Engineering to fix it. and @shiprasahu93 can work with them, or I can, to make sure it gets the proper attention. I hope this helps.
Thanks. I opened a new case.
Should I post the case # number here in this community forum?
I just recently PM'd you requesting the case number.
@micah - SonicWall's Self-Service Sr. Manager
@Micah Just got both your messages. I'll PM the case number to you. Thanks.
were you able to get a resolution on this?
Not from SonicWALL support. I spent 10 hours with 2 different SonicWALL tech support people, going round-and-round in circles, not making any progress whatsoever. The last thing they suggested was to reset my TZ 670 in a production environment to factory defaults and try L2TP! Are you kidding me! It's in a production environment!
I insisted that the problem is with the firmware, and SW support was unable to prove otherwise, yet they did not want to refer this to SW Development. Since that was not going to happen, I said to note that the issue was Unresolved if they close the case.
That said, I think I figured out the fix on my own. I'm convinced it's a firmware bug, as I suspected. I wish SW tech support referred this to SW Development who would have probably discovered the bug.
How am I convinced it's a bug in the firmware? Because I have (2) TZ 670 units in two different physical locations with different ISPs (one is Cox, one is Cogent) and they both have the same issue with L2TP not working, even with copying the same exact WAN GlobalVPN and L2TP settings from the NSA 2600.
How else am I convinced it's a bug in the firmware? Because after decades in IT I know that what "makes sense" doesn't always work and you have to do something that doesn't make sense to make it work.
So here is how I got it to work. YMMV
That's it. Switch Off. Accept. Switch On. Accept.
You may have to make the following change first:
Something is probably getting written to data tables on the back-end with the Off-Accept-On-Accept steps so that L2TP will work, despite that on the GUI everything looks fine. This is why I'm convinced it's a bug.
Let me know if it works for you.
I have the exact same issue. A couple months ago I moved from the TZ400 to the TZ370 and my L2TP no longer connects; all the settings are the same. Both on the original and latest firmware.
I opened a ticket 6 weeks ago and multiple techs verified everything over and over; they even created a new account so they could try it from "their" IOS device and same issue. I tried the disable/enable idea above but no luck.
Their latest is that is must be my ISP and want to close the case.