TZ 370 IPSec Site2Site VPN not working - Invalid Syntax
I have previously had a working IPSec site2site VPN between my TZ500 and a Unifi USG firewall with no issues at all.
The thing is though, I have upgraded my TZ500 to a new TZ370 and I simply cannot get the IPSec site2site VPN to work at all between my TZ370 and the Unifi USG firewall.
TZ370 is running SonicOS 7.0.1-R1262 which is the last available FW at mysonicwall.com
I have tried the following without success.
Exported the config from TZ500 and migrated it with https://migratetool.global.sonicwall.com/ and then imported it to TZ370, no working VPN.
Did a factory reset on TZ370 and setup everything, from scratch but still not working VPN.
3. Tried many different things with the IPSec config without any luck.
I gets these errors on my TZ370 as below, any suggetions on how to solve this?
IKEv2 Received notify error payload and VPN Policy: test; Invalid Syntax
The funny thing is, If I connect my old TZ500 the IPSec VPN is working as expected.
Thank you for visiting SonicWall Community.
As per your description, it looks to be an issue on the TZ 370. I have seen this similar issue before and the issue needs real-time assistance.
I would recommend you to seek help from our support team as per below web-link for support phone numbers.
Technical Support Advisor - Premier Services
Can you share here your Unifi USG firewall and your Sonicwall site tosite VPN tunnel configuration?
Payload processing failed indicates there is a mismatch of proposals during phase 1 or phase 2 negotiation between a site-to-site VPN.
@MartinMP if you search for older posts regarding OS7 your problem was already seen.
It seeams that there is something really bad in the Software. So the basic functions do cause such issues ?
Like one guy said - we should buy another 1 or 2 year License to Gen6
i was lucky when i imported the config file from TZ300 in the TZ370 directly not with that migrate tool...
Yes these settings below are from my TZ500 which are working just fine with USG firwall.
Same settings on TZ370 (not working)
Settings on Unifi USG firewall, works fine with TZ 500
Have searched a lot as well as read in the forum, it is a bit disappointing that simple things do not work properly.
Also discovered another bug, if you switch to classic view and then navigate to "Network" and click on "Zones" then you are logged out from the Sonicwall TZ 370 and it jumps back to login screen. It is only possible to edit Zones if you using the new gui design in SonicOS 7.0 ->Object -> Zones.
@MartinMP i checked with my (homeoffice) TZ370
Same here click on Zones - logged out !
isnt´that scary ?
Yeah it is frustrating indeed🙄
Hi @MartinMP @ThK , have you raised the issue with the Classic menu and Zones to SonicWall support?
@preston no not yet. I have to admit that I have other problems to solve. Fight around with the WCM portal and SSO from cloud.sonicwall.com
but I hope that the moderators will finally forward the countless posts about OS7 to the developers.
Have unfortunately not had time yet, but will soon do it.
Just a short update on my troubleshooting, I took a backup of my current settings from TZ370 which ran FW 7.0.1-R1262
Downgraded to R906 and then imported my settings, and boom the IPSEC VPN worked!
The conclusion must be to downgrade firmware if you want to use VPN 🧐
Had a thought about the VPN issues. Running a 570 on R1262, no issues with the few VPN tunnels, BUT I do set the following to be inline with my tunnel configs.
Network \ IPSec VPN \ Advanced \ IKEv2 Settings \ IKEv2 Dynamic Client Proposal.
I can confirm that I have the same issue on a new NSa 2700. I tried setting up IKEv2 tunnels to both a Fortigate and a Watchguard, neither tunnel would come up. The fortigate kept complaining about malformed payloads.
Switching to Ikev1 helped.
The interface in general is buggy as well, I keep getting error messages saying "An error has occured", and clicking the Policies tab is hit-or-miss. Clicking on sections again, like the firewall policies, can help them load.
In addition, I spent an hour on the phone with support when I installed the device, since it was routing all the traffic down a black hole. In the end, a restart (the second one, I restarted before calling support) fixed that.
I just want to leave a final comment. We had a site-to-site VPN from a Sonicwall TZ470 to Cisco ASA. We kept getting "IKEv2 Received notify error payload" "Invalid Syntax" messages. We verified the IKE phase 1 and phase 2 settings. Finally, I rolled back the firmware image from 7.0.1-R1262.bin.sig to 7.0.0-R906.bin.sig, That fixed the VPN. The tunnel came online immediately. I may try the latest image 7.0.1-R1456.bin.sig soon, as it was just released.
We have the same problem on our side
Except that ... it's between a TZ470 and a Nsa2600
TZ470 with firmware 7.0.1-R1262 fail to set up an IPSec tunnel with the Nsa2600 (firmware 22.214.171.124-83n)
Log on the TZ and Nsa = Phase 2 TimeOut
We have to put firmware 7.0.0-R906 on the TZ470 for it to work ...
Have you tested the new version 7.0.1-R1456 ????
Nothing is indicated in the release note on this subject
Thank you for your answers
WE recently bought TZ270 and installed on one of our test sites, had problems with publishing the websites to internet via NAT and IPsec site-to-site VPN. Lowering the MTU size in WAN interface seems to resolve both issues
I made the mistake of upgrading my new TZ370 to R1456 immediately - before trying it out with our IPsec VPN we had been using on the TZ300 it replaced. The VPN did not work. After seeing this discussion, I downgraded the new TZ370 back to R906 and the VPN worked like it had been working on the old TZ300.
The problem with IPSec VPN still occurs in the latest firmware release (7.0.1-5018).
A downgrade to R509 solves the problem. IPSec works fine.
Thanks for the post. I was having issues on a Site-to-Site ipsec vpn tz370<-->tz300.
I can confirm the latest firmware of the tz370 as today 01-13-2022 (7.0.1-5030) still have the same issue connecting to an old Sonicwall TZ300 on a site-to-site VPN .
Downgrading the tz370 to 7.0.0-R906 solved the issue for me.
Wow, this has to be the most frustrating thing in the world...upgraded all TZ300 to TZ370 and now I spend all my time troubleshooting the stupid VPN tunnels dropping and not re-establishing connection after one FW restarts. What a bunch of crap this is...and no, I haven't opened a ticket with support because I like to waste my time thinking I'm smarter than everyone else...not to mention, I have yet to have a so-called SW engineer resolve any problem I've had with configuration and troubleshooting. Support isn't what it used to be (and has certainly never come close to that of a Cisco platform...it's a shame that equipment is over-priced and complicated). Anyways, I stumble across this last entry, dated January 13, 2022 and what do I see? The same exact problem (only after upgrading from 300s to 370s) with the same exact resolution...the only difference is, I no longer have 300s in play and now, in less than a month, I'm now dealing with another VPN tunnel that won't re-establish itself after one FW gets restarted (on purpose, by accident, unplugging or initiating a restart through the interface). Maybe I'll open yet another ticket...seeing how the last one I opened (unable to remove "non-existent" gold image and configuration from a 370 that was acquired by the secure upgrade program), I won't hold my breath that these so-called engineers can resolve my BIG problem.
Gotta love going back to a firmware revision that exists by way of this new series introduction as being the solution...what's the point in releasing new firmware if the previous and the previous to that and that and that doesn't fix anything?
invalid syntax usually means PSK mismatch. But you send to screenshot is same everything. I think you should inform sonicwall support. they will send to development engineers this issue
Yes you're right, thinking Sonicwall is aware of all these bugs.
I must honestly admit I am not further impressed by the new Sonicwall, preserved the new graphic design is nice, but what does it help when the stability lags or is completely lacking.
My own TZ370 has been running for almost 70 days, without any error until yesterday where I lost connection to the internet.
I then tried to login on the sonicwall web interface, but it was not accessible at all.
Even client was not able to pull an IP from the DCHP server (Sonicwall)
Only way to solve it, was a hard reboot. These bugs are very frustrating and annoying my old TZ500 was much more stable than this.
Hi @MartinMP ,
I understand you; last version of sonicwall makes big trouble for us.
In fact, I have been sped more than 15 years with sonicwall technology all of products. I have told all of this time sonicwall must transition to new gui and Unified Policy Management like OSX7 however this transition is very ver bad. I can say alots of thing about this. but I know sonicwall won't care this.
I think, they changed OS into the sonicwall firewall. before version 7 sonicwall was using Vxworks.They changed High Availibility infrastructures, Packet stream processes are different than version 6,
anyway, I hope Sonicwall fix immediatly these faults.
Have nice day
Another day, another round of fighting these TZ370W's...according to the included, I can fix it by updating the firmware to a higher version! But wait, doing so breaks the VPN tunnel. It's like a merry-go-round that never stops. Sigh.
@abhits try the new firmware 5050 , worked for me