
TZ 270 - 7.0.1-R1262 - VPN Tunnel Issues?

BWC Cybersecurity Overlord ✭✭✭

Hi,

A newly deployed TZ 270 is giving me a hard time with a VPN tunnel. A connection to another TZ 500 worked fine for a couple of hours, but suddenly it stopped; I still need to investigate if this is P1/P2 lifetime related. It ended in "Remote Party Timeout" messages on both sides.

Usually with disabling/enabling the connections on both sides it could be fixed for the moment, but not in this case. I had to restart the TZ 270 to get it working again.

Are there any known problems for IKEv2 between Gen7 and Gen6? While the problem occurred I switched to IKEv1 Main Mode, but no luck without a reboot either.

One thing to be noted, the TZ 270 is behind a WAN router having the TZ 270 as Exposed Host (NAT ALL, you guessed it right, Fritz!Box).

--Michael@BWC

Category: Entry Level Firewalls

Answers

  • JR2021 Newbie ✭

    YES!

    We have a newly deployed TZ500w that was running firmware 7.0.0-R713, and we put up a S2S tunnel to Azure without trouble. After we upgraded to 7.0.1-R1262, our tunnel promptly went down. I recreated it, tried doing a tunnel interface, tried recreating the pieces on the Azure end, and nothing worked for us.

    I downgraded to 7.0.0-R906 and the tunnel immediately went back up. I don't know what might have changed in the latest firmware, and I'm not tech savvy enough to track down the cause, but I figured I'd pipe in and let you know that I'm having VPN trouble with this firmware release, too.

  • TKWITS Community Legend ✭✭✭✭✭

    Discussion there seems to indicate VPN tunnel issues with R1262.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi guys,

    This makes total sense. I have a few Gen7 appliances in the field, still running R906, and no VPN related complaints so far. I advised my customers not to update to R1262 until this is verified.

    --Michael@BWC

  • BWC Cybersecurity Overlord ✭✭✭

    Hi,

    First things first, other customers running R1262 on TZ 270 and 670 reported no general VPN related problems.

    But I'm having trouble with one specific deployment between a TZ 270 and a TZ 500. Whenever the TZ 500 is executing the WAN schedule down-time (daily at 2:59 AM for a minute) the TZ 270 is logging the expected:

    IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.

    Around 03:00 AM the WAN link on the TZ 500 is back and all other VPN connections to the TZ 500 are working again, except the one to the TZ 270. These messages get logged over and over again, and the tunnel never comes back until the TZ 270 gets rebooted.

    IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
    IKEv2 Responder: Received IKE_SA_INIT Request
    IKEv2 Accept IKE SA Proposal
    IKEv2 NAT device detected between negotiating peers
    IKEv2 Responder: Send IKE_SA_INIT response
    IKEv2 Peer is not responding. Negotiation aborted.

    Is there any way to solve this? The TZ 500 is working fine; it's the TZ 270 which causes trouble at the moment.

    I'm not on-site and remote testing is limited. Maybe setting a WAN schedule on the TZ 270 can work around the problem, but that would be no real solution.

    --Michael@BWC

  • TKWITS Community Legend ✭✭✭✭✭

    Had a thought about the VPN issues. Running a 570 on R1262, no issues with the few VPN tunnels, BUT I do set the following to be in line with my tunnel configs.

    Network \ IPSec VPN \ Advanced \ IKEv2 Settings \ IKEv2 Dynamic Client Proposal.

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @TKWITS, the policy in that case is not using the Dynamic Client Proposal, because both sides have static IP addresses. But did you experience any trouble having the Dynamic Client Proposal not on par with the Policy Proposal, despite not using it?

    I disabled the WAN schedule on the remote side, so no forced reconnect at 03:00 AM, and the VPN connection is still working, so I can say for sure it's at least triggered by the reconnect.

    --Michael@BWC

  • TKWITS Community Legend ✭✭✭✭✭

    @BWC Having the Dynamic Client Proposal settings different from the tunnels makes no difference. Was a thought.

  • DavidT Newbie ✭

    I can confirm that I have the same issue on a new NSa 2700. I tried setting up IKEv2 tunnels to both a Fortigate and a Watchguard; neither tunnel would come up. The Fortigate kept complaining about malformed payloads.

    Switching to IKEv1 helped.

    The interface in general is buggy as well. I keep getting error messages saying "An error has occurred", and clicking the Policies tab is hit-or-miss. Clicking on sections again, like the firewall policies, can help them load.

    In addition, I spent an hour on the phone with support when I installed the device, since it was routing all the traffic down a black hole. In the end, a restart (the second one, I restarted before calling support) fixed that.

  • RyanH Newbie ✭

    Having the same problem. Upgraded a new TZ570 from 7.0.0 to 7.0.1-R1262 and now my IKEv2 tunnel interface to Azure will not work no matter what I do. Any word on a resolution?

  • @RyanH, this should be fixed in the release that just came out.

  • JohnG Newbie ✭

    We have had all kinds of VPN problems with R1262. Sonicwall keeps telling us it's not a firmware issue, but I believe it is.

  • ThK Cybersecurity Overlord ✭✭✭

    I have a brand new NSA2700 replacing our NSA2650. On 8 June my services will expire.

    I did not import any old config to get a good response from the new OS.

    First I connected our 3 WAN lines to the internet and then updated to R1269.

    Next I spent the complete afternoon getting the VPN to my home office, a TZ370 with FW 1456, configured. One of 30!!!!

    I was not lucky in the end, only frustrated. Now I update the NSA2700 also to 1456. Same!

    Now I destroyed the NSA2700 by importing the 2650 config.

    ----

    I have to drive now to my office and replug the 2650 to get back in business again. What a mess!

    -----

    HOW MANY postings are needed to give us an ear? The number of issues described here should be commented on by SONICWALL!

    Now!

    And in the description of 1456 not one word about this VPN disaster.


    --Thomas🤯

  • RyanH Newbie ✭

    I can confirm the latest firmware resolved this issue for me.

    It did not resolve some other issues I'm having with the Gen7 device sadly.

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @JR2021 @DavidT @RyanH @ThK @BWC Have your IPsec issues gone away with the latest firmware? I have been on the sidelines looking at this disaster and I'm still on 7.0.0 on my only Gen 7 device. Safe to upgrade? This unit has a tunnel to Azure which must stay up at all times.

  • BWC Cybersecurity Overlord ✭✭✭

    @SonicAdmin80 I'm running 7.0.1-5030 on all of my deployments at the moment and VPN-wise it is running fine. But no specific Azure experience over here, plain vanilla tunnel interfaces to other SNWLs.

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @BWC great to hear. Hopefully booting to previous firmware works without wiping in case I need to downgrade. I just added the TZ670 to GMS and I’m seeing RAM exhaustion now which causes reboots. I hope the latest firmware fixes it.
