
TZ 370 IPSec Site2Site VPN not working - Invalid Syntax

MartinMP Newbie ✭
edited April 28 in Entry Level Firewalls

Hi all

I have previously had a working IPSec site2site VPN between my TZ500 and a Unifi USG firewall with no issues at all.

The thing is though, I have upgraded my TZ500 to a new TZ370 and I simply cannot get the IPSec site2site VPN to work at all between my TZ370 and the Unifi USG firewall.

The TZ370 is running SonicOS 7.0.1-R1262, which is the latest firmware available at mysonicwall.com.

I have tried the following without success.

1. Exported the config from the TZ500, migrated it with https://migratetool.global.sonicwall.com/ and then imported it to the TZ370: no working VPN.

2. Did a factory reset on the TZ370 and set everything up from scratch, but the VPN is still not working.

3. Tried many different things with the IPSec config without any luck.


I get the errors below on my TZ370; any suggestions on how to solve this?

IKEv2 Received notify error payload and VPN Policy: test; Invalid Syntax


The funny thing is, if I connect my old TZ500, the IPSec VPN works as expected.


Kind regards

Martin


Answers

  • Saravanan Moderator

    Hi @MARTINMP,

    Thank you for visiting SonicWall Community.

    As per your description, it looks to be an issue on the TZ 370. I have seen a similar issue before, and it needs real-time assistance.

    I would recommend that you seek help from our support team; see the web link below for support phone numbers.


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @MARTINMP,

    Can you share your Unifi USG firewall and your SonicWall site-to-site VPN tunnel configuration here?

    "Payload processing failed" indicates a mismatch of proposals during phase 1 or phase 2 negotiation of a site-to-site VPN.
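
To make the proposal-mismatch diagnosis above concrete, here is an added example (not from any poster and not SonicWall code): a small Python decoder for the IKEv2 Notify payload as defined in RFC 7296, which maps the numeric Notify Message Type behind a log line like "Invalid Syntax" to the configuration area a defender should check first, separating a malformed-payload report (INVALID_SYNTAX) from a genuine proposal mismatch (NO_PROPOSAL_CHOSEN, TS_UNACCEPTABLE, INVALID_KE_PAYLOAD). The sample payloads are constructed, not captured from any device.

```python
import struct
from dataclasses import dataclass

# Error-class Notify Message Types from RFC 7296, section 3.10.1.
NOTIFY_ERRORS = {
    1: "UNSUPPORTED_CRITICAL_PAYLOAD", 4: "INVALID_IKE_SPI", 7: "INVALID_SYNTAX",
    14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED",
    38: "TS_UNACCEPTABLE",
}

@dataclass
class Notify:
    protocol_id: int   # 0 = the IKE SA itself, 1 = AH, 3 = ESP
    spi: bytes         # empty when SPI Size is 0
    msg_type: int
    data: bytes        # Notification Data, e.g. the accepted DH group for INVALID_KE_PAYLOAD

def parse_notify(buf: bytes) -> Notify:
    """Decode the first Notify payload in buf: 4-byte generic header, Protocol ID, SPI Size, Notify Message Type, SPI, data."""
    if len(buf) < 8:
        raise ValueError("shorter than the 8-byte fixed part of a Notify payload")
    _next, _flags, length, proto, spi_size, msg_type = struct.unpack("!BBHBBH", buf[:8])
    if length > len(buf) or length < 8 + spi_size:
        raise ValueError("Payload Length disagrees with the data")  # the malformed case INVALID_SYNTAX reports
    return Notify(proto, buf[8:8 + spi_size], msg_type, buf[8 + spi_size:length])

def is_malformed(buf: bytes) -> bool:
    try:
        return parse_notify(buf) is None
    except ValueError:
        return True

def triage(n: Notify) -> str:
    """Point at the configuration area to check first for the error the peer sent."""
    if n.msg_type == 7:
        return "INVALID_SYNTAX: peer could not parse our message; suspect a malformed payload (software), not the proposals"
    if n.msg_type in (14, 38):
        return f"{NOTIFY_ERRORS[n.msg_type]}: proposal mismatch; compare phase 1/phase 2 algorithms, DH group, lifetimes, traffic selectors"
    if n.msg_type == 17 and len(n.data) == 2:
        return f"INVALID_KE_PAYLOAD: DH group mismatch; peer wants group {struct.unpack('!H', n.data)[0]}"
    return f"{NOTIFY_ERRORS.get(n.msg_type, f'UNKNOWN({n.msg_type})')}: see RFC 7296 section 3.10.1"

# Constructed sample payloads (not captured from any device): no SPI, no trailing payloads.
SAMPLES = {
    "invalid_syntax": bytes.fromhex("00 00 00 08 00 00 00 07"),
    "no_proposal":    bytes.fromhex("00 00 00 08 00 00 00 0e"),
    "wants_group14":  bytes.fromhex("00 00 00 0a 00 00 00 11 00 0e"),
}
```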

  • ThK Cybersecurity Overlord ✭✭✭

    @MartinMP, if you search older posts regarding OS7, your problem has already been seen.

    It seems that there is something really bad in the software. So the basic functions cause such issues?

    Like one guy said, we should buy another 1- or 2-year licence for Gen6.

    I was lucky when I imported the config file from the TZ300 into the TZ370 directly, not with that migrate tool...

    --Thomas

  • MartinMP Newbie ✭

    Yes, these settings below are from my TZ500, which is working just fine with the USG firewall.

    Same settings on TZ370 (not working)


    Settings on the Unifi USG firewall, which work fine with the TZ 500.


    I have searched a lot and read in the forum; it is a bit disappointing that simple things do not work properly.

    Also discovered another bug: if you switch to classic view, navigate to "Network" and click on "Zones", you are logged out from the SonicWall TZ 370 and it jumps back to the login screen. It is only possible to edit Zones if you are using the new GUI design in SonicOS 7.0 -> Object -> Zones.

  • ThK Cybersecurity Overlord ✭✭✭

    @MartinMP, I checked with my (home office) TZ370.

    Same here: click on Zones, logged out!

    Isn't that scary?

    --Thomas

  • preston Enthusiast ✭✭

    Hi @MartinMP @ThK, have you raised the issue with the Classic menu and Zones with SonicWall support?

  • ThK Cybersecurity Overlord ✭✭✭
    edited April 30

    @preston no, not yet. I have to admit that I have other problems to solve, fighting with the WCM portal and SSO from cloud.sonicwall.com,

    but I hope that the moderators will finally forward the countless posts about OS7 to the developers.

  • MartinMP Newbie ✭

    Just a short update on my troubleshooting: I took a backup of my current settings from the TZ370, which ran FW 7.0.1-R1262.

    Downgraded to R906 and then imported my settings, and boom, the IPSec VPN worked!

    The conclusion must be to downgrade the firmware if you want to use VPN 🧐


  • TKWITS All-Knowing Sage ✭✭✭✭

    Had a thought about the VPN issues. Running a 570 on R1262, no issues with the few VPN tunnels, BUT I do set the following to be in line with my tunnel configs.

    Network \ IPSec VPN \ Advanced \ IKEv2 Settings \ IKEv2 Dynamic Client Proposal.

  • DavidT Newbie ✭
    edited May 25

    I can confirm that I have the same issue on a new NSa 2700. I tried setting up IKEv2 tunnels to both a FortiGate and a WatchGuard; neither tunnel would come up. The FortiGate kept complaining about malformed payloads.

    Switching to IKEv1 helped.

    The interface in general is buggy as well, I keep getting error messages saying "An error has occured", and clicking the Policies tab is hit-or-miss. Clicking on sections again, like the firewall policies, can help them load.

    In addition, I spent an hour on the phone with support when I installed the device, since it was routing all the traffic down a black hole. In the end, a restart (the second one, I restarted before calling support) fixed that.

  • RealITCare Newbie ✭
    edited June 4

    I just want to leave a final comment. We had a site-to-site VPN from a SonicWall TZ470 to a Cisco ASA. We kept getting "IKEv2 Received notify error payload" "Invalid Syntax" messages. We verified the IKE phase 1 and phase 2 settings. Finally, I rolled back the firmware image from 7.0.1-R1262.bin.sig to 7.0.0-R906.bin.sig. That fixed the VPN. The tunnel came online immediately. I may try the latest image 7.0.1-R1456.bin.sig soon, as it was just released.

  • Ach49 Newbie ✭
    edited June 8

    We have the same problem on our side.

    Except that... it's between a TZ470 and an Nsa2600.

    The TZ470 with firmware 7.0.1-R1262 fails to set up an IPSec tunnel with the Nsa2600 (firmware 6.5.4.7-83n).

    Log on the TZ and Nsa: Phase 2 Timeout.

    We have to put firmware 7.0.0-R906 on the TZ470 for it to work...

    Have you tested the new version 7.0.1-R1456?

    Nothing is indicated in the release notes on this subject.


    Thank you for your answers

  • NimodaBandara Newbie ✭

    We recently bought a TZ270 and installed it on one of our test sites, and had problems with publishing websites to the internet via NAT and with the IPsec site-to-site VPN. Lowering the MTU size on the WAN interface seems to resolve both issues.

  • sewelldev Newbie ✭

    I made the mistake of upgrading my new TZ370 to R1456 immediately, before trying it out with the IPsec VPN we had been using on the TZ300 it replaced. The VPN did not work. After seeing this discussion, I downgraded the new TZ370 back to R906 and the VPN worked like it had been working on the old TZ300.

    Thanks!

  • MarcelK Newbie ✭

    The problem with IPSec VPN still occurs in the latest firmware release (7.0.1-5018).

    A downgrade to R509 solves the problem. IPSec works fine.
