ntwj asked:

Sonicwall to Sonicwall VPN

I have two offices with a Sonicwall at each location configured as a VPN tunnel. The remote office has a dynamic public IP. Therefore, the Security Association at the home office must have an IP of 0.0.0.0.

In this configuration, they will not connect, even when it is the remote office initiating the connection.

But, when I look at the home office status screen it shows me the current dynamic ip of the remote office. If I key that address into the SA of the home office Sonicwall, they connect fine. I cannot leave this address keyed in though because it will likely be different the next day.

What am I doing wrong?
jeffkearns

Are you using IKE or Manual Key? I've found that Manual Key works much better with dynamic IP setups. I don't know if it was a similar problem, but when we first set up our VPNs a few years ago, our dynamic remote sites would just disconnect for (apparently) no reason.

Just remember that the Incoming SPI at the host location is the Outgoing SPI at the remote location and vice versa.

Good luck,

Jeff
ntwj (ASKER)

Incoming and Outgoing SPIs are the same (which is ok). We are using Manual Key.

Like I say, when we key the current dynamic IP of one Sonicwall into the other, we connect instantly.

I wondered if other setup information is checked (for security reasons) if one Sonicwall is set as 0.0.0.0, and whether it is not checked if the IPs are static and agree.

Thanks again.
> I wondered if other setup information is checked (for security reasons) if one Sonicwall is set as 0.0.0.0, and whether it is not checked if the IPs are static and agree.

I don't understand this sentence. Can you rephrase it?

We use Manual Key with dynamic IPs all the time and have never experienced what you are. Have you changed anything in the Advanced Settings?

I'm sure this is OK, but you may want to double-check that the IP address is correctly entered (not 0.0.0.0) in the VPN settings on the remote SonicWALL.

Also, under the log settings, you may try to check the two VPN related checkboxes on both boxes and see if the logs tell you anything.

Are you using the most current firmware?

Is there a NAT device in front of the dynamic SonicWALL?

Jeff
ntwj (ASKER)

To rephrase my previous comment:

I was thinking that if both Sonicwalls had static IPs and could be manually entered into the SA of the other Sonicwall, then (for example) the Unique Firewall Identifier would be irrelevant.

It is my understanding that the Unique Firewall Identifier must match the SA name of the other unit, but if the IPs were static and manually entered then the SA name might be ignored.

I was wondering if there were any other settings that were used for security reasons if the unit was dynamic (i.e. 0.0.0.0) but were ignored if the units were static.

I hope that makes more sense.

Yes, just downloaded the current firmware yesterday.

Yes, there is a NAT device in front of the Sonicwall and it has the actual dynamic IP address.

More info...

This has been working for two years. Two weeks ago we noticed the VPN was down but we still had internet access. After a couple of days, the VPN came back up. Then Wednesday (today is Friday) it went down again. This is why I updated the firmware.

We have another office which was dynamic also, but it never went down. They both connect to the same home office VPN. Now that I've updated the firmware at the home office, both offices' VPNs went down. We fixed one because it actually has a static IP. The other (the one that's down now) is DSL and is dynamic.

There is a NAT device in front at both remote offices, but this has worked fine for two years. Is there a change in the latest firmware that would stop this?

> It is my understanding that the Unique Firewall Identifier must match the SA name...

Yes, that's true if one end of the VPN is a dynamic IP. If two static IPs are used, then the Firewall Identifier doesn't matter, just as you stated. However, as a matter of practice, we always make the name match. Additionally, we also make the name on the Log Settings tab match, and we never use spaces in our names.

> I was wondering if there were any other settings...

None that I know of.

> Yes, there is a NAT device in front of the Sonicwall...

This probably isn't the problem, but SonicWALL's tech support pages warn that it will sometimes cause a problem. We try to avoid NAT devices in front, but we have also never had any problems when they are there.

> Two weeks ago we noticed the VPN was down but we still had internet access...

Starting around the time your problem began, some ISPs began blocking traffic that they never did before because of the Blaster worm. I wonder if this could be the problem? Maybe put a call in to both your ISPs and ask them.

> Both offices' VPNs went down...

I'm a little confused. Do you have three locations, one static and two dynamic? And even though the first dynamic was having problems with the static, the two dynamics were communicating correctly? Until you updated the firmware, and then the two dynamics joined the first dynamic and the static in having problems?

A couple more questions:

Have you updated the firmware everywhere?

Have you tried IKE?

Have you double-checked your router to make sure that nothing has changed? There was a post on a mail list today that Adelphia had "secretly" changed their customers' routers to block ICMP recently. I doubt that they are the only ISP to do so.

Jeff
ntwj (ASKER)

Sorry for the confusion:

We have three offices. One is the home office with a 50 user SOHO2. Two are remote offices with 5 user TELE3's.

The home office is static. Both remote offices were set up as dynamic even though one was actually static. By that I mean we had 0.0.0.0 in the home office SA for that location. The static location is cable internet access and the dynamic location is DSL.

Two weeks ago, the DSL location's VPN went down. The cable location stayed up. (Remember, the home office SOHO had 0.0.0.0 in both SAs.)

We worked with the DSL location and all by itself, it came back on-line after about 2 days. Then Wednesday, the DSL location VPN went down again. The cable location stayed up.

I downloaded firmware 6.4.2 on the home office. After reconfiguration, both the DSL and the cable location VPNs were down. I manually entered the static IP of the cable location and it came back on-line.

Neither remote office can connect while using 0.0.0.0. Both can connect when I key in their IP addresses. The cable location is static so I can leave it keyed in. The DSL location is dynamic so it will fail as soon as the IP address changes, which will probably happen after being down all this weekend.

Firmware is:

Home Office      6.4.2.0
Cable Location   6.3.1.0
DSL Location     6.0.1.1

I hope that helps.

I'll be offline until tomorrow, so I won't be able to respond until then. Thanks for your help and patience.

ntw
How are things going?

In your previous post, you didn't address my last few questions. Here they are again:

Have you updated the firmware everywhere? Also, v6.5 is out. It may be worth a try.

Have you tried IKE?

Have you double-checked your router to make sure that nothing has changed? There was a post on a mail list today (Friday) that Adelphia had "secretly" changed their customers' routers to block ICMP recently. I doubt that they are the only ISP to do so.

Jeff
ntwj (ASKER)

Firmware versions are

Home Office      6.4.2.0
Cable Location   6.3.1.0
DSL Location     6.0.1.1

The DSL location is the one I'm most concerned about, so I can try upgrading it. It is a 45-minute drive, so I'm not sure if I can get there today or not. They are running because I've entered their dynamic IP address as a static IP address in the home office SA.

I could try IKE. I tried it two years ago when we first set this up and never got it to work. I then tried manual and it worked.

I have checked the router settings and all looks OK. I think, though, that if the VPN works with the remote IP keyed into the home office SA then everything is set right. Maybe not?

(I'm setting up a new home office/remote office today. This is a different client altogether. The remote is DSL with a dynamic address, so I'll be curious how it works. All of my other clients using Sonicwalls have static IPs at both locations, so I've never had a problem.)

I'll keep you up to date. Thanks, again.

Nathan
You can update the firmware remotely, no need to drive. We do it this way all the time. Updating the firmware is the first thing I would try. At the moment, you have two different versions of the VPN software running. There were a lot of updates between 6.0.1.1 and 6.4.2.0. That could be a problem.

It's probably worth seeing what would happen with IKE. I don't know why it would be any different, but it could work.

Call the ISPs and ask them if anything changed around the date you started having problems. It's worth a phone call and may even answer your question.

Jeff
As long as you have a static address on the home office SOHO2, using 0.0.0.0 on the TELE3s will work, but you need to make some changes. We had similar problems on DSL connections, but they were resolved by switching to "IKE, using preshared secret" and setting Encryption to "Strong Encrypt and Authentication (ESP 3DES HMAC SHA1)". Give that a try; you might find you have a solid connection.

Of course, the easy workaround would be to get a static IP from your ISP.
PS: under "Exchange", set to "Aggressive Mode" rather than "Main Mode".
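As an added example that is not part of this thread or of SonicWALL's own software, the Python below encodes the consistency rules the answers above state (crossed SPIs for Manual Key, the Unique Firewall Identifier matching the far-side SA name when the peer is 0.0.0.0, aggressive mode for IKE with a dynamic peer, matching firmware) as a checker over two SA descriptions. The dict field names and the sample values are this example's own assumptions, not SonicWALL's configuration format.

```python
# Added example (not from the thread): consistency checks for a pair of
# SonicWALL-style site-to-site SAs, modelled as plain dicts. Field names
# (peer_ip, sa_name, firewall_id, key_mode, spi_in/spi_out, exchange,
# proposal, firmware) are assumptions of this example, not SonicWALL's format.

DYNAMIC_PEER = "0.0.0.0"  # home-office SA value when the remote IP is dynamic


def check_sa_pair(home: dict, remote: dict) -> list:
    """Return the mismatches between the two ends; an empty list means consistent."""
    problems = []
    if home["key_mode"] != remote["key_mode"]:
        problems.append("key mode differs between ends")
    if home["proposal"] != remote["proposal"]:
        problems.append("encryption/authentication proposal differs")

    # Manual Key: the incoming SPI at one end is the outgoing SPI at the other.
    if home["key_mode"] == "manual":
        if home["spi_in"] != remote["spi_out"] or home["spi_out"] != remote["spi_in"]:
            problems.append("manual key: SPIs are not crossed")

    # An end configured with peer 0.0.0.0 cannot match the tunnel by address,
    # so the other end's Unique Firewall Identifier must equal this SA's name.
    dynamic_peer = False
    for local, other, label in ((home, remote, "home"), (remote, home, "remote")):
        if local["peer_ip"] == DYNAMIC_PEER:
            dynamic_peer = True
            if other["firewall_id"] != local["sa_name"]:
                problems.append(f"{label} SA expects identifier '{local['sa_name']}', "
                                f"peer sends '{other['firewall_id']}'")
            if " " in local["sa_name"]:
                problems.append(f"{label} SA name contains spaces")

    # IKE with a dynamic peer: identity is exchanged in aggressive mode.
    if home["key_mode"] == "ike":
        if home["preshared_secret"] != remote["preshared_secret"]:
            problems.append("IKE preshared secrets differ")
        if dynamic_peer and "aggressive" not in (home["exchange"], remote["exchange"]):
            problems.append("dynamic peer with IKE: use aggressive mode")
        elif dynamic_peer and home["exchange"] != remote["exchange"]:
            problems.append("IKE exchange mode differs between ends")

    if home["firmware"] != remote["firmware"]:
        problems.append(f"firmware differs ({home['firmware']} vs {remote['firmware']})")
    return problems


def example_pair():
    """Constructed sample: static home office, dynamic DSL remote, IKE + PSK."""
    home = dict(sa_name="dsl_office", firewall_id="home_office", peer_ip=DYNAMIC_PEER,
                key_mode="ike", preshared_secret="example-psk", exchange="aggressive",
                proposal="ESP 3DES HMAC SHA1", firmware="6.4.2.0", spi_in=None, spi_out=None)
    remote = dict(home, sa_name="home_office", firewall_id="dsl_office", peer_ip="203.0.113.10")
    return home, remote
```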
Is your problem resolved?  No feedback from you since 9/3/03
ntwj (ASKER)

No, the problem is not resolved. They are only running because I have the dynamic IP address of the remote office keyed into the Sonicwall of the home office as if it were static. It has changed once over the past couple of weeks and we had to key in the new dynamic IP.

I just set up a new office for a whole new client using a static home office and a dynamic remote office and it worked fine, so it must be something with this particular setup.

My next step is to update the firmware at the remote office. They are on 6.0.1.1.
Making sure both Sonicwalls are on the same firmware is an important step. Have you tried my suggestions above? Problems like this are often related to the vagaries of a particular ISP and whatever packet filtering they are doing. Please give it a try.
It has been a while. How did the firmware update go?

Jeff
ntwj (ASKER)

Hey,

I am still here. In fact I left a message with the tech guy at the remote office to coordinate the firmware upgrade. I'll stay in touch.

Nathan
ntwj (ASKER)

This is still a pending question. I am trying to schedule with my client to do the firmware upgrade at the remote site. We are still running with the Sonicwall set up with a static IP even though the remote site has a dynamic IP. The remote site's IP has not changed yet.
ASKER CERTIFIED SOLUTION
JConchie
Also the reconfiguration of the VPN itself... have seen this problem several times.
True, reconfiguring the VPN may be necessary. However, from the author's 08/29/2003 02:15PM CDT response:

"I downloaded firmware 6.4.2 on the home office. After reconfiguration, both the DSL and the cable location VPNs were down. I manually entered the static IP of the cable location and it came back on-line."

So I would be VERY surprised if updating the other devices did not solve the problem.

Jeff
ntwj (ASKER)

Sorry Guys,

My client hired an in-house computer guy who really is just a web designer. The problem still exists, but they no longer call me, so who cares, right?

I will gladly split the points between Jeff and Conchie if that is OK?

Hi ntwj,

Thanks for posting back.

Please award points as you see fit. My suggestions are just that, a suggestion :-)

Thanks

What90
EE Cleanup Volunteer
Use aggressive mode!!