  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8988

VPN handshake timeout on Sonicwall

I have a TZ 170 SonicWALL that has site-to-site VPNs to 5 of our remote locations. On Friday, one of the VPNs went down and I can't get it back up.

The SonicWALL on the other end is a SOHO3/10.

No changes had been made to either SonicWALL when the VPN went down. However, that warehouse had their internet go out. Their internet is back up (they can surf the web), but the VPN is not coming back up.

I went through and deleted the VPN configuration in both SonicWALLs and set it back up. Still, no change.

In the SOHO3/10, I can see in the log where it's trying to establish the VPN and then timing out. In my TZ 170, I do not see this in the log...

My assumption is that this is an internet issue. That warehouse's internet is very slow...
But I'm not sure why I'm not seeing attempts to establish a VPN in my log (perhaps I don't have it configured properly to record that kind of event).

Is there a way to verify that this is an internet issue? It only makes sense to me because the problem started after their internet went out...

I've done a traceroute, but I'm not sure how long a VPN handshake waits before it times out...

Here is what I'm seeing in the log of the SOHO3/10:
09/30/2007 11:01:48.192 - IKE Initiator: Start Main Mode negotiation (Phase 1) - Source: - Destination: - -
09/30/2007 11:01:54.192 - IKE Initiator: No response - remote party timeout - Source:, 500 - Destination:, 500 - -
zephyr_hex (Megan)
1 Solution
That's a network issue.

Check network connectivity between the units. Check to make sure you are able to ping or connect to the remote gateway IP. Has the gateway IP changed? How about checking from the other site (if connectible)?
"Disable this SA" box is not checked in the SA of the IKE Responder.
IPSec Gateway address in the Initiator SA specifies the WAN address of the IKE Responder.
IPSec Gateway Name (if used) resolves to the WAN address of the IKE Responder.
IKE Access Rules are enabled on both SonicWALLs.
No other firewalls in the path blocking IKE (UDP 500) or IPSec (IP protocol 50).
Contact the ISP to see if they are blocking IKE (UDP 500) or IPSec (IP protocol 50).
zephyr_hex (Megan), Developer, Author, commented:
Ping is successful both ways (I can ping my WAN IP from a computer in their network, and I can ping their WAN IP from my computer).

Traceroute is successful.
FTP is successful from a computer on their network to my FTP server.

VPN is not disabled. I have even deleted the config and reconfig'd it. And I just restored the config from a backup I made earlier this month. No dice.

There is no firewall blocking transmission on my end because the SonicWALL appliance is the gateway. However, at their end they have a Belkin DSL router that sits in front of the SonicWALL. I'm wondering if a new config was downloaded to that appliance when the internet went out on Friday. I can ping that appliance. How do I test if it's blocking ports I need?
zephyr_hex (Megan), Developer, Author, commented:
Never mind on that last question. I'm sure their DSL router is not blocking required ports. When I restored the VPN config from backup, it re-enabled 3 other VPN tunnels. So I'm sure that their SonicWALL is not broken, and I'm sure that there is no firewall blocking VPN tunnels.

Unfortunately, I don't need any of those 3 other VPN tunnels. The one tunnel I do need is the one that isn't coming up.

What else could be causing this? Could it really be a timeout issue? I'm assuming the handshake waits for a response and times out at some point... Do we know that threshold?
The connection fails in Phase 1 negotiation.

And the error message is clearly a timeout. How about the logs on the peer device? You say you can ping, so there isn't a routing issue. Are both the devices finding the right gateways? This is a very simple mistake that anyone can make. I haven't done a VPN on a Sonic, but have you checked the Proxy IDs (if this is a route-based VPN)?
David Scott, MCSE, Network Administrator, commented:
Have you gone to the diag page of the SOHO and tried to ping a website? That way you can make sure the SOHO has an internet connection.

Is that a new modem? I think some of those Belkins come with router/firewall functionality. Can you get to the login page of the Belkin? If so, log in and check in there to see if any ports are being blocked. Or you could try telnetting to a port on it (telnet ip port).
zephyr_hex (Megan), Developer, Author, commented:
All equipment has been in use, with no changes, for over a year.

The VPN was down, but internet was not.
I could not get a login page from the Belkin, but I could ping it. I suspect the ISP has blocked login since the appliance is theirs.

I ended up resolving the issue by disabling the IKE Dead Client Detection option. It was set to 60 seconds with 3 attempts. I just totally disabled it and the VPN came up.

I think their internet service has slowed to such a crawl that the handshake responses were timing out. The ISP is working on the speed issue. In the meantime, it seems that disabling the dead client detection has stopped it from timing out due to slow response times.
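The workaround above trades one failure mode for another: dead peer detection exists so that a tunnel whose peer has silently vanished is torn down and renegotiated instead of black-holing traffic, and switching it off removes that safety net for every tunnel that uses the setting. The following is an added example, not code from the original thread or from SonicWALL, that models a simplified consecutive-miss detector with the 60 seconds / 3 attempts values the poster described and runs the same peer-response patterns through the enabled and disabled configurations side by side. The model (a probe is "missed" when the reply arrives later than the probe interval, and the miss counter resets on any timely reply) and the function names are assumptions for illustration; it is not SonicWALL's implementation, and real IKE DPD (RFC 3706) probes on demand rather than on a fixed schedule.

```python
# Simplified model of IKE dead peer detection (an assumption for illustration,
# not SonicWALL's implementation): one liveness probe per interval, a reply that
# takes longer than the interval counts as a miss, a timely reply resets the
# miss counter, and max_attempts consecutive misses declare the peer dead.


def dpd_declares_dead(reply_delays_s, interval_s=60, max_attempts=3, enabled=True):
    """Return (declared_dead, probe_index) for a sequence of probe reply delays.

    reply_delays_s: seconds until each probe's acknowledgement arrives, or None
    when the peer never answers that probe at all.
    """
    if not enabled:
        # With detection off nothing is ever declared dead, whatever the peer does.
        return False, None
    misses = 0
    for i, delay in enumerate(reply_delays_s):
        if delay is None or delay > interval_s:
            misses += 1
            if misses >= max_attempts:
                return True, i
        else:
            misses = 0
    return False, None


# Constructed peer behaviours used to compare the two configurations.
SCENARIOS = {
    # A live but badly congested peer: every reply is slower than the interval.
    "slow_link": [70, 65, 80, 75],
    # A live peer with one good reply in the middle: the counter resets once.
    "intermittent": [70, 10, 70, 70, 70],
    # A peer that has genuinely gone away: no replies at all.
    "dead_peer": [None, None, None, None],
}


def compare(scenario, interval_s=60, max_attempts=3):
    """Describe what the tunnel does under DPD enabled vs disabled for one scenario."""
    delays = SCENARIOS[scenario]
    peer_alive = any(d is not None for d in delays)
    with_dpd, at = dpd_declares_dead(delays, interval_s, max_attempts, enabled=True)
    no_dpd, _ = dpd_declares_dead(delays, enabled=False)
    return {
        "peer_alive": peer_alive,
        # Enabled: the tunnel is torn down at the probe that hit the threshold.
        "dpd_enabled": f"torn down at probe {at}" if with_dpd else "stays up",
        # Disabled: a live-but-slow peer is fine, a dead peer is never noticed.
        "dpd_disabled": "stays up" if not no_dpd else "torn down",
        "risk_when_disabled": (not peer_alive) and (not no_dpd),
    }


if __name__ == "__main__":
    for name in SCENARIOS:
        print(name, compare(name))
```

For a congested but live link the enabled detector tears the tunnel down, which matches what the poster saw, and disabling it keeps the tunnel up. For the dead-peer scenario the disabled configuration reports `risk_when_disabled`, since the stale SA would sit there until its lifetime expires. A less blunt adjustment, once the model is checked against the vendor's actual behaviour, is to raise the interval or the attempt count rather than switch detection off entirely.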
David Scott, MCSE, Network Administrator, commented:
Glad to hear you got it working.
zephyr_hex (Megan), Developer, Author, commented:
Ha. As with many things in the IT world, it was only temporary.
It went down again.
Have been working with the ISP because I'm pretty sure this is their issue. They are replacing their modem and may have to clear the line of static...
