tamaneri

Sonicwall to Sonicwall VPN - half working

Hey guys.

I have a hardware to hardware SonicWALL vpn configured. It was working fine for the past month. Client calls me up and tells me they can't access one of the servers on the remote network. I am able to communicate over the VPN, just not to a particular IP address on the remote network.

One of the VPN connection logs states that everything is fine. However, the other firewall has errors like this:

1  03/31/2011 10:17:51.336 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA  
2  03/31/2011 10:17:51.336 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:  
3  03/31/2011 10:17:51.336 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20  
4  03/31/2011 10:17:51.336 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500  


First of all, the IP 68.236.208.20 I do not recognize at all. I have no idea how that IP got into this equation. Again, despite these errors, I am able to ping the other firewall over the VPN and ping/connect to a server with internal IP 198.176.10.250. But I cannot communicate with 198.176.10.253 which is the server I really need to communicate with.

Anyone have any ideas? Shit is stupid.
tamaneri

ASKER

For instance in the logs it states: VPN policy does not exist for peer IP address: 68.236.208.20

That IP is not configured on either of my firewalls anywhere. It makes no sense. I have no idea where that IP is coming from!

My 2 firewalls have IPs: 75.99.107.170 and 67.151.199.98
Anyone have any ideas?

I'm assuming this could have something to do with the fact that I am using NAT, I just don't know how to resolve it...
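As an added example (not part of this thread), here is a small Python parser for the SonicWALL IKE log format quoted in the question, which flags IKE traffic arriving from addresses that are not one of your configured VPN peers and pulls out the "no VPN policy for peer" addresses. The two firewall addresses and the four sample log lines come from the posts above; the parsing regex, function names and the assumption that only the "VPN IKE" category is of interest are mine.

```python
import re
from collections import Counter

# One SonicWALL IKE log line as quoted in the question: index, date, time,
# priority, category, message, "src, port", "dst, port", optional detail.
LOG_RE = re.compile(
    r"^\s*\d+\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>[\d:.]+)\s+"
    r"(?P<priority>Error|Warning|Info|Alert|Notice|Debug)\s+"
    r"(?P<category>VPN IKE)\s+(?P<message>.*?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}),\s*(?P<dport>\d+)\s*(?P<detail>.*?)\s*$"
)

def parse_ike_log(text):
    """Return one dict per SonicWALL IKE log line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def unexpected_initiators(events, known_peers):
    """Count IKE events per source address that is not a configured VPN peer."""
    return Counter(e["src"] for e in events if e["src"] not in known_peers)

def phase1_mismatches(events):
    """Events where this firewall, acting as responder, rejected the Phase 1 proposal."""
    return [e for e in events if "proposal does not match" in e["message"]]

def no_policy_for_peer(events):
    """Peer addresses the firewall reports having no VPN policy for."""
    return {e["detail"].rsplit(": ", 1)[1] for e in events
            if e["detail"].startswith("VPN policy does not exist for peer IP address")}

# Constructed sample: the four entries quoted in the question.
SAMPLE_LOG = """
1  03/31/2011 10:17:51.336 Error VPN IKE Payload processing failed 68.236.208.20, 500 75.99.107.170, 500 Payload Type: SA
2  03/31/2011 10:17:51.336 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 68.236.208.20, 500 75.99.107.170, 500 VPN Policy:
3  03/31/2011 10:17:51.336 Warning VPN IKE IKE Responder: Proposed IKE ID mismatch 68.236.208.20, 500 75.99.107.170, 500 VPN policy does not exist for peer IP address: 68.236.208.20
4  03/31/2011 10:17:51.336 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 68.236.208.20, 500 75.99.107.170, 500
"""
# The two firewalls named in the thread; any other IKE source is unexpected.
KNOWN_PEERS = {"75.99.107.170", "67.151.199.98"}

if __name__ == "__main__":
    evs = parse_ike_log(SAMPLE_LOG)
    for peer, n in unexpected_initiators(evs, KNOWN_PEERS).items():
        print(f"{n} IKE event(s) from {peer}, which is not a configured VPN peer")
    print("Phase 1 proposal mismatches:", len(phase1_mismatches(evs)))
```

Run against the four quoted lines it reports four events from 68.236.208.20 and one Phase 1 proposal mismatch, which separates a stray third-party initiator from a fault in the tunnel between the two configured peers.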
Carl Dula
The 68.236.208.20 address is on a Verizon net. Could just be in the route from site to site. If you drop the tunnel and reinitiate, is the problem the same?
Yes it is. Still able to communicate with the majority of the remote network, just not the particular internal IP I want to connect to. That particular internal address is using NAT on the firewall. But again, it's been working for well over a month; I don't understand why it would stop working without any changes having been made.

Is there something particular I need to do to communicate with that IP based on the fact that it does have a static public IP and also a few services (SMTP, POP3, etc.)?
I also completely recreated the tunnel. Same issue unfortunately.
Did you try pinging that one pc? Do the other services you mention still work?
The other services are still working properly. I have Ping enabled as a service... unable to ping it :(

My one firewall is 192.168.1.1 and I can ping the remote firewall 198.176.10.5.

From 198.176.10.5 I can ping 192.168.1.1.

One of our servers is 198.176.10.250 which I can ping 192.168.1.1 from, and from 192.168.1.1 I can ping/connect to 198.176.10.250.

Other server is 198.176.10.253 which I cannot ping 192.168.1.1 from, nor can I ping 198.176.10.253 from 192.168.1.1.

Makes no sense to me! Is it because I have a service configured for the 198.176.10.253 and a public IP configured for it?
Can you get someone at the other end on that PC to do the following:
1. Try to ping the firewall at their end
2. Try to ping the firewall at your end
3. Try to ping the system you are using

My guess is that the return route via the VPN tunnel has gone away.

You could also do a traceroute from your system to the subject PC, and see how far you get.
I am remotely connected to the server over there that I am having troubles with (the one I want to communicate with but cannot).

1) From the trouble server (198.176.10.253) I am able to ping the local 198.176.10.5 (firewall) without issue
2) From the trouble server (198.176.10.253) I am unable to ping 192.168.1.1 (remote firewall)
3) From working server (198.176.10.250) I am able to ping both 198.176.10.5 and 192.168.1.1
4) If I run a tracert from (198.176.10.253) I get 30 hops of timeouts.

There are many computers (198.176.10.150-170) that I am able to communicate with without issue as well from the 192.168.1.1 network.

I removed all of my services/access rules etc for 198.176.10.253 and the issue still remains.
A tracert from the PC I am on to 198.176.10.253 also gives me 30 hops of timeouts.
ASKER CERTIFIED SOLUTION
Carl Dula