Solved

SonicWall VPN IKE Error Payload processing failed?

Posted on 2011-10-25
Last Modified: 2012-06-21
# Time Priority Category Message Source Destination Notes Rule
1 10/25/2011 10:08:45.784 Error VPN IKE Payload processing failed 65.118.219.216, 500 72.166.1.158, 500 VPN Policy: DataCenter; Payload Type: NOTIFY:

In my firewall, I am seeing this message over and over.

Our remote location tends to drop signal a lot, which led me to the firewall.
I am not sure if the above error is latency-driven or if I have a legitimate network debug error to resolve.

I checked VPN protocols and keys and they are identical.

Any ideas?

Question by:ParisBP
19 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 37029155
You should be seeing more VPN events within the logs. If you are not, then we probably need to increase the logging. To do so, go to Log > Categories. Make sure the logging level is Debug (which it is by default). Then, check the top box of each column to check everything. Then, save the settings and go back to the log. Based on the link below, you should see WHY the payload processing fails.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3817
0
 
LVL 33

Expert Comment

by:digitap
ID: 37029157
Oh, and if it is a bug, then you'll want to make sure you're at the latest firmware for both Sonicwalls.
0
 

Author Comment

by:ParisBP
ID: 37040971
I took your steps and of course, NO packets dropped now for some reason.

Will give it 24 hours and report back.

Thanks for the lead.
0
 
LVL 33

Expert Comment

by:digitap
ID: 37041191
Interesting. Then, it's possible the ISP was just having some trouble on the line. Maybe it won't come back.
0
 

Author Comment

by:ParisBP
ID: 37041215

That is what started me on this issue. Hoping there is a little tweak, but we do not have the best ISP connection at this location. It's not exactly in a "Techy" location.
0
 
LVL 33

Expert Comment

by:digitap
ID: 37041249
That may well be what the issue is. Is it DSL or Cable? Have you considered checking your MTU on the WAN interface? If it's wrong, you'll drop packets which may cause you issues. I wrote an article on finding this out with the SonicWall appliance and configuring it. See the link below.

http://bit.ly/peAVjT
0
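An added example, not part of the original thread or the linked article: one way to measure the path MTU toward the remote VPN peer from a Linux host behind the firewall, so the result can be compared with the MTU configured on the WAN interface. It assumes the iputils `ping` flags `-M do` (set Don't Fragment), `-s`, `-c` and `-W`; the function names and the 548 to 1472 byte search range are choices made for this sketch.

```python
import subprocess
import sys

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP header


def ping_df(host, payload, timeout_s=2):
    """Send one echo request with Don't Fragment set (Linux iputils ping)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(host, probe=ping_df, low=548, high=1472, retries=3):
    """Binary-search the largest ICMP payload that passes unfragmented.

    Returns the path MTU in bytes, or None if even the smallest probe
    fails (peer down, ICMP filtered, or the link is dropping right now).
    """
    def passes(size):
        # Retry each size so a single lost packet on a flaky link is
        # not mistaken for an MTU limit.
        return any(probe(host, size) for _ in range(retries))

    if not passes(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if passes(mid):
            low = mid        # mid fits; the limit is at or above it
        else:
            high = mid - 1   # mid needs fragmenting; the limit is below it
    return low + IP_ICMP_OVERHEAD


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: path_mtu.py <remote-peer-address>")
    mtu = find_path_mtu(sys.argv[1])
    print("no reply at the smallest probe size" if mtu is None
          else f"path MTU: {mtu} bytes")
```

A result below 1500 on a link where the WAN interface is still set to 1500 is the mismatch the comment above describes.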
 

Author Comment

by:ParisBP
ID: 37041262
It's a T1 1.5m so it really shouldn't drop. I will read the logs and look at your MTU suggestion.

Thanks some more.
0
 
LVL 33

Expert Comment

by:digitap
ID: 37041405
Yeah...you're right. T1 should be fine. The problem I've had with T1 connections is the speed duplex on the WAN. I had to set them static to something like Full/100MB.
0
 

Author Comment

by:ParisBP
ID: 37045390
We are set for full-duplex and still no errors since I added the full logs.
This is worse than fishing. Gotta wait it out.
0
 
LVL 33

Expert Comment

by:digitap
ID: 37045465
hehehe...indeed and I'll add that I'm not very good at fishing.
0
 

Author Comment

by:ParisBP
ID: 37045963
Ok. I am not seeing the payload issue, but somewhere in here we lost the connection.

Any ideas from this?
debug.docx
0
 
LVL 33

Expert Comment

by:digitap
ID: 37046313
I see some things, but I don't see where the VPN was re-negotiated. You should see where it goes through Phase 1 and Phase 2 negotiations. So, not seeing the VPN re-negotiate, I don't see right before that which might indicate why the VPN dropped.

I can see that you might be pinging between 130.100.0.8 and 192.168.3.25 over the VPN and back again. I also see that you have keep alive enabled on your VPN policy which is OK. Something to note about that specifically, you should only enable it on one policy and leave it disabled on the policy for the other end.
0
 

Author Comment

by:ParisBP
ID: 37046333
Like I said, I don't think we are dropping but am trying to split the hairs.

Enabling policy only on one side? Home base or remote?

Appreciate the help, as this isn't a straight resolution.
0
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 37046370
I understand. Re keep alive, if one end of the VPN has a DHCP configuration for the WAN interface, then you need to configure that end with keep alive. Obviously, the other end would be static and would not know when the WAN IP changed unless you were using DynDNS or something.

Anyway, if both ends are static, then you can simply choose whichever end you want. It really makes no difference. I'm offering knowledge about keep alive and not really certain that this will resolve the network drop issues.
0
 

Author Comment

by:ParisBP
ID: 37046383
Yeah, a tricky one. I think there isn't a clean solution, but will accept you walking all through this as the solution. :)

0
 

Author Closing Comment

by:ParisBP
ID: 37046387
Thanks,
0
 
LVL 33

Expert Comment

by:digitap
ID: 37046405
I certainly appreciate the points. If you have any additional questions about this particular issue (since it's not an exact solution), please don't hesitate to post back.
0
 

Author Comment

by:ParisBP
ID: 37046420
Will do... And actually the solution was to make sure it wasn't the firewall and we did that. LOL

Better than fishing !!
0
 
LVL 33

Expert Comment

by:digitap
ID: 37046510
indeed!
0
