Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Sonicwall TZ210 DH group reverts from 2 to 1

Posted on 2013-11-21
11
Medium Priority
?
460 Views
Last Modified: 2013-12-11
My sonicwall TZ210 periodically changes the DH group from 2 to 1 on one of the VPN connections. Is there a reason why?
0
Comment
Question by:penguins_rule
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 3
11 Comments
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39666748
What is the client using to connect to the SonicWall VPN?

Do you have "Enable Perfect Forward Secrecy" enabled?
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39667941
Hi penguins_rule,

Upgrade the firmware and retest.
0
 
LVL 1

Author Comment

by:penguins_rule
ID: 39669500
Client has a Cisco ASA 5505
Enable Perfect Forward Secrecy is not enabled
Current firmware version is SonicOS Enhanced 5.5.1.0-5o

It's not convenient to upgrade the firmware unless it is really necessary.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 13

Expert Comment

by:Ugo Mena
ID: 39669821
Are you using Certificates or a preshared secret for IKE Policy?

Do you know what version ASA release client is running?

In general, I think you have an IKEv2 policy that is falling back to IKEv1 due to an IKEv2 incompatible device...
0
 
LVL 1

Author Comment

by:penguins_rule
ID: 39669900
The connection works fine for several weeks at a time.
Then the DH Group reverts back to 1 on the Sonicwall. The client using the Cisco ASA 5500 cannot connect until the Sonicwall is changed back to DH group 2

Using IKE preshared key
ASA release client is not readily attainable
0
 
LVL 13

Accepted Solution

by:
Ugo Mena earned 1000 total points
ID: 39670322
I was under the assumption that your Site to Site VPN was still working through the DH Group change and figured it might be an IPSEC negotiated fallback to IKEv1.
 
After looking into release notes for your specific firmware version, I will second diverseit's recommendation to upgrade the firmware.

Version 5.9.0.1-100o is the current version for TZ200 series, released Sept 5, 2013.

Version 5.5.1.0-5o was released Oct 5, 2009 and was determined to have a variety of Known Issues with VPN's specifically.

Nothing calls out your DH group change issue outright, but it seems like the most likely cause at this point is the firmware version.
0
 
LVL 26

Assisted Solution

by:Blue Street Tech
Blue Street Tech earned 1000 total points
ID: 39670428
It's not convenient to upgrade the firmware unless it is really necessary.
It's not only a Best Practice to keep your firmware up-to-date but it's a very simple process even in a production environment - total downtime 1-2m - do it over lunch. The current firmware release is 5.9.0.2-107o - you should backup your settings and upgrade to that. The reason to do this is it fixes any bugs and/or compatibility issues that may exist - your firmware is heavily out of date.

Are you seeing anything in the logs talking about IKE Responder: IKE proposal does not match (Phase 1), or IKE Responder: IPSec Proposal does not match (Phase 2)?

The initiating SonicWALL sent an IPSec proposal that does not match the responding SonicWall during Phase 2 negotiations. There should be an additional error message in the responder log specifying the proposal item that did not match.

Sometimes you will see this error when you have a site-to-site VPN in Aggressive mode. In this setup, it usually means the name of the VPN SA was not the same as the Unique Firewall Identifier (UFI) of the device on the other side. Each side must be the same as the UFI of the device on the opposite end.

Let me know how it goes!
0
 
LVL 1

Author Comment

by:penguins_rule
ID: 39675001
thanks for your help. I will schedule an upgrade to the firmware. it may take a few weeks, i will post how it goes.
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39675006
No problem...we'll be here for you!
0
 
LVL 1

Author Comment

by:penguins_rule
ID: 39708601
upgraded the firmware to the current version. On the reboot with current firmware, the DH group was changed from 2 to 1. I will have to wait and see if it changes again.
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39712359
That is nothing to worry about on the onset. Sometimes for compatibility reasons settings slightly change especially when going from deprecated firmware versions to new core releases.

I'd change it all to DH2 and then restart the SonicWALL. Everything should be OK thereafter.

Let me know how it goes!
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question