Failed VPN on Sonicwall to Cisco

Tarkisal asked:

I am getting an error I have never seen before on my firewall. I'm trying to establish a tunnel from my Sonicwall NSA 3500 to a Cisco ASA. It establishes Phase 1 fine but then it tries and immediately fails to connect to Phase 2. The message I get is:
Deleting IPsec SA (Phase 2) and then "Incompatible with older firmware" in the notes. Both devices are on the latest general firmware releases so I'm not sure why I would be getting this error. These devices were linked at one point in the past but that connection was removed. Now they need to be connected again. I have several other tunnels working properly on my device at this time.

Please see attached file for specific log error (attachment: sonicwall.jpg).
Blue Street Tech replied:

Hi Tarkisal,

Most likely a mismatch of SA lifetime. The IPSEC is hardwired to an SA lifetime of 28800 seconds.

Reset the Lifetime value for both Phase 1 & 2, in the Proposals tab of the GroupVPN Policy, to 28800, and let me know if that resolves the issue.

Also, make sure Enable Keep Alive is checked in the Advanced tab.
Tarkisal (asker) replied:

Thanks for the response. I changed the lifetime down to 3600 and reset the tunnel but I'm still getting that same error. The other party's device has a default of something higher - I think it's like 86400 seconds. I had tried setting mine to that number but the error remained.
Blue Street Tech: Has anything changed regarding the proposals on either end? The Lifetimes should definitely match, so make them match at either 86400 or 28800. Also, make sure Enable Keep Alive is checked in the Advanced tab.

Tarkisal (asker): The proposals are the same. I believe it may have something to do with a NAT setup on the remote client's side. When they give me the NAT address starting with 172.30 I can't access it and I get that error message listed above. However, when he gives me a direct number starting with 10.88 the tunnel shows as up and I don't get that error.

Blue Street Tech: Are you listing the Default Gateway correctly in both tunnels?
ASKER CERTIFIED SOLUTION

Tarkisal (asker):

This solution is only available to members.
Though the responses I got were very helpful they did not touch on the right solution. This was most likely due to not enough information available.
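The advice in the thread (make both peers' Phase 2 proposals and lifetimes identical) and the asker's observation that the tunnel only comes up when the remote side presents its 10.88 network rather than the 172.30 NAT address both reduce to one check: every Phase 2 parameter, including the proxy IDs (traffic selectors), has to agree on both ends, and the selectors are mirrored (what the SonicWall calls the remote network is what the ASA's crypto ACL must call local). The script below is an added example written for this page, not code from the thread, SonicWall or Cisco. It compares two hand-constructed Phase 2 configurations and lists every field that disagrees; the peer names, networks, algorithm vocabulary and the `Phase2` dataclass are all assumptions made for the example.

```python
"""Phase 2 (IPsec SA) parameter checker for a SonicWall-to-ASA tunnel.

Added example for this thread, not vendor code. Both peers' settings are
constructed by hand as dataclasses using one shared vocabulary for
algorithm names; mapping vendor-specific names (e.g. an ASA transform set
"esp-aes-256") onto that vocabulary is left to the caller.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Phase2:
    peer: str
    encryption: str               # e.g. "aes256"
    integrity: str                # e.g. "sha1"
    pfs_group: Optional[int]      # DH group used for PFS, None if PFS is off
    lifetime_s: int               # IPsec SA lifetime in seconds
    local_nets: Tuple[str, ...]   # networks this peer protects (its proxy IDs)
    remote_nets: Tuple[str, ...]  # networks it expects behind the other peer


def _nets(cidrs: Tuple[str, ...]):
    """Parse CIDR strings so 10.88.5.1/24 and 10.88.5.0/24 compare equal."""
    return frozenset(ipaddress.ip_network(c, strict=False) for c in cidrs)


def compare_phase2(a: Phase2, b: Phase2) -> List[str]:
    """Return a list of mismatch descriptions; an empty list means the
    Phase 2 settings are compatible as far as this check can tell."""
    problems = []
    if a.encryption.lower() != b.encryption.lower():
        problems.append(f"encryption: {a.peer}={a.encryption} {b.peer}={b.encryption}")
    if a.integrity.lower() != b.integrity.lower():
        problems.append(f"integrity: {a.peer}={a.integrity} {b.peer}={b.integrity}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS group: {a.peer}={a.pfs_group} {b.peer}={b.pfs_group}")
    if a.lifetime_s != b.lifetime_s:
        # Many IKEv1 stacks simply use the shorter lifetime, but the thread's
        # advice is to make them identical, so report any difference.
        problems.append(f"lifetime: {a.peer}={a.lifetime_s}s {b.peer}={b.lifetime_s}s")
    # Traffic selectors are mirrored: what A calls local, B must call remote.
    if _nets(a.local_nets) != _nets(b.remote_nets):
        problems.append(
            f"proxy IDs: {a.peer} local {sorted(map(str, _nets(a.local_nets)))} "
            f"!= {b.peer} remote {sorted(map(str, _nets(b.remote_nets)))}")
    if _nets(a.remote_nets) != _nets(b.local_nets):
        problems.append(
            f"proxy IDs: {a.peer} remote {sorted(map(str, _nets(a.remote_nets)))} "
            f"!= {b.peer} local {sorted(map(str, _nets(b.local_nets)))}")
    return problems


# Constructed sample settings (not the thread's real configurations).
SONICWALL = Phase2("sonicwall", "aes256", "sha1", 2, 3600,
                   local_nets=("192.0.2.0/24",),
                   remote_nets=("172.30.10.0/24",))  # NATted address given by the remote admin

# ASA as first described: its real 10.88 network behind the NAT, longer lifetime.
ASA_REAL = Phase2("asa", "aes256", "sha1", 2, 86400,
                  local_nets=("10.88.5.0/24",),
                  remote_nets=("192.0.2.0/24",))

# ASA once its crypto ACL presents the 172.30 network and the lifetime is aligned.
ASA_ALIGNED = Phase2("asa", "aes256", "sha1", 2, 3600,
                     local_nets=("172.30.10.0/24",),
                     remote_nets=("192.0.2.0/24",))


if __name__ == "__main__":
    for asa in (ASA_REAL, ASA_ALIGNED):
        issues = compare_phase2(SONICWALL, asa)
        print(f"{asa.peer} lifetime={asa.lifetime_s}s: "
              + ("OK" if not issues else "; ".join(issues)))
```

Run as-is it reports a lifetime and a proxy-ID mismatch for the first ASA configuration and nothing for the second. On real devices the values come from the SonicWall policy's Proposals and Network tabs and from the ASA's transform set, crypto map lifetime and crypto ACL; since a lifetime difference alone is commonly negotiated down to the shorter value, a Phase 2 that still fails after the lifetimes are equal is more likely to be a selector or NAT problem than a lifetime problem, which is what the check's last two comparisons surface.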