Failed VPN on Sonicwall to Cisco

Posted on 2014-02-10
Medium Priority
Last Modified: 2014-02-19
I am getting an error I have never seen before on my firewall. I'm trying to establish a tunnel from my Sonicwall NSA 3500 to a Cisco ASA. It establishes Phase 1 fine, but then it tries and immediately fails to connect on Phase 2. The message I get is:
"Deleting IPsec SA (Phase 2)" and then "Incompatible with older firmware" in the notes. Both devices are on the latest general firmware releases, so I'm not sure why I would be getting this error. These devices were linked at one point in the past, but that connection was removed. Now they need to be connected again. I have several other tunnels working properly on my device at this time.

Please see attached file for specific log error.
Question by: Tarkisal
LVL 26

Expert Comment

by: Blue Street Tech
ID: 39848554
Hi Tarkisal,

Most likely a mismatch of SA lifetime. The IPSEC is hardwired to an SA lifetime of 28800 seconds.

Reset the Lifetime value for both Phase 1 & 2, in the Proposals tab of the GroupVPN Policy, to 28800, and let me know if that resolves the issue.

Also, make sure Enable Keep Alive is checked in the Advanced tab.

Author Comment

ID: 39848575
Thanks for the response. I changed the lifetime down to 3600 and reset the tunnel but I'm still getting that same error. The other party's device has a default of something higher - I think it's like 86400 seconds. I had tried setting mine to that number but the error remained.
LVL 26

Expert Comment

by: Blue Street Tech
ID: 39848584
Has anything changed regarding the proposals on either end? The Lifetimes should definitely match, so make them match at either 86400 or 28800. Also, make sure Enable Keep Alive is checked in the Advanced tab.
Author Comment

ID: 39854557
The proposals are the same. I believe it may have something to do with a NAT setup on the remote client's side. When they give me the NAT address starting with 172.30, I can't access it and I get that error message listed above. However, when he gives me a direct number starting with 10.88, the tunnel shows as up and I don't get that error.
LVL 26

Expert Comment

by: Blue Street Tech
ID: 39859791
Are you listing the Default Gateway correctly in both tunnels?

Accepted Solution

Tarkisal earned 0 total points
ID: 39859800
We finally figured out the problem. The configuration was wrong on the remote site. It turned out to be built in the wrong order, which caused the issue. The admin had built the crypto map first and the static NAT after, and for whatever reason this caused the error. By reversing this process it connected normally. I still don't know what the original firmware error was from; perhaps it was because it saw a problem with the configuration?

In any case thanks to everyone for their help.
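As an added illustration, not code from this thread or from either vendor, the small Python checker below lists Phase 2 mismatches between two IPsec peers. It covers both the point raised earlier in the thread (lifetimes on the two ends should agree) and the condition the accepted answer describes (the remote side's crypto map offering a different address than the local side expects, because NAT was applied in the wrong order). The field names, the helper `compare_phase2`, and the sample networks (192.0.2.0/24, 172.30.10.0/24, 10.88.5.0/24) and peer configurations are this example's own assumptions, constructed to mirror the symptoms described above rather than taken from any real configuration.

```python
"""Compare the Phase 2 (IPsec SA) settings of two VPN peers and list mismatches.

Example code for illustration; not a SonicWall or Cisco tool. All field names,
sample addresses and peer definitions below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Phase2Side:
    """One peer's Phase 2 proposal plus the traffic selectors it will accept."""
    name: str
    encryption: str                   # e.g. "aes256"
    integrity: str                    # e.g. "sha1"
    pfs_group: Optional[int]          # Diffie-Hellman group for PFS, None if PFS is off
    lifetime_seconds: int             # IPsec SA lifetime
    local_networks: Tuple[str, ...]   # networks this peer protects
    remote_networks: Tuple[str, ...]  # networks it expects behind the other peer


def _nets(cidrs: Tuple[str, ...]) -> FrozenSet[ipaddress._BaseNetwork]:
    """Normalise CIDR strings so that '10.88.5.1/24' and '10.88.5.0/24' compare equal."""
    return frozenset(ipaddress.ip_network(c, strict=False) for c in cidrs)


def compare_phase2(a: Phase2Side, b: Phase2Side) -> List[str]:
    """Return human-readable mismatches; an empty list means the two ends agree.

    Algorithms, PFS and lifetime are compared directly. Traffic selectors must
    mirror each other: whatever A calls "remote" must be exactly what B calls
    "local", and vice versa. A peer that offers a host's direct address while
    the other side expects its NAT address fails this check.
    """
    problems: List[str] = []
    if a.encryption.lower() != b.encryption.lower():
        problems.append(f"encryption: {a.name}={a.encryption} {b.name}={b.encryption}")
    if a.integrity.lower() != b.integrity.lower():
        problems.append(f"integrity: {a.name}={a.integrity} {b.name}={b.integrity}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"pfs: {a.name}={a.pfs_group} {b.name}={b.pfs_group}")
    if a.lifetime_seconds != b.lifetime_seconds:
        problems.append(
            f"lifetime: {a.name}={a.lifetime_seconds}s {b.name}={b.lifetime_seconds}s")
    if _nets(a.remote_networks) != _nets(b.local_networks):
        problems.append(
            f"selector: {a.name} remote {sorted(map(str, _nets(a.remote_networks)))} "
            f"!= {b.name} local {sorted(map(str, _nets(b.local_networks)))}")
    if _nets(a.local_networks) != _nets(b.remote_networks):
        problems.append(
            f"selector: {a.name} local {sorted(map(str, _nets(a.local_networks)))} "
            f"!= {b.name} remote {sorted(map(str, _nets(b.remote_networks)))}")
    return problems


# Constructed sample peers (assumptions, not the thread's real configurations).
# The local side was given the remote host's NAT address (172.30.x), while the
# remote peer's crypto map still presents the host's direct address (10.88.x),
# and the two lifetimes differ as they did in the thread.
SONICWALL = Phase2Side("sonicwall", "aes256", "sha1", 2, 3600,
                       local_networks=("192.0.2.0/24",),
                       remote_networks=("172.30.10.0/24",))
ASA_BROKEN = Phase2Side("asa", "aes256", "sha1", 2, 86400,
                        local_networks=("10.88.5.0/24",),
                        remote_networks=("192.0.2.0/24",))
# The same peer after the remote admin rebuilt NAT before the crypto map and
# matched the lifetime: it now offers the NAT address the local side expects.
ASA_FIXED = Phase2Side("asa", "aes256", "sha1", 2, 3600,
                       local_networks=("172.30.10.0/24",),
                       remote_networks=("192.0.2.0/24",))


if __name__ == "__main__":
    for peer in (ASA_BROKEN, ASA_FIXED):
        mismatches = compare_phase2(SONICWALL, peer)
        print(f"{SONICWALL.name} <-> {peer.name}: {mismatches or 'OK'}")
```

Running the block prints two lines: the broken pairing reports a lifetime mismatch and a selector mismatch, and the fixed pairing reports OK. The selector comparison is the part worth keeping in a troubleshooting kit, because a Phase 2 failure with a clean Phase 1, as in this thread, is very often a proxy-ID/traffic-selector disagreement rather than a cryptographic one.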

Author Closing Comment

ID: 39869815
Though the responses I got were very helpful they did not touch on the right solution. This was most likely due to not enough information available.
