Troubleshooting TZ 180 Configuration and Settings Issues
SonicWALL TZ 180 Recommends Guide
Symptom: General, Phase 1, and Phase 2 Settings All Seem Correct on Both Sides but It Still Does Not Negotiate
There may be something in between the two VPN devices that is blocking communication. This can be hard to determine, since portions of the network path between the two VPN devices may lie under the control of external parties.
If this is the case, verify that NAT Traversal is enabled on both SonicWALL security appliances, and that any firewall, router or NAT security appliance in between is configured to pass UDP port 500 and UDP port 4500. If one of the sides is not a SonicWALL security appliance, it is also necessary to open UDP port 500 and IP protocol 50 (ESP), since NAT Traversal may not negotiate with the third-party security appliance.
Symptom: The VPN Tunnel Negotiated and Both Sides Show the Tunnel as Up, but I Cannot Reach Anything on Either Side of the Tunnel from the Other Side
This problem can be the result of several factors, described below.
DHCP MTU Issues
If the SonicWALL security appliance WAN interface is receiving an IP address dynamically using DHCP, it may be necessary to lower the WAN interface MTU. DHCP is common among cable ISPs, and many of them require unconventionally low MTU settings.
Log into the SonicWALL security appliance management interface, navigate to the Network > Settings page, and click the Configure icon next to the WAN interface. On the page that displays, click the Ethernet tab, change the WAN MTU from 1500 to 1404, then click OK.
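Rather than guessing at a value, the largest MTU the ISP path actually passes can be measured with Don't-Fragment pings to the peer gateway. The script below is an added example, not part of the SonicWALL guide; it assumes Linux iputils ping (where -M do sets the DF bit; macOS and BSD use -D instead) and uses a placeholder peer address. The value it returns is the ceiling for the WAN MTU setting; the tunnel's own effective MTU is lower still because ESP adds its own headers.

```python
"""Find the largest IPv4 MTU that reaches a VPN peer without fragmentation.

Added example, not from the SonicWALL guide. Assumes Linux iputils ping
(-M do sets the Don't Fragment bit; macOS/BSD use -D instead).
"""
import subprocess
import sys
from typing import Callable

IPV4_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout: int = 1) -> bool:
    """Send one DF-flagged echo carrying `payload` data bytes.
    True if a reply came back; a 'message too long' error or a silent
    drop means the path MTU is below payload + IPV4_ICMP_OVERHEAD."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout),
           "-s", str(payload), host]
    result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def find_path_mtu(host: str, lo: int = 576, hi: int = 1500,
                  probe: Callable[[str, int], bool] = ping_df) -> int:
    """Binary-search the largest MTU in [lo, hi] whose DF probe succeeds.
    Returns 0 if even `lo` fails, which usually means ICMP is filtered
    on the path rather than an MTU problem."""
    if not probe(host, lo - IPV4_ICMP_OVERHEAD):
        return 0
    if probe(host, hi - IPV4_ICMP_OVERHEAD):
        return hi
    # Invariant from here on: lo passes, hi fails.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(host, mid - IPV4_ICMP_OVERHEAD):
            lo = mid
        else:
            hi = mid
    return lo


def main() -> None:
    # 203.0.113.1 is a documentation placeholder; pass the real peer WAN address.
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"
    mtu = find_path_mtu(host)
    if mtu == 0:
        print(f"No DF echo reply from {host} at all; ICMP may be filtered on the path.")
    else:
        print(f"Largest unfragmented MTU to {host}: {mtu}; set WAN MTU to {mtu} or lower.")


if __name__ == "__main__":
    main()
```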
User-Level Authentication
Check the Advanced settings for the VPN policy to ensure that this feature is off (there are two checkboxes: Require Authentication of Local Users and Require Authentication of Remote Users).
TCP Settings
Some applications do not work with the default TCP enforcement settings on the SonicWALL. It may be necessary to deactivate one or more of these settings on both sides of the VPN tunnel.
Log into the SonicWALL security appliance management interface. Modify the management interface URL from /main.html to /diag.html, which opens the Diagnostics Settings Menu. When this menu displays, click on the Internal Settings button to the left and uncheck the box next to Enable TCP Handshake Enforcement. Click the Apply button in the upper-right-hand corner, then click the Close button in the lower-left-hand corner to return to the management interface.
Note: In newer versions of SonicOS Standard, the checkbox for Enable TCP Handshake Enforcement is located on the Firewall > Advanced page.
Hardware Accelerated Cryptographic Miscalculations
If the VPN tunnel negotiates successfully but still does not pass traffic across the VPN tunnel, and the log is filled with IPSec Authentication Failed messages, the onboard hardware cryptographic acceleration chip may not be processing traffic correctly.
To remedy this, log into the SonicWALL security appliance management interface. Modify the management interface URL from /main.html to /diag.html, which opens the Diagnostics Settings Menu. When the menu displays, click on the Internal Settings button to the left. On this menu, uncheck the boxes next to Enable inbound VPN hardware acceleration (if available) and Enable outbound VPN hardware acceleration (if available).