Troubleshooting TZ 180 Configuration and Settings Issues 

SonicWALL TZ 180 Recommends Guide

If the SonicWALL security appliance logs display "NO_PROPOSAL_CHOSEN", "IKE proposal does not match", or "IKE negotiation aborted due to timeout", the Phase 1 settings are probably incorrectly set on one or both sides. Most settings in the Proposals tab of the VPN policy must exactly match on each side, and if they do not match exactly, the tunnel fails in Phase 1 and Phase 2. The exception to this rule is the Life Time setting; if these do not match, the VPN policy negotiates using the lower of the two settings. Figure 13 provides an example of Phase 1 settings.

Figure 13: VPN Policy Phase 1 Settings
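
The matching rule described above, as an added example that is not part of the SonicWALL guide: a Python script that compares the Phase 1 proposals recorded from both peers, applies the Life Time exception, and picks the three failure messages out of a log. The field names (exchange, dh_group, encryption, authentication, life_time), the proposal values and the log lines are assumptions constructed for illustration.

```python
# Added example: field names and sample values are assumptions, not from the guide.

# Settings that must match exactly on both sides (assumed field names).
EXACT_MATCH_FIELDS = ("exchange", "dh_group", "encryption", "authentication")

# Log messages the guide associates with a Phase 1 mismatch.
PHASE1_LOG_HINTS = ("NO_PROPOSAL_CHOSEN", "IKE proposal does not match",
                    "IKE negotiation aborted due to timeout")


def compare_phase1(local, remote):
    """Return (mismatches, effective_lifetime) for two proposal dicts."""
    mismatches = []
    for field in EXACT_MATCH_FIELDS:
        a, b = local.get(field), remote.get(field)
        # Ignore case and surrounding whitespace when comparing values.
        if str(a).strip().lower() != str(b).strip().lower():
            mismatches.append((field, a, b))
    # Life Time is the exception: the lower of the two values is negotiated.
    lifetime = min(int(local["life_time"]), int(remote["life_time"]))
    return mismatches, lifetime


def phase1_log_hits(log_lines):
    """Return the log lines that contain one of the Phase 1 failure messages."""
    return [line for line in log_lines
            if any(hint.lower() in line.lower() for hint in PHASE1_LOG_HINTS)]


# Constructed sample data (not from a real appliance).
SITE_A = {"exchange": "Main Mode", "dh_group": "Group 2", "encryption": "3DES",
          "authentication": "SHA1", "life_time": 28800}
SITE_B = {"exchange": "Main Mode", "dh_group": "Group 5", "encryption": "3DES",
          "authentication": "SHA1", "life_time": 3600}
SAMPLE_LOG = [
    "10:02:11 IKE Initiator: Start Main Mode negotiation (Phase 1)",
    "10:02:12 Received notify: NO_PROPOSAL_CHOSEN",
    "10:02:42 IKE negotiation aborted due to timeout",
]

if __name__ == "__main__":
    problems, lifetime = compare_phase1(SITE_A, SITE_B)
    for field, a, b in problems:
        print(f"MISMATCH {field}: local={a!r} remote={b!r}")
    print(f"Life Time negotiated to the lower value: {lifetime} s")
    for line in phase1_log_hits(SAMPLE_LOG):
        print("Phase 1 failure indicator:", line)
```
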

If you have implemented the troubleshooting solutions to this point with no success, there may be 
something between the two VPN devices that is blocking communication. If this is the case, verify that NAT 
Traversal is enabled on both SonicWALL security appliances, and that any firewall in between is set to pass 
UDP port 500 and UDP port 4500. If one of the sides is not a SonicWALL security appliance, it is necessary 
to open UDP port 500 and IP type 50, since NAT Traversal may not negotiate with the third-party security 
appliance.
