05-20-2011 12:02 PM
I followed the instructions at http://www.fuzeqna.com/sonicwallkb/consumer/kbdeta
On both the SonicWall and the Juniper the tunnels show as up. On the Juniper it shows active and link as up. The command get sa shows the status as a/u.
I realize the instructions above are for a Juniper with a slightly different OS version, but I followed them as best I could.
Does anyone have any ideas, or troubleshooting steps I should take?
05-20-2011 03:38 PM
I have about 50 SonicWall to SSG tunnels running fine, so they do work together. From the sound of the symptoms there is probably something wrong with the policies on one or both sides. Here are a few thoughts.
I notice the instructions tell you to use the all local subnets object in the SonicWall addresses. This can create multiple local network objects for the tunnel. You probably want to use the LAN primary subnet object as a single address. Be sure not to pick the LAN primary IP, which is just the interface address.
I also notice they have an explicit proxy ID configured on the SonicWall policy. I never use those and just leave it blank.
On the SSG side confirm the address objects have the correct networks and in the right zones.
Here is the troubleshooting tree for a VPN that comes up and does not pass traffic. You are using a policy VPN in the tech note you list.
05-20-2011 04:19 PM
I assume you mean the Peer IKE ID? I don't see a proxy ID on the SonicWall.
I'm not sure what you mean when you say I should use the "LAN primary subnet object as a single address". The only choices I see are LAN subnets and the LAN interface IP. Should I create a new address object?
05-20-2011 04:31 PM
Sorry about that, yes I meant peer not proxy.
05-21-2011 08:42 AM
What about "LAN primary subnet object as a single address"? I don't quite understand what you mean, since by definition a subnet is a range of IP addresses and not a single address.
05-21-2011 11:34 AM
SonicWall Enhanced OS uses address objects (single address notation) and address groups (which contain multiple address objects).
LAN Primary Subnet is an address object that is automatically set to the address range assigned to the LAN.
LAN Subnets is a group that automatically contains LAN Primary Subnet and any other locally configured LANs on the firewall. So this may or may not be just the single address assigned to the primary LAN. If there are multiple addresses in this group you will get multiple proxy-ID pairs on the SonicWall side but only the single pair presented on the SSG side.
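To make the proxy-ID point concrete, here is an added illustration (not code from either poster or from SonicWall/Juniper): it models the pairs a SonicWall offers when its policy's local network is an address group, and compares them with the single pair an SSG policy-based VPN expects. The group members and subnets are constructed sample values.

```python
from ipaddress import ip_network

# Constructed sample values (not from the thread). The SonicWall "LAN Subnets"
# group happens to hold two member objects; the SSG policy names one local
# and one remote network, so it presents exactly one proxy-ID pair.
SONICWALL_LOCAL_GROUP = {
    "LAN Primary Subnet": "192.168.10.0/24",
    "X2 Subnet": "192.168.20.0/24",
}
SONICWALL_REMOTE = "10.0.0.0/24"

SSG_LOCAL = "10.0.0.0/24"
SSG_REMOTE = "192.168.10.0/24"


def sonicwall_proxy_ids(local_members, remote):
    """One (local, remote) proxy-ID pair per member of the local address group."""
    return {(ip_network(n), ip_network(remote)) for n in local_members.values()}


def ssg_proxy_id(ssg_local, ssg_remote):
    """The SSG's single pair, rewritten from the SonicWall's point of view:
    the SSG's remote network is the SonicWall's local network and vice versa."""
    return (ip_network(ssg_remote), ip_network(ssg_local))


def diagnose(local_members, remote, ssg_local, ssg_remote):
    """Return (expected_pair_is_offered, pairs_with_no_SSG_counterpart).

    Phase 2 proxy-IDs have to match exactly, so every extra pair the SonicWall
    offers fails negotiation while the matching one can still come up, which
    is how a tunnel can show "up" yet traffic for the other subnets never flows.
    """
    offered = sonicwall_proxy_ids(local_members, remote)
    expected = ssg_proxy_id(ssg_local, ssg_remote)
    extra = sorted(p for p in offered if p != expected)
    return expected in offered, extra


if __name__ == "__main__":
    matched, extra = diagnose(SONICWALL_LOCAL_GROUP, SONICWALL_REMOTE, SSG_LOCAL, SSG_REMOTE)
    print("SSG pair offered by SonicWall:", matched)
    for local, remote in extra:
        print(f"no SSG counterpart for proxy-ID {local} <-> {remote}")
```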
05-23-2011 08:40 AM
OK, I understand what you're saying. However, there is no LAN Primary Subnet as an address object. I only have one subnet in the office anyhow.
Actually, I was able to get the VPN to work by moving the VPN policy on my SSG to the top, and now everything looks good.
Thanks for your help!