We are having a strange error logged on the SonicWall TZ170 we use at our main office. We have a remote office which uses a SonicWall TZ150. We use the TZ series devices to protect traffic between the sites via IPSec tunnels. Both devices seem to indicate that the tunnels are established without issue, and we can get traffic over the VPN without any problems. However, we have noticed the following errors repeating several times an hour. They are only logged on the TZ170 unit. The errors are as follows:
01/09/2006 19:22:28.464 IKE Responder: IPSec proposal does not match (Phase 2) <Remote_WAN_IP>, <Remote_WAN_IP>.skyriver.net <Main_WAN_IP>, <Main_WAN_IP>.orange.nextweb.net 192.168.123.77/32 -> 192.168.100.0/24
01/09/2006 19:22:28.464 IKE Responder: No match for proposed remote network address <Remote_WAN_IP>, <Remote_WAN_IP>.skyriver.net <Main_WAN_IP>, <Main_WAN_IP>.orange.nextweb.net 192.168.123.77/32
What is interesting is that 192.168.100.0/24 is the correct subnet for the main office (where the TZ170 is located) but the other LAN subnet identified in the first log message above (192.168.123.77/32) is NOT actually in use ANYWHERE in our WAN. The remote office is on the 192.168.98.0/24 subnet.
Another fact of possible relevance is that at both locations, we use wireless broadband for our network connectivity. SkyRiver is a subsidiary of NextWeb, and they have said they do not know what might be causing this issue, but they claim that they do not believe it is related to their portion of the system.
We have another remote site, the CEO's home office, that uses an identical TZ150 to the one at the remote office. It also connects to the TZ170 at the main office, using a different, but very similarly configured IPSec policy. The broadband connectivity at that location is via residential cable modem via Adelphia, and we never see any errors like those above that reference the WAN IP at the CEO's house. The subnet at the CEO's home office is 192.168.99.0/24.
All of the IPSec tunnels are main mode, with endpoints identified by IP address (not DNS names) and use preshared keys. We are not using the GroupVPN capability, and in fact it is disabled on all SonicWall endpoints.
I can provide any other information requested, but mostly I am interested to see if anyone has ever seen anything like this. All TZ units are running SonicOS Standard, current firmware. Any guidance is appreciated!
Regards,
Bill
01/09/2006 19:22:28.464 IKE Responder: IPSec proposal does not match (Phase 2) <Remote_WAN_IP>, <Remote_WAN_IP>.skyriver.net <Main_WAN_IP>, <Main_WAN_IP>.orange.nextweb.net 192.168.123.77/32 -> 192.168.100.0/24
01/09/2006 19:22:28.464 IKE Responder: No match for proposed remote network address <Remote_WAN_IP>, <Remote_WAN_IP>.skyriver.net <Main_WAN_IP>, <Main_WAN_IP>.orange.nextweb.net 192.168.123.77/32
What is interesting is that 192.168.100.0/24 is the correct subnet for the main office (where the TZ170 is located) but the other LAN subnet identified in the first log message above (192.168.123.77/32) is NOT actually in use ANYWHERE in our WAN. The remote office is on the 192.168.98.0/24 subnet.
Another fact of possible relevance is that at both locations, we use wireless broadband for our network connectivity. SkyRiver is a subsidiary of NextWeb, and they have said they do not know what might be causing this issue, but they claim that they do not believe it is related to their portion of the system.
We have another remote site, the CEO's home office, that uses an identical TZ150 to the one at the remote office. It also connects to the TZ170 at the main office, using a different, but very similarly configured IPSec policy. The broadband connectivity at that location is via residential cable modem via Adelphia, and we never see any errors like those above that reference the WAN IP at the CEO's house. The subnet at the CEO's home office is 192.168.99.0/24.
All of the IPSec tunnels are main mode, with endpoints identified by IP address (not DNS names) and use preshared keys. We are not using the GroupVPN capability, and in fact it is disabled on all SonicWall endpoints.
I can provide any other information requested, but mostly I am interested to see if anyone has ever seen anything like this. All TZ units are running SonicOS Standard, current firmware. Any guidance is appreciated!
Regards,
Bill
