Understanding and troubleshooting common log errors regarding IPSEC VPN policies and GVC

When troubleshooting a IPSEC VPN Policy either a Site to Site VPN, or Global VPN Client (GVC) connectivity the SonicWall Logs are an excellent source of information. The purpose of this article is to decrypt and examine the common Log messages regarding VPNs in order to provide more accurate information and give you an idea of where to look for a resolution to specific VPN issues. abc

NOTE: These Log Messages are based on the most up to date branches of SonicWall firmware, 5.9.X.X for generation 5 SonicWalls and 6.2.X.X for generation 6 SonicWalls. If you're on a Firmware below the recommended branches, please strongly consider upgrading.

• XAUTH Failed with VPN Client; Authentication Failure.
  This references failed Logins via GVC and indicates the User is providing an incorrect Username and/or Password.
  
  
• XAUTH Failed with VPN Client; Cannot contact RADIUS Server.
  The SonicWall cannot contact its listed RADIUS Server/s to verify the Users credentials.
  
  
• Global VPN Client License Exceeded; Connection Denied.
  The SonicWall has reached either its limit of Device GVC Connections, or its limit of Licensed GVC Connections.
  

  TIP: To view the amount of GVC Licensed Connections your device has navigate to System | Licenses and look for GVC.

• Blocked Quick Mode for Client using Default Key ID.
  This indicates the SonicWall is not allowing Phase 2 negotiation using Simple Keys. Deleting the GVC Connection on the Client (User Side) and re-adding it will resolve this.
  
  
• Global VPN Client connection is not allowed. Appliance is not registered.
• Indicates the SonicWall Appliance needs to be Registered prior to utilizing GVC.
  
  
• IKE Responder: IP address already exists in the DHCP Relay table. Client traffic not allowed.
  The GVC User/Client is attempting to use an IP Address that is already used in the SonicWall DHCP Relay Table. This is commonly encountered when using Static IPs for GVC Users, and can be resolved by not using the IP Address in the DHCP Relay Table, or by using DHCP for GVC connections.
  

  TIP:  You can view the DHCP Relay Table by navigating to VPN | DHCP over VPN | Configure.

• IKE Responder: %s Policy does not allow Static IP for Virtual Adapter.
  In this situation a GVC Client is attempting to use a Static IP Address when that configuration is not supported in the GVC Policy. Examine the GVC Policy under VPN | Settings and ensure Manual Configuration is selected on the Client tab under Virtual Adapter Settings.
  
  
• IKE Responder: IPSec Proposal does not match (Phase 2).
  In the case of a VPN Policy this indicates that the Phase 2 information doesn't match across the local and remote devices. Mismatched information can include any of the following:

• Local Networks
• Remote Networks
• Protocol Settings
• Encryption Settings
• Authentication Settings
• Perfect Forward Secrecy Settings
• Life Time
  

  CAUTION: Every setting must be an exact match on both sides of the VPN or the SonicWall will not create the Security Association. This includes Local and Remote Networks!

• IKE Responder: Mode %d ' Not Tunnel Mode.
  Indicates the Remote VPN device is attempting to use Transport Mode, SonicWall devices only support Tunnel Mode.
  
  
• IKE Responder: No matching phase 1 ID found for proposed remote network.
  IKE Responder: IKE proposal does not match (Phase 1)
  IKE ID mismatch %s
  IKE Phase 1 information doesn't match across the Local and Remote VPN Concentrators. This can include the following.

• Exchange Type
• DH Group
• Encryption Settings
• Authentication Settings
• Life Time

• IKE Responder: Proposed remote network 0.0.0.0 but not DHCP relay nor default route.
  This occurs when the GVC Client or VPN Peer is attempting to use Tunnel All / Route All Mode but the SonicWall isn't configured to do so.
  

  TIP: For information on setting up Tunnel All Mode for Site to Site VPNs reference How to configure Tunnel All Internet Traffic over Site to Site VPN.
  
  

  NOTE: For information on setting up Tunnel All Mode for GVC Users reference How to configure a 'Route all Traffic' WAN GroupVPN Policy.

• IKE Responder: No match for proposed remote network address.
  The Remote Peer is proposing a Phase 2 Destination Network that is not listed as a Local Network on the SonicWall.
  
  
• IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route.
  The Remote Peer is NOT proposing a Tunnel All Mode but the Local SonicWall is setup for Tunnel All Mode.
  

  TIP: For information on setting up Tunnel All Mode for Site to Site VPNs reference How to configure Tunnel All Internet Traffic over Site to Site VPN.
  
  

• IKE Responder: ESP Perfect Forward Secrecy mismatch.
  A Remote Peer is proposing Perfect Forward Secrecy but the settings are not correct on the SonicWall's VPN Policy.
  
  
• IKE Responder: Algorithms and/or keys do not match.
  A Remote Peer is proposing Encryption Settings that don't match the SonicWall's VPN Policy.
  
  
• IKE Initiator: Received notify. NO_PROPOSAL_CHOSEN.
  Indicates there is a mismatch of proposals during phase 1 or phase 2 negotiation between a site-to-site VPN.
  
  
• Received notify: INVALID_ID_INFO.
  IKE Phase 1 or Phase 2 Settings are mismatched between the SonicWall and the Remote Peer.
  
  
• Received notify: ISAKMP_AUTH_FAILED.
  The GVC Client entered the incorrect Pre-Shared Key, verify the Pre-Shared Key on the WANGroupVPN Settings.
  
  
• Received notify: PAYLOAD_MALFORMED.
  The SonicWall is unable to decrypt the IKE Packet. This is typically due to the following:

• There is significant latency or fragmentation on the connection.
• One side of the VPN is using the incorrect IKE Cookies; resetting the VPN Policies on both Peers will resolve this.

• Received notify: INVALID_COOKIES.
  One Peer has rebooted or is otherwise no longer using the correct IKE Cookies. Resetting the VPN Policies on both Peers and re-enabling the VPN will resolve this.
  
  
• Received notify: RESPONDER_LIFETIME.
  Remote Peer has a lower Security Association Lifetime than the SonicWall. This is not an actual error and can be ignored.
  
  Received notify: INVALID_SPI
  Received unencrypted packet while crypto active
  Received notify: INVALID_PAYLOAD
  Illegal IPSec SPI
  Unknown IPSec SPI
  Incompatible IPSec Security Association
  One Peer has rebooted or is otherwise no longer using the correct Security Association. If Dead Peer Detection is Enabled then the Security Association should renegotiate, if not then resetting the VPN Policy will resolve the issue.
  
  
• IKE Responder: Proposed local network is 0.0.0.0 but SA has no LAN Default Gateway.
  IKE Responder: Default LAN gateway is not set but peer is proposing to use this SA as a default route.
  The Remote Peer is proposing Tunnel All Mode but the SonicWall is not configured for the required LAN Default Gateway. 
  
  
• IPSec packet from or to an illegal host.
  Source or Destination Gateways on the VPN Policy are incorrect.
  
  
• IPSec Replay Detected.
  An incoming IPSec Packet has a repeated sequence number and has been dropped for security reasons. This is typically due to latency or a compatibility issue between the SonicWall and the Remote VPN Concentrator.
  
  
• Access Group Mismatch.
  The GVC User is not a Member of the correct Group set under XAUTH.
  
  
• Could Not Allocate Inbounce SPI | Could Not Create Outbound IPSec Rule | Could Not Register Outbound SPI.
  Indicates that the SonicWall is running out of memory. Reasons for this may include Hardware Specifications and/or too much traffic being sent through the SonicWall.
  
  
• Encapsulation Mode Mismatch.
  The Encapsulation Mode on the VPN Policy doesn't match between the Peers. Ensure both Peers are set to either AH or ESP.
  
  
• Traffic Selectors Unacceptable.
  If some networks mentioned on one end of tunnel, don't match the other end, it results in the "Traffic Selectors Unacceptable" error.
  Check the local and remote network on either ends of the site to site VPN. Local network on site A should match the remote network on site B. Similarly, Local network on site B, should match the remote network on site A.