Title: The VPN Log shows: "IKE Initiator Remote party timeout..." error

Article Applies To:

Affected SonicWALL Security Appliance Platforms: 

Gen5: NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400 MX, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)


Firmware/Software Version: All versions.
Services: VPN

Problem Definition:

The VPN log shows several "IKE Initiator: Remote party timeout..." messages, followed after a short delay by "IKE negotiation aborted due to timeout". This indicates that there is a communication problem or that the Initiator and Responder are unable to complete the Phase 1 negotiations.

 

Logs on Initiator:


 

 


 

Resolution / Workaround:

If you receive an "IKE Initiator: No response--remote party timeout" error:

1. Check the logs on the Responder SonicWALL, which will clearly display the exact problem. Ensure that the Proposals are identical on both VPN policies.

Logs on Responder:



If no log messages are available for the Initiator VPN device, then follow these steps:

2. Ensure that the Global VPN option and the VPN policy are enabled.

3. Verify network connectivity between units. (Tip: you may try to connect via GVC software if GroupVPN is configured on the SonicWALL.)

4. The 'Disable this SA' box is not checked in the SA of the IKE Responder (SonicOS Standard).

5. The IPSec Gateway address in the Initiator SA specifies the WAN address of the IKE Responder.

6. If you are using an FQDN in the IPSec Gateway Name or Address field, ensure that the FQDN resolves to the WAN address of the IKE Responder.

7. IKE Access Rules are enabled on both SonicWALLs.

8. No other firewalls in the path are blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.

9. Contact the ISP to see if they're blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.

10. If using SonicOS Standard with Aggressive Mode VPN, make sure the remote end's firewall name is specified on the host firewall's VPN policy.

11. If the VPN Tunnel is being established with a 3rd Party VPN device, then make sure that NAT-T is disabled (in case there is no NAT device in front of the SonicWALL).

12. Check the Local and Peer IKE IDs in the VPN policy if you have set up the Site to Site VPN Policy between the SonicOS Enhanced and Standard firewalls.

13. Click the Advanced tab of the VPN Policy and set VPN to bind to Zone WAN.
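Steps 6, 8 and 9 can be checked from a host on the Initiator side with a short script. The following is an added example, not part of the original article or any SonicWALL tool: it confirms that the gateway FQDN resolves to the Responder's WAN address, then sends one IKEv1 Main Mode proposal to UDP 500 and classifies the reply. The function names and the sample proposal are assumptions; edit the proposal to match your own VPN policy.

```python
import os, socket, struct, sys

# Sample Phase 1 proposal (constructed): 3DES, SHA-1, pre-shared key, DH group 2,
# lifetime 28800 s. Edit the values to match your own VPN policy.
SAMPLE_ATTRS = [(1, 5), (2, 2), (3, 1), (4, 2), (11, 1), (12, 28800)]

def fqdn_matches(fqdn, wan_ip, resolve=socket.gethostbyname_ex):
    """Step 6: does the gateway FQDN resolve to the Responder's WAN address?"""
    return wan_ip in resolve(fqdn)[2]

def build_probe(cookie, attrs=SAMPLE_ATTRS):
    """IKEv1 Main Mode first message (RFC 2408/2409) carrying one proposal."""
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in attrs)
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, 1, 0) + body
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    header = cookie + bytes(8) + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def classify_reply(data, cookie):
    """Interpret whatever came back on UDP 500."""
    if data is None:
        return "no-reply"            # path blocked, or Responder stayed silent
    if len(data) < 28 or data[:8] != cookie:
        return "unrelated"           # not an answer to our probe
    next_payload = data[16]
    if next_payload == 1:
        return "sa-accepted"         # SA payload: proposal was acceptable
    if next_payload == 11 and len(data) >= 40:   # Notification payload
        notify = struct.unpack("!H", data[38:40])[0]
        return "no-proposal-chosen" if notify == 14 else f"notify-{notify}"
    return "other-reply"

def probe(host, timeout=5.0):
    """Steps 8 and 9: send one probe to UDP 500 and classify the answer."""
    cookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_probe(cookie), (host, 500))
        try:
            data, _ = s.recvfrom(4096)
        except OSError:              # timeout or ICMP unreachable
            data = None
    return classify_reply(data, cookie)

if __name__ == "__main__" and len(sys.argv) == 3:
    fqdn, wan_ip = sys.argv[1:]
    print("FQDN matches WAN IP:", fqdn_matches(fqdn, wan_ip))
    print("UDP 500 probe:", probe(wan_ip))
```

Any reply shows that UDP 500 is reachable end to end. A "no-reply" result does not distinguish a blocked path from a Responder that silently drops the proposal, so confirm it against the Responder's log as in step 1.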


Authored by: Guru Corner on Sat, May 5th, 2012 at 6:00 PM
Online URL: http://kb.guru-corner.com/question.php?ID=216