4

PROBLEM IN SHORT

SonicWall Global VPN client from Windows 10 workstation to PEER NSA 240 reports an error has occurred:

The peer is not responding to phase 1 ISAKMP requests.

VPN CLIENT LOG

The connection has been enabled.
Starting ISAKMP phase 1 negotiation.
An error occured.
The peer is not responding to phase 1 ISAKMP requests.
Starting ISAKMP phase 1 negotiation.
etc...

TESTING CONTEXT

Issue is isolated to windows 10 workstations only from today only. No changes made to NSA peer in prior to failure.

Yesterday 19/11/15 all OS nodes:
- 3 x windows 10
- 4 x windows 8.1
- 6 x windows 7 
Connected without exception.

Today 20/11/15 
- 3 x windows 10 fails with exception above.
- 4 x windows 8.1 operational
- 6 x windows 7 operational

Note this exception is generated before user credentials are entered and on a new install before the pre-shared key is entered.

ATTEMPTED FIXES

  • upgrade to latest NSA 240 firmware
  • deploy latest version of Global VPN client
  • set NSA WAN MTU to 1450 (was 1500)
  • Allow packet fragmentation
  • disable window firewall on client
  • disable windows defender on client
  • check windows updates prior / post fail (defender definition only change since 19th)
  • tested multiple user
  • uninstall vpn client
  • Run the GVC Cleaner tool (removes client completely from registry)
  • confirmed client credentials used on 10 are operational from windows 8.1
  • The 3 x windows 10 clients reporting the exception are completed isolated on seperate networks in home locations, have unique client credentials, 2 share same ADSL exchange but different ISPs. 1 on unique exchange.
  • windows 8.1 running laptop plugged into same switch as windows 10 client connects. Rules out any hardware settings between client and peer.
  • will also try win 7 VM on windows 10 host (not have time to deploy yet). Pretty sure it will be operational.
  • generally reboot on each test.

99.9% certain this is an Windows 10 issue.

VERSION INFORMATION

Dell SonicWall NSA 240 running:
- firmware version Sonic OS Enhanced 5.9.1.1-390
- Safemode verison 5.0.1.11
- ROM version 5.0.2.7


Client Global VPN Client version is:
- GVCSetup64 4.9.9.1016.


Windows 10 version:
- pro 64-bit (10.0, build 10240)

Running out of ideas.

Thank you

Scott

EDITED 25/01/26

A: From a new Windows 10 laptop:

  • Connected to a new WIFI network (WIFI X) external to my VPN termination network. For reference ISP is BT. Independent ADSL line.
  • Download and deploy GVPN Clinet 4.9.9.1016.
  • Entered pre-shared key
  • Entered user credentials. Connected.

This is the first Windows 10 successful connection.

B: From same Windows 10 laptop:

  • Disconnected VPN.
  • Disconnect WIFI
  • Connect to another external WIFI network (WIFI Y). Again BT is the ISP, independent ADSL line , note this is not the same ADSL line as WIFI X.
  • Attempt VPN connection.
  • The peer is not responding to phase 1 ISAKMP requests.

This seems to suggest on a fresh installation of Windows 10 the initial VPN connection is successful.

C: From same Windows 10 laptop:

  • Disconnect WIFI Y
  • Connect to WIFI X.
  • Connect to VPN endpoint.
  • Pass user credential.
  • Connection is successful.

So the question is why. Please note all other Windows 10 client still fail as per the orginal post.

One thing of note. All successful client connection be it 7 , 8 or 10 all report starting aggressive mode Phase1 exchange. I should point out the VPN termination is behind a NAT device. This has not been an issue until Windows 10. This device has the following support enabled currently:

  • PPTP Pass-Through
  • IPSec Pass-Through
  • Multicast Pass-Through
  • Port forwarding 500 UDP
  • Port forwarding 4500 UDP

Feel a step closer to resolving this today. In the process of deploying a leased line. I would like to deploy new SonicWall NSA hardware , in this case VPN will terminate on the device hosting the external IPs (ie no NAT). Suspect this will resolve my issues with Windows 10 clients.

Additional Testing

  • In addition all ports 1-65534 TCP/UDP have been forwarded to the VPN termination endpoint for testing.

  • Anti virus software removed from testing laptop.

  • Attempted to change the protocol binding order on the laptop and reboot but did not help. The thinking was Windows 10 is handling something differently in terms of security / bindings so having a look for problems other users are having with comms in general. REF

Thank you. Scott

Community
  • 1
scott_lotus
  • 1,079
  • 3
  • 16
  • 29

2 Answers2

1

Its appears this issue has resolved itself over the last couple of days due to a Windows 10 update. I dont know exactly what update at this time but will post further information if it becomes available.

Edited to add I can categorically confirm no changes have been made to our NSA firewall or VPN adapter software that could have caused Windows 10 IPsec VPN functionality to start operating again.

Thank you

Scott

Edited to add links to the Windows 10 update history that covers the time period between in-operability and operability.

March 8, 2016 — KB3140768 (OS Build 10586.164)

This update includes quality improvements and security fixes. No new operating system features are being introduced in this update. Key changes include:

  • Improved support for Bluetooth, wearables, and apps accessing contacts.

  • Improved reliability in app installation and Narrator.

  • Improved performance for hibernation, content entry in apps, and downloading and installing updates.

  • Fixed issue that didn't allow login to an Xbox from a PC running Windows 10.

  • Fixed security issue created when attempting to play corrupted content.

  • Fixed security issue that could allow remote code execution while viewing a PDF in Microsoft Edge.

  • Fixed additional issues with .NET Framework, Internet Explorer 11, and networking.

  • Fixed additional security issues with Microsoft Edge, Internet Explorer 11, USB storage driver, kernel mode drivers, .NET Framework, graphic fonts, OLE, secondary logon, PDF library, and Adobe Flash Player.

For more info about the security fixes in this update and a complete list of affected files, see KB3140768.

March 1, 2016 — KB3140743 (OS Build 10586.122)

This update includes quality improvements. No new operating system features or security fixes are being introduced in this update. Key changes include:

  • Improved reliability in numerous areas, including OS and Windows Update installation, startup, installing and configuring Windows for the first time, authentication, resuming from hibernation, shutdown, kernel, Start menu, storage, Windows Hello, display modes, Miracast, AppLocker, Internet Explorer 11, Microsoft Edge browser, network connectivity and discovery, and File Explorer.

  • Improved performance in video thumbnail generation, NetLogon, Windows Store, and standby power consumption.

  • Improved support for devices including some wearables, displays, and printer scenarios.

  • Reset app default when a registry setting is deleted or corrupted and streamlined notification about the corruption.

  • Fixed an issue causing favorites to be lost after updates are installed.

  • Fixed several issues that individually could cause certain apps to fail to launch, update, or allow in-app purchases.

  • Improved quality of Cortana voices and translations of multiple languages of an Internet Explorer dialog box.

  • Improved support for apps, fonts, graphics and display, airplane mode, Group Policy, PowerShell, MDM, Windows Journal, Microsoft Edge, printing, touch display, roaming credentials, push-button reset, Windows UX, local and streaming video, audio quality, error reporting, USMT, and VHD creation.

For a complete list of affected files, see KB3140743

February 9, 2016 — KB3135174 (OS Build 10240.16683)

This update includes quality improvements and security fixes. No new operating system features are being introduced this month. Key changes in this update include:

  • Improved installation time of updates.

  • Fixed issue with Microsoft Edge browser caching visited URLs while using InPrivate browsing.

  • Improved Silverlight performance.

  • Fixed issue that didn't allow a Windows 10 PC to remotely configure a server.

  • Fixed issue with pictures and tables not displaying in Windows Journal.

  • Fixed security issues that could allow remote code execution when malware is run on a target system.

  • Fixed security issues in Microsoft Edge and Internet Explorer 11 that could allow code from a malicious website to be installed and run on a device.

  • Fixed additional issues with Input Method Editors (IMEs), Direct Access, assigned access, peripheral device detection, barcode scanning, Windows Explorer, Internet Explorer 11, Microsoft Edge, and scripting.

  • Fixed additional security issues with .NET Framework, PDF library, Windows Journal, kernel-mode drivers, Remote Desktop, and WebDAV.

For more info about the security fixes in this update and a complete list of affected files, see KB3135174.

i.e it was one of these updates but I am unable to isolate it further at this time sorry.

Community
  • 1
scott_lotus
  • 1,079
  • 3
  • 16
  • 29
1

This error usually is caused by UDP packets being fragmented during the initial handshaking. SonicWall now has a workaround for it.

Go to the Properties menu on the client, and turn on "Restrict the size of the first ISAKMP packet sent". (This option is available in client versions 4.9.14 and above).

AndyB
  • 131
  • 2