

New S2S can't connect

MO: XGS136/SFOS v19.5.2. Not in production yet, setting up to replace production firewall.

BO: XG115/SFOS v19.5.2. In production.

MO & BO have had an IPSec S2S running for a long time with the MO production firewall.

The MO XGS that will replace the MO firewall is on a separate WAN IP & LAN IP from the production firewall, and I'm using that to get the BO S2S's set up ahead of migration to the XGS.

MO & BO are using identical IPSec Policies on the production firewall, and to simplify migration, I've used the same Policies and PSKs. At the BO, I cloned the old S2S to create the new S2S, changing only the remote WAN IP.

Another BO with an XG115 is working fine. But this one can't connect.

Old S2S disabled during testing. BO initiates on the new S2S. When I review the VPN Logs for both firewalls, I don't see any connection attempts. When I look at a packet capture at the BO, I see every inbound and outbound IKE UDP/500 packet is denied ("Rule 0").

I disabled and re-enabled the new S2S but there was no change.

Why would the BO firewall be denying IKE for an enabled S2S and how can I fix it? I guess I can create a custom firewall rule for it, but should I need to? Never needed one before.

Figured it out. User error. I clicked on the wrong remote LAN object on the MO VPN connection setup.

Don't really understand why that would explain the symptoms: no entries in the VPN log on either firewall, and all IKE packets falling down to rule 0 on the BO firewall. But can't argue with the results.
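The root cause above was a mismatch between the two ends of the tunnel: the remote network selected on the MO side was not the BO's LAN. The script below is an added example, not Sophos code and not from the original post. It models only the fields that have to agree on both ends of a site-to-site IPsec definition (each side's remote gateway is the other side's WAN IP, policy and PSK match, and each side's remote networks are exactly the other side's local networks) and reports every mismatch. The class name, field names, site names and addresses are constructed for illustration; the addresses are documentation ranges.

```python
"""Mirror-check for a pair of IPsec site-to-site definitions (added example, not Sophos code)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class S2SConnection:
    """One end of a site-to-site tunnel as configured on a firewall (hypothetical model)."""
    name: str
    wan_ip: str                # listening WAN address of this firewall
    remote_gateway: str        # WAN address of the peer
    local_networks: tuple      # CIDR strings behind this firewall
    remote_networks: tuple     # CIDR strings expected behind the peer
    policy: str                # IPsec policy name; must match on both ends
    psk: str                   # pre-shared key; must match on both ends
    enabled: bool = True


def _nets(cidrs):
    """Normalise CIDR strings so '10.1.1.5/24' and '10.1.1.0/24' compare equal."""
    return frozenset(ip_network(c, strict=False) for c in cidrs)


def _fmt(nets):
    return ", ".join(sorted(str(n) for n in nets))


def check_pair(a: S2SConnection, b: S2SConnection) -> list:
    """Return human-readable mismatches between two ends of a tunnel.

    An empty list means the definitions mirror each other.
    """
    problems = []
    for side in (a, b):
        if not side.enabled:
            problems.append(f"{side.name}: connection is disabled")
    if a.remote_gateway != b.wan_ip:
        problems.append(f"{a.name}: remote gateway {a.remote_gateway} "
                        f"is not {b.name}'s WAN IP {b.wan_ip}")
    if b.remote_gateway != a.wan_ip:
        problems.append(f"{b.name}: remote gateway {b.remote_gateway} "
                        f"is not {a.name}'s WAN IP {a.wan_ip}")
    if a.policy != b.policy:
        problems.append(f"IPsec policy differs: {a.name}={a.policy!r}, {b.name}={b.policy!r}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")  # never echo key material
    a_local, a_remote = _nets(a.local_networks), _nets(a.remote_networks)
    b_local, b_remote = _nets(b.local_networks), _nets(b.remote_networks)
    if a_remote != b_local:
        problems.append(f"{a.name} remote networks [{_fmt(a_remote)}] "
                        f"!= {b.name} local networks [{_fmt(b_local)}]")
    if b_remote != a_local:
        problems.append(f"{b.name} remote networks [{_fmt(b_remote)}] "
                        f"!= {a.name} local networks [{_fmt(a_local)}]")
    return problems


# Constructed sample topology (hypothetical names, documentation address ranges).
BO = S2SConnection(
    name="BO-XG115", wan_ip="198.51.100.20", remote_gateway="203.0.113.10",
    local_networks=("10.20.0.0/24",), remote_networks=("10.10.0.0/24",),
    policy="Branch-Office-IKEv2", psk="example-psk-do-not-use",
)


def mo_connection(remote_lan: str) -> S2SConnection:
    """Main-office end; `remote_lan` is the LAN object picked for the branch."""
    return S2SConnection(
        name="MO-XGS136", wan_ip="203.0.113.10", remote_gateway="198.51.100.20",
        local_networks=("10.10.0.0/24",), remote_networks=(remote_lan,),
        policy="Branch-Office-IKEv2", psk="example-psk-do-not-use",
    )


MO_CORRECT = mo_connection("10.20.0.0/24")     # this branch's LAN
MO_WRONG_LAN = mo_connection("10.30.0.0/24")   # a different branch's LAN object

if __name__ == "__main__":
    for label, mo in (("correct", MO_CORRECT), ("wrong LAN object", MO_WRONG_LAN)):
        print(f"{label}: {check_pair(BO, mo) or 'OK'}")
```

Run it against both ends before enabling a cloned connection; the wrong-LAN case reports exactly the kind of mismatch that caused the failure in this thread, while the gateway, policy and PSK checks catch the other common cloning slips.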