Article Applies To:

Affected SonicWALL Security Appliance Platforms: 

Gen6 SM E10000 series: NSA E10800, NSA E10400, NSA E10200, NSA E10100
Gen6 SM 9000 series: NSA 9600, NSA 9400, NSA 9200

Gen6 NSA Series: NSA 6600, NSA 5600, NSA 4600, NSA 3600, NSA 2600

Gen5: NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.

Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)


Firmware/Software Version: All versions.
Services: VPN



Problem Definition:

The log shows "Received notify: INVALID_ID_INFO" on the initiator firewall.

Resolution or Workaround:

INVALID_ID_INFO can be received in either Phase 1 or Phase 2 of establishing a VPN tunnel, and the cause differs between the two.

In Phase 1:

The SonicWALL received notification that the Phase 1 ID is invalid.

This is most likely to happen during an Aggressive Mode exchange. Check that Aggressive Mode is selected in the SA on both SonicWALLs.

On SonicOS Standard firmware, ensure the SA name in each SonicWALL is the same as the Unique Firewall Identifier (UFI) of the remote peer SonicWALL. The Unique Firewall Identifier is a Global VPN setting found on the VPN > Settings page.

On SonicOS Enhanced firmware, you can set the local and peer (remote) IKE IDs to an IP Address, Domain Name, Email Address or SonicWALL Identifier (UFI); the local IKE ID configured on one side must match the peer IKE ID configured on the other.

In the case of a Main Mode tunnel, this error can be seen when the appliance at one end is behind a NAT device. SonicWALL UTM appliances use their WAN IP address as the IKE ID by default and expect the other side's public IP address as the remote IKE ID, so an appliance behind NAT sends its private WAN address while the peer is expecting the public address. On SonicOS Enhanced firmware, you can reconfigure the Local / Peer IKE ID with the correct IP address, or specify another parameter such as Domain Name, Email Address or UFI.

In Phase 2:

This is always caused by the Local and Destination networks not mirroring each other on the two sides: the Local network of one unit must be the Destination network of the other. Please ensure the VPN policies on both units are configured with the correct Destination and Local networks.
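As an added illustration (not part of this article or of any SonicWALL tooling), the following Python script takes a pair of VPN policy definitions in a hypothetical, hand-built representation and reports the Phase 1 and Phase 2 mismatches described above. The sample policies are constructed: site A sits behind a NAT device, so by default it sends its private WAN address as its IKE ID while site B expects the public address.

```python
from dataclasses import dataclass
from ipaddress import ip_network

def norm_id(ike_id):
    """Normalise an (id_type, value) pair so names and addresses compare case-insensitively."""
    id_type, value = ike_id
    return (id_type.lower(), value.strip().lower())

def norm_nets(nets):
    """Normalise subnet strings ('10.0.0.0/24' or '10.0.0.0/255.255.255.0') for set comparison."""
    return frozenset(ip_network(n, strict=False) for n in nets)

@dataclass
class VpnPolicy:          # hypothetical representation, not the SonicOS export format
    name: str
    mode: str             # "main" or "aggressive"
    local_id: tuple       # (id_type, value); id_type in {"ip", "domain", "email", "ufi"}
    peer_id: tuple
    local_nets: list
    dest_nets: list

def check_pair(a, b):
    """Return the mismatches between policies a and b that would produce INVALID_ID_INFO."""
    findings = []
    if a.mode.lower() != b.mode.lower():
        findings.append(f"Phase 1: exchange mode mismatch ({a.name}={a.mode}, {b.name}={b.mode})")
    for sender, receiver in ((a, b), (b, a)):
        # Phase 1: the local ID one side sends must equal the peer ID the other side expects.
        if norm_id(sender.local_id) != norm_id(receiver.peer_id):
            findings.append(f"Phase 1: {receiver.name} expects peer ID {receiver.peer_id} "
                            f"but {sender.name} sends local ID {sender.local_id}")
        # Phase 2: one side's Local network must be the other side's Destination network.
        if norm_nets(sender.local_nets) != norm_nets(receiver.dest_nets):
            findings.append(f"Phase 2: {receiver.name} destination {receiver.dest_nets} "
                            f"does not mirror {sender.name} local {sender.local_nets}")
    return findings

# Constructed scenario: site A's WAN interface holds a private address behind NAT (192.168.1.2)
# and the NAT device presents 203.0.113.10 to site B; addresses are documentation ranges.
SITE_A = VpnPolicy("siteA", "main", ("ip", "192.168.1.2"), ("ip", "198.51.100.5"),
                   ["10.1.0.0/24"], ["10.2.0.0/24"])
SITE_B = VpnPolicy("siteB", "main", ("ip", "198.51.100.5"), ("ip", "203.0.113.10"),
                   ["10.2.0.0/24"], ["10.1.0.0/255.255.255.0"])
# Corrected policy: site A's local IKE ID is set to the public address site B expects.
SITE_A_FIXED = VpnPolicy("siteA", "main", ("ip", "203.0.113.10"), ("ip", "198.51.100.5"),
                         ["10.1.0.0/24"], ["10.2.0.0/24"])

if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B) or ["no mismatches"]:
        print(finding)
    print(check_pair(SITE_A_FIXED, SITE_B) or "no mismatches after correcting the local IKE ID")
```

The same check applies to Domain Name, Email Address or UFI identifiers, since only the (type, value) pair is compared.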