Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W, NSA 240, NSA 250M, NSA 250MW
Gen5 TZ series: TZ 100, TZ 100W, TZ 105, TZ 105W, TZ 200, TZ 200W, TZ 205, TZ 205W, TZ 210, TZ 210W, TZ 215, TZ 215W.
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)
Firmware/Software Version: All versions.
The log shows "Received notify: INVALID_ID_INFO" on the initiator firewall.
Resolution or Workaround:
INVALID_ID_INFO can occur both in Phase 1 and in Phase 2 of building up a VPN tunnel.
In Phase 1:
The SonicWALL received notification that the Phase 1 ID is invalid.
This is most likely to happen on an Aggressive Mode request error. Check that aggressive mode is set in the SA of both SonicWALLs.
On SonicOS Standard firmware, ensure the SA name in each SonicWALL is the same as the Unique Firewall Identifier (UFI) of the remote peer SonicWALL. The Unique Firewall Identifier is a Global VPN setting found on the VPN > Settings page.
On SonicOS Enhanced firmware, you can set the local and peer (remote) IKE IDs by IP Address, Domain Name, Email Address or SonicWALL Identifier (UFI).
In the case of a Main Mode tunnel, this error can be seen when the appliance at one end is behind a NAT device. By default, SonicWALL UTM appliances use their own WAN IP as the local IKE ID and expect the other side's public IP as the remote IKE ID, so a NAT-translated address will not match. On SonicOS Enhanced firmware, you can reconfigure the Local / Peer IKE ID with the correct IP address, or specify another parameter such as Domain Name, Email Address or UFI.
In Phase 2:
This always means that the Local and Destination networks do not match between the two sides. Ensure the VPN policies on both units are configured with the correct Destination and Local networks, with each side's Local network being the other side's Destination network.
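As an added example (not SonicWALL's code or the SonicOS configuration schema), the check below models the two policies of a tunnel and reports which phase would fail the ID check described above: a Phase 1 finding when one side's local IKE ID is not what the other side expects as its peer ID, and a Phase 2 finding when a side's Local networks are not the other side's Destination networks. The field names, the NAT scenario and the addresses are constructed for the example.

```python
from dataclasses import dataclass
import ipaddress

@dataclass
class VpnPolicy:
    """One side's VPN policy; field names are this example's own, not SonicOS's."""
    name: str
    aggressive: bool     # Phase 1 exchange mode: Aggressive (True) or Main (False)
    local_id: tuple      # Phase 1 local IKE ID as (type, value), e.g. ("ip", "198.51.100.7")
    peer_id: tuple       # Phase 1 IKE ID this side expects from the remote peer
    local_nets: list     # Phase 2 Local networks (CIDR strings)
    dest_nets: list      # Phase 2 Destination networks (CIDR strings)

def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def check_pair(a: VpnPolicy, b: VpnPolicy) -> list:
    """Return findings, each prefixed with the phase whose ID check would fail."""
    findings = []
    if a.aggressive != b.aggressive:
        findings.append("phase1: exchange mode differs between the two policies")
    for sender, receiver in ((a, b), (b, a)):
        if sender.local_id != receiver.peer_id:
            findings.append(f"phase1: {receiver.name} expects peer ID {receiver.peer_id} "
                            f"but {sender.name} sends {sender.local_id}")
        if _nets(sender.local_nets) != _nets(receiver.dest_nets):
            findings.append(f"phase2: {sender.name} local networks {sender.local_nets} "
                            f"do not match {receiver.name} destination networks {receiver.dest_nets}")
    return findings

# Constructed sample: site A sits behind a NAT device, so its WAN IP is private,
# while site B expects A's public address as the peer IKE ID.
SITE_A = VpnPolicy("siteA", True, ("ip", "192.168.1.2"), ("ip", "203.0.113.9"),
                   ["10.1.0.0/24"], ["10.2.0.0/24"])
SITE_B = VpnPolicy("siteB", True, ("ip", "203.0.113.9"), ("ip", "198.51.100.7"),
                   ["10.2.0.0/24"], ["10.1.0.0/24"])

def fixed_with_ufi(a: VpnPolicy, b: VpnPolicy, ufi: str):
    """Apply the article's NAT workaround: identify A by its UFI instead of its WAN IP."""
    a2 = VpnPolicy(a.name, a.aggressive, ("ufi", ufi), a.peer_id, a.local_nets, a.dest_nets)
    b2 = VpnPolicy(b.name, b.aggressive, b.local_id, ("ufi", ufi), b.local_nets, b.dest_nets)
    return a2, b2

if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B):
        print(finding)                                          # one phase1 finding
    print(check_pair(*fixed_with_ufi(SITE_A, SITE_B, "UFI-PLACEHOLDER")))  # []
```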