Failed to get sainfo - Sonicwall NSA240



  • I have a tunnel set up to an NSA240 that comes up but does not work.  I have other Sonicwall devices connected with no problem but it appears this new unit must be a little different in how they are handling ipsec.  On the pfsense 1.21 box it shows:
    Dec 3 14:48:11 racoon: ERROR: failed to pre-process packet.
    Dec 3 14:48:11 racoon: ERROR: failed to get sainfo.
    Dec 3 14:48:11 racoon: ERROR: failed to get sainfo.
    Dec 3 14:48:11 racoon: [Royal Sonic]: INFO: respond new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]
    Dec 3 14:47:55 racoon: ERROR: failed to pre-process packet.
    Dec 3 14:47:55 racoon: ERROR: failed to get sainfo.
    Dec 3 14:47:55 racoon: ERROR: failed to get sainfo.
    Dec 3 14:47:55 racoon: [Royal Sonic]: INFO: respond new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]

    On the Sonic box it shows:
    12/03/2008 11:49:49.368 Info VPN IKE IKE Initiator: Start Quick Mode (Phase 2).

    I have the lifetimes set for 28800 on both boxes on Phase 1 and 2.  Both boxes show the tunnel as up but I can't pass any traffic across the vpn.

    Any ideas?

    Thanks,

    Andy



  • What I have found is that even though I have the interface of the vpn set up for my 1st carp address and the remote end set up to connect to the carp address, it doesn't work.  The Sonicwall sees the packets coming from the carp address but inside the packet it's showing my wan address.  The only way I can get this to connect is via the wan address.  Is it not possible to use a carp address for the vpn connections or am I missing something else?

    Andy



  • @geewhz01:

    What I have found is that even though I have the interface of the vpn set up for my 1st carp address and the remote end set up to connect to the carp address, it doesn't work.  The Sonicwall sees the packets coming from the carp address but inside the packet it's showing my wan address.  The only way I can get this to connect is via the wan address.  Is it not possible to use a carp address for the vpn connections or am I missing something else?

    Andy

    Seem to be having the same problem. Any way to manually input sainfo in the config file? Or is this some failure to pull remote sainfo on the sonicwall device?



  • You can define an IP address for the local identifier, try that instead of "my ip address".



  • Anybody get a fix for this?
    I have spent hours trying to get a VPN tunnel going between the PF and a Sonic Pro 230.
    Just keep on getting the "racoon: ERROR: failed to get sainfo." error.

    racoon: ERROR: failed to pre-process packet.
    Mar 3 10:10:11 racoon: ERROR: failed to get sainfo.
    Mar 3 10:10:11 racoon: ERROR: failed to get sainfo.
    Mar 3 10:10:11 racoon: [PF Test]: INFO: respond new phase 2 negotiation: 89.xx.xx.xx[0]<=>86.xx.xx.xxx[0]



  • This old thread comes up high on Google for this message. For the sake of those running into this in the future, "racoon: ERROR: failed to get sainfo" means you have a phase 2 mismatch. The best way to determine what is mismatched is to run racoon in the foreground in debug mode with:
    racoon -F -d -v -f /var/etc/racoon.conf
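
An added example, not part of the original thread and not pfSense or racoon code: racoon selects the sainfo section by the phase 2 network identifiers the peer sends, so a phase 2 mismatch can also be checked offline by comparing the sainfo sections in racoon.conf with the settings entered on the remote device. The configuration text, the networks and the `peer` dictionary keys are constructed for illustration, and only the `sainfo address ... any address ... any` form is parsed.

```python
import ipaddress
import re

# Constructed sample in racoon.conf syntax; networks and algorithms are made up.
SAMPLE_CONF = """
sainfo address 192.168.10.0/24 any address 10.20.0.0/24 any {
    encryption_algorithm 3des, aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 28800 secs;
}
"""
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+any\s+address\s+(\S+)\s+any\s*\{(.*?)\}", re.S)
LIST_KEYS = ("encryption_algorithm", "authentication_algorithm")

def net(text):
    return ipaddress.ip_network(text, strict=False)

def parse_sainfo(conf_text):
    """Return one dict per 'sainfo address <local> any address <remote> any' section."""
    sections = []
    for local, remote, body in SAINFO_RE.findall(conf_text):
        entry = {"local": net(local), "remote": net(remote)}
        for stmt in body.split(";"):
            words = stmt.replace(",", " ").split()
            if not words:
                continue
            if words[0] in LIST_KEYS:
                entry[words[0]] = set(words[1:])
            elif words[0] == "pfs_group":
                entry["pfs_group"] = words[1]
            elif words[:2] == ["lifetime", "time"]:
                entry["lifetime"] = int(words[2])
        sections.append(entry)
    return sections

def find_mismatches(sections, peer):
    """List differences between the peer's phase 2 settings and the local sainfo."""
    # The peer's local network is our remote network, and vice versa.
    local, remote = net(peer["remote_net"]), net(peer["local_net"])
    hits = [s for s in sections if (s["local"], s["remote"]) == (local, remote)]
    if not hits:
        return ["no sainfo section for %s <=> %s" % (local, remote)]
    problems = []
    for key in LIST_KEYS:
        if peer[key] not in hits[0].get(key, set()):
            problems.append("%s: peer offers %s" % (key, peer[key]))
    for key in ("pfs_group", "lifetime"):
        if peer[key] != hits[0].get(key):
            problems.append("%s: peer %s, local %s" % (key, peer[key], hits[0].get(key)))
    return problems
```

An empty list from `find_mismatches` means the compared fields agree; a "no sainfo section" entry means the networks or masks entered on the two ends differ.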

