SonicWall Site-to-Site VPN Not Connecting: How to Fix It
A SonicWall site-to-site tunnel that won't establish fails in IKE Phase 1 or Phase 2 — and the cause is almost always a mismatched proposal, key, or network object. Here's how to find it.
Step 1 — Check the tunnel status and logs
In SonicOS, open Network > IPSec VPN > Rules and Settings — a green indicator means the SA is up. If it's down, go to Investigate > Logs > Event Logs and filter on VPN; the log entries name the phase and reason it failed.
Step 2 — Phase 1 (IKE) won't come up
- Peer reachability: confirm the remote gateway IP is correct and reachable, and that UDP 500/4500 aren't blocked upstream.
- Shared secret: the pre-shared key must match exactly on both ends.
- IKE proposal: IKE version (v1/v2), exchange/mode, DH group, encryption and authentication must match. A single mismatch keeps Phase 1 down.
Step 3 — Phase 2 (IPsec) won't establish
- Local & remote networks: the address objects for your local network and the remote network must mirror the peer (your local = their remote). This is the most common SonicWall Phase 2 failure.
- Phase 2 proposal: encryption, authentication and Perfect Forward Secrecy (and, if PFS is enabled, the PFS DH group) must match on both sides.
Step 4 — Tunnel flaps or won't pass traffic
If the SA comes up but drops, enable Keep Alive on the VPN policy and check that both ends agree on lifetimes. If it's up but no traffic passes, verify the access rules and that the route/NAT policies allow the VPN subnets. SonicWall's Investigate > Packet Monitor shows whether packets are entering and leaving the tunnel.
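As an added example (not from this article and not Tech Matrix code), the following Python script compares the policy fields named in Steps 2 to 4 across both gateways and reports each mismatch by the IKE phase it would break. The dict layout and the sample HQ/branch values are constructed assumptions, not a SonicOS export format.

```python
"""Added example: compare both ends of a SonicWall site-to-site policy.
Constructed, simplified model of the fields to compare (not a SonicOS export);
fill it in from each appliance's VPN policy page."""
from hmac import compare_digest

PHASE1 = ("ike_version", "exchange", "dh_group", "encryption", "authentication", "lifetime")
PHASE2 = ("encryption", "authentication", "pfs", "pfs_group", "lifetime")


def diagnose(local: dict, peer: dict) -> list[str]:
    """Return human-readable findings; an empty list means the ends agree."""
    findings = []
    # Phase 1: every proposal parameter must be identical on both gateways.
    for f in PHASE1:
        a, b = local["phase1"].get(f), peer["phase1"].get(f)
        if a != b:
            findings.append(f"Phase 1 {f}: {a!r} here vs {b!r} on peer")
    # The PSK is compared in constant time and never included in the output.
    if not compare_digest(local["psk"].encode(), peer["psk"].encode()):
        findings.append("Phase 1 pre-shared key differs (values not shown)")
    # Phase 2: the proposal (including PFS and its DH group) must match too.
    for f in PHASE2:
        a, b = local["phase2"].get(f), peer["phase2"].get(f)
        if a != b:
            findings.append(f"Phase 2 {f}: {a!r} here vs {b!r} on peer")
    # Phase 2: address objects must mirror (my local == their remote).
    if set(local["local_networks"]) != set(peer["remote_networks"]):
        findings.append("Phase 2 networks: local here != remote on peer")
    if set(local["remote_networks"]) != set(peer["local_networks"]):
        findings.append("Phase 2 networks: remote here != local on peer")
    return findings


# Constructed sample: HQ and branch policies as read off each appliance.
HQ = {"psk": "example-key", "local_networks": ["10.1.0.0/16"],
      "remote_networks": ["10.2.0.0/16"],
      "phase1": dict(ike_version="IKEv2", exchange="Main", dh_group=14,
                     encryption="AES-256", authentication="SHA256", lifetime=28800),
      "phase2": dict(encryption="AES-256", authentication="SHA256", pfs=True,
                     pfs_group=14, lifetime=28800)}
BRANCH = {"psk": "example-key", "local_networks": ["10.2.0.0/16"],
          "remote_networks": ["10.1.0.0/24"],       # typo: /24 instead of /16
          "phase1": dict(HQ["phase1"], dh_group=2),  # DH group mismatch
          "phase2": dict(HQ["phase2"], pfs=False, pfs_group=None)}  # PFS off

if __name__ == "__main__":
    for line in diagnose(HQ, BRANCH):
        print(line)
```

Run against the sample it reports the DH group, both PFS fields and the mis-sized remote network; correcting those four values on the branch side yields an empty list.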
How Tech Matrix solves this in ~60 seconds
The SonicWall trap is matching proposals and address objects across two appliances while reading the event log. Tech Matrix connects to your SonicWall, reads the VPN log and policy itself, and tells you exactly which proposal, key or network object doesn't match — grounded in your SonicOS version, with your approval on every step.
Frequently asked questions
How do I tell whether a SonicWall site-to-site VPN is up?
In SonicOS go to Network > IPSec VPN > Rules and Settings — a green indicator means the SA is established. Event Logs (Investigate > Logs) filtered on VPN show why it failed.
Why does Phase 2 fail after Phase 1 succeeds?
Usually the local/remote network address objects don't mirror the peer, or the Phase 2 proposal (encryption/auth/PFS) doesn't match. Both must align on each side.
Which ports does the tunnel need open?
IKE uses UDP 500 and UDP 4500 (NAT-T). These must be reachable between the two gateways for the tunnel to negotiate.