Customer gets a code drop 187 Octeon Decryption Message from a SonicWall to a Fortinet VPN Tunnel

Overview / Scenario:

When configuring a Site-to-Site VPN tunnel with 5.9.0.6 between a SonicWall appliance (Site A) and a Fortinet Device on Site B) you get a drop code 187 on the Fortinet Site. For example if you use RDP through the vpn tunnel. Ping works but a RDP connection gives a drop code 187.

Solution:

Even if it is possible to use Address Objects in the IPSEC phase policy on FORTINET, do NOT use them

Step 1: Start with a network group object with one or more Class-C subnet network objects and look if phase 1 and 2 finished without errors.
If ICMP (ping) goes through the vpn tunnel.

Step 2: Check if a Remote Desktop connection or telnet works. Here you run typically in the drop scenario when you try to access from FORTINET to SonicWall some resources.

Step 3: Address Objects are "more compatible" in some cases on the Fortinet site to the SonicWall site at the other end, so do NOT to use address objects, but use network addresses instead on the Fortinet Site

Typically this works without any change on the SonicWall site.


Additional Information/Similar Problems which are SonicWall related:
On the SonicWall Site there is a Hotfix available as well, for example if the problem appears between a SonicWall and a other SonicWall. The DTS Number is 130482 . The Hotfix can be requested via our Support Line.