Error message: "SSL negotiation with license manager server has failed."
03/26/2020
Older firmware versions cannot contact the new HTTPS License server because of an updated certificate on our backend.
The new certificate is a 2048-bit certificate and uses a secure Verisign certificate (new IP: 18.104.22.168).
- Upgrade at least to the latest General Release (i.e. 22.214.171.124, 126.96.36.199, 188.8.131.52)
Resolution B (workaround), if you prefer not to upgrade the firmware:
CAUTION: This workaround may not work. The firmware upgrade is always the suggested solution to this issue as there might be certificate or TLS incompatibilities with old firmware versions.
Step 1: Create a DNS entry on your internal DNS server that resolves licensemanager.sonicwall.com to the OLD License Manager IP 184.108.40.206
The screenshot below shows an example server, 192.168.168.101 (DNS server), which has an entry for licensemanager.sonicwall.com.
It resolves to the old IP 220.127.116.11 (the old SonicWall License server, which accepts old root certificates from old firmware versions).
Step 2: Put the internal DNS server as the first choice in the firewall under Network | DNS | Settings.
For example, if the internal DNS server is 192.168.168.101, put 192.168.168.101 in the first field (first choice).
Step 3: Import the certificate from the https://18.104.22.168 webpage.
You can use, for example, Firefox to download the certificate. If this does not work, you can also carry out the following steps to import the certificate.
1. Navigate to the System | Certificates page.
2. Under Additional CA Certificates, import the SonicWall Firewall DPI-SSL root certificate.
TIP: The certificate can be obtained by copy-pasting the following PEM-encoded text into a text editor and saving it as SonicWallFirewallDPI-SSL.pem (with .pem extension).
The certificate can also be exported by accessing https://22.214.171.124 from any Internet browser. Here is an example of exporting the SonicWall Firewall DPI-SSL certificate using the latest Firefox browser.
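An added check for Step 3 (example code, not part of the original article or of SonicWall's tooling): before importing the saved SonicWallFirewallDPI-SSL.pem as a CA certificate, compare its SHA-256 fingerprint with a value obtained separately, for example from a second export made on another machine. The function names and the sample bytes are assumptions for the example; the article publishes no fingerprint, so the operator supplies the expected value.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (lowercase hex) of every certificate in pem_text."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return [hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest() for b in blocks]


def normalise(fp):
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex and return lowercase hex."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", fp).lower()
    if len(cleaned) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 fingerprint")
    return cleaned


def safe_to_import(pem_text, expected_fp):
    """True only if the file holds exactly one certificate and it matches expected_fp."""
    fps = pem_fingerprints(pem_text)
    if len(fps) != 1:
        return False  # a CA import file should not carry extra certificates
    return hmac.compare_digest(fps[0], normalise(expected_fp))


# Constructed sample: these bytes are NOT a real certificate, only data to hash.
SAMPLE_DER = b"constructed sample bytes, not a real certificate " * 4
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    import sys
    # Usage: script.py SonicWallFirewallDPI-SSL.pem <expected-sha256-fingerprint>
    path, expected = sys.argv[1], sys.argv[2]
    with open(path, encoding="ascii") as fh:
        ok = safe_to_import(fh.read(), expected)
    print("match" if ok else "MISMATCH: do not import")
    sys.exit(0 if ok else 1)
```

A mismatch, or a file containing more than one certificate, means the saved file is not the certificate that was expected and should not be added under Additional CA Certificates.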
How to Test:
1) The first test is to check whether the SonicWall resolves to the old License Manager IP.
Go to System | Diagnostic, check that the name licensemanager.sonicwall.com resolves to 126.96.36.199, and check that the first DNS server (the internal DNS) is being used.
2) Then go to System | Certificate and check that you see the newly imported certificate.
3a) Go to System | Registration and click on Registration. If you are redirected to a login page, then the workaround works.
Log in with your mysonicwall.com username and password
(the same password that you use for your mysonicwall.com account).
3b) You can also go to System | Licenses | License renew (below the Synchronize button). Clicking this link also redirects you to the mySonicWall account, where you should see a login page as well.