- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Error message SSL negotiation with license manager server has failed.
03/26/2020 
63 People found this article helpful
50,693 Views
Description
Older firmware versions are not able to contact to the new HTTPS License server due to an updated certificate on our backend.
The new certificate is a 2048 bit certificate and uses a secure Verisign certificate. (new IP 204.212.170.143)
Resolution
Resolution A
- Upgrade at least to the latest General Release (i.e. 6.2.5.3, 6.2.7.1, 5.9.1.7)
Resolution B (workaround) in the case you prefer not upgrading the firmware:
CAUTION: This workaround may not work. The firmware upgrade is always the suggested solution to this issue as there might be certificate or TLS incompatibilities with old firmware versions.
Step 1: Create a DNS entry on your internal DNS server to resolve to the OLD License manager IP 204.212.170.35
Screenshot below shows an example server 192.168.168.101 (DNS Server) which has an entry for licensemanager.sonicwall.com
It resolves to the old IP 204.212.170.35 (old SonicWall Licenseserver which accepts old root certificates from old firmware versions)
Step 2: Put the internal DNS as the first choice in the firewall Network | DNS | Settings .
Let's say the internal DNS server is 192.168.168.101, then put 192.168.168.101 in the first field (first choice)
Step 3: Import the certificate from the https://204.212.170.35 webpage.
You can use, for example, Firefox to download the certificate. If this does not work, you can also carry out the following steps to import the certificate.
1. Navigate to the System | Certificates page.
2. Under Additional CA Certificates, import the SonicWall Firewall DPI-SSL root certificate.
TIP: The certificate can be obtained by copy-pasting the following PEM encoded text into a text editor and saving it as SonicWallFirewallDPI-SSL.pem (with .pem extension).
-----BEGIN CERTIFICATE-----
MIIC6zCCAlSgAwIBAgIJAMCocw7Ocp2/MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
BAYTAlVTMQswCQYDVQQIEwJDQTEXMBUGA1UEChMOU29uaWNXQUxMIEluYy4xIzAh
BgNVBAMTGlNvbmljV0FMTCBGaXJld2FsbCBEUEktU1NMMB4XDTA5MDMwOTIxMzky
MFoXDTI5MDMwNDIxMzkyMFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRcw
FQYDVQQKEw5Tb25pY1dBTEwgSW5jLjEjMCEGA1UEAxMaU29uaWNXQUxMIEZpcmV3
YWxsIERQSS1TU0wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM9Sr0ViM9Uf
QDPE1110vQpZkbBMJdUWTGcomx8lk/8je38O+GjrS1zEbww7JJ9GEM8PYnPxN9pA
mChtSNy5bviQdNqXfAMhSxRHICg4lFcsa95bzoRm1UzD09jXqsJQO8BR6bmLE+XZ
YnA/QF+W7ain589WkCS3ER9gptwuw683AgMBAAGjgbwwgbkwHQYDVR0OBBYEFFdA
z3naeZEhRpUg4MfD2Dg93nmoMIGJBgNVHSMEgYEwf4AUV0DPedp5kSFGlSDgx8PY
OD3eeaihXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEXMBUGA1UEChMO
U29uaWNXQUxMIEluYy4xIzAhBgNVBAMTGlNvbmljV0FMTCBGaXJld2FsbCBEUEkt
U1NMggkAwKhzDs5ynb8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm
kgRiH8A1r6in0u3iAqFBuiNDdkqefVOZAULEplx00/kETR5m3IOurG+pKln4SmNp
lZgxA6/ldr+wPgXQD72mbXUHDLIaSernjMhNC1MxhVGiXTGLyYL2ULv52mk8EIzY
Qxk7DWfLJqCuUyZ59+spkQu40uTZX14Dc/uM142bJg==
-----END CERTIFICATE-----
OR
the certificate can be exported by accessing Https://204.212.170.35 from any Internet browser, here is an example on exporting the SonicWall Firewall DPI-SSL certificate using the latest FireFox browser.
How to Test:
1) First test is to check if the SonicWall resolves to the old licensemanager ip.
Go to System | Diagnostic and then check if the name licensemanager.sonicwall.com resolves to 204.212.170.143, and check if the first (the internal DNS) is being used.
2) Then go to System | Certificate and check if you see the new imported certificate
3a) Go the System | Registration and click on Registration. If you are redirected to a Login Page then the workaround works
Login with your mysonicwall.com credentials with your Username and Password
(the same Password which you use for your mysonicwall.com account)
or...
3b) You can also go to System | Licenses | License renew (below the Synchronize button). If you click on this link, then it redirects you as well to the mySonicWall account . You should see here a Login Page as well
Related Articles
- How to Create Gen 7 Settings File by Using the Online Migration Tool
- DNS Resolution of Wildcard FQDN Address Objects
- All associated wildcard FQDN IP addresses do not display in the web browser
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO