Error message SSL negotiation with license manager server has failed.

03/26/2020 55 15553

DESCRIPTION:

Older firmware versions are not able to contact to the new HTTPS License server due to an updated certificate on our backend.
The new certificate is a 2048 bit certificate and uses a secure Verisign certificate. (new IP 204.212.170.143)

RESOLUTION:

Resolution A

• Upgrade at least to the latest General Release (i.e. 6.2.5.3, 6.2.7.1, 5.9.1.7)

Resolution B (workaround) in the case you prefer not upgrading the firmware:

CAUTION: This workaround may not work. The firmware upgrade is always the suggested solution to this issue as there might be certificate or TLS incompatibilities with old firmware versions.

Step 1: Create a DNS entry on your internal DNS server to resolve to the OLD License manager IP 204.212.170.35

Screenshot below shows an example server 192.168.168.101 (DNS Server) which has an entry for licensemanager.sonicwall.com
It resolves to the old IP 204.212.170.35 (old SonicWall Licenseserver which accepts old root certificates from old firmware versions)

Step 2: Put the internal DNS as the first choice in the firewall Network | DNS | Settings . 
            Let's say the internal DNS server is 192.168.168.101, then put 192.168.168.101 in the first field (first choice)

Step 3: Import the certificate from the https://204.212.170.35 webpage. 
            You can use, for example, Firefox to download the certificate. If this does not work, you can also carry out the following steps to import the certificate.

1. Navigate to the System | Certificates page. 
2. Under Additional CA Certificates, import the SonicWall Firewall DPI-SSL root certificate. 

TIP: The certificate can be obtained by copy-pasting the following PEM encoded text into a text editor and saving it as SonicWallFirewallDPI-SSL.pem (with .pem extension). 

-----BEGIN CERTIFICATE----- 
MIIC6zCCAlSgAwIBAgIJAMCocw7Ocp2/MA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV 
BAYTAlVTMQswCQYDVQQIEwJDQTEXMBUGA1UEChMOU29uaWNXQUxMIEluYy4xIzAh 
BgNVBAMTGlNvbmljV0FMTCBGaXJld2FsbCBEUEktU1NMMB4XDTA5MDMwOTIxMzky 
MFoXDTI5MDMwNDIxMzkyMFowWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRcw 
FQYDVQQKEw5Tb25pY1dBTEwgSW5jLjEjMCEGA1UEAxMaU29uaWNXQUxMIEZpcmV3 
YWxsIERQSS1TU0wwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM9Sr0ViM9Uf 
QDPE1110vQpZkbBMJdUWTGcomx8lk/8je38O+GjrS1zEbww7JJ9GEM8PYnPxN9pA 
mChtSNy5bviQdNqXfAMhSxRHICg4lFcsa95bzoRm1UzD09jXqsJQO8BR6bmLE+XZ 
YnA/QF+W7ain589WkCS3ER9gptwuw683AgMBAAGjgbwwgbkwHQYDVR0OBBYEFFdA 
z3naeZEhRpUg4MfD2Dg93nmoMIGJBgNVHSMEgYEwf4AUV0DPedp5kSFGlSDgx8PY 
OD3eeaihXKRaMFgxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEXMBUGA1UEChMO 
U29uaWNXQUxMIEluYy4xIzAhBgNVBAMTGlNvbmljV0FMTCBGaXJld2FsbCBEUEkt 
U1NMggkAwKhzDs5ynb8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCm 
kgRiH8A1r6in0u3iAqFBuiNDdkqefVOZAULEplx00/kETR5m3IOurG+pKln4SmNp 
lZgxA6/ldr+wPgXQD72mbXUHDLIaSernjMhNC1MxhVGiXTGLyYL2ULv52mk8EIzY 
Qxk7DWfLJqCuUyZ59+spkQu40uTZX14Dc/uM142bJg== 
-----END CERTIFICATE----- 

OR 

the certificate can be exported by accessing Https://204.212.170.35 from any Internet browser, here is an example on exporting the SonicWall Firewall DPI-SSL certificate using the latest FireFox browser.

How to Test:

1) First test is to check if the SonicWall resolves to the old licensemanager ip.
Go to System | Diagnostic and then check if the name licensemanager.sonicwall.com resolves to 204.212.170.143, and check if the first (the internal DNS) is being used.

2) Then go to System | Certificate and check if you see the new imported certificate

3a) Go the System | Registration and click on Registration. If you are redirected to a Login Page then the workaround works
    Login with your mysonicwall.com credentials with your Username and Password
    (the same Password which you use for your mysonicwall.com account)

or...

3b) You can also go to System | Licenses | License renew (below the Synchronize button). If you click on this link, then it redirects you as well to the mySonicWall account . You should see here a Login Page as well