FIXED: SEE UPDATE AT BOTTOM
TZ670 installed at what we call our HQ. My remote TZ600 was configured with a site-to-site VPN to the old Gen 6.5 unit that we had there. I did migrate the configuration using the tool. A site-to-site tunnel to another Cisco ASA is working fine with very similar settings. I decided to rebuild the TZ600 tunnel completely on both sides; it still won't connect. I see ISAKMP OAK AG and then "IKE Responder: Remote part Timeout" on the TZ670. On the TZ600 I see Phase 1 start, then complete (aggressive mode), followed by "IKE Initiator: Start Quick Mode (Phase 2)". After that, nothing.
Anyone seen something similar going to Gen 7 and have a fix/solution?
TZ670 is on SonicOS 7.0.1-5161
TZ600 is on SonicOS Enhanced 6.5.4.15-116n
EDIT: TZ600 is behind NAT, but NAT traversal is enabled and was working prior.
FIXED:
I had been changing everything with this configuration, including even rebuilding the tunnels on both ends. None of that worked. On a whim I set Phase 2 to use 3DES and SHA1 with no PFS. It connected immediately. I made a bunch of changes to the proposals on Phase 1 and Phase 2 after this and they all worked. I set Phase 1 back to DH Group 5, AES-256, SHA256 and Phase 2 to ESP AES-256, SHA256, DH Group 5, and it's working like it's supposed to. I'm not sure if forcing Phase 2 to use entirely different encryption on both ends cleared up some sort of stuck session or TCP port configuration, but that seems to have done the trick.
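The symptom pattern in this thread (initiator reports Phase 1 complete and starts Quick Mode, responder only ever logs the aggressive-mode packet and then a timeout) is a useful one to recognise quickly. Below is an added example, not the poster's configuration or any SonicWall tooling, that reads IKE log lines from both peers, works out how far each side got, and prints the checks worth doing first for that stage. The sample log lines are constructed from the messages quoted in the post, and the regular expressions are an assumption about how those milestones are worded; adjust them to the actual log format you see.

```python
import re

# Constructed sample log lines, modelled on the messages quoted in the post.
# They are NOT real SonicOS output; the exact wording and layout is an assumption.
TZ600_INITIATOR_LOG = [
    "IKE Initiator: Start Aggressive Mode negotiation (Phase 1)",
    "IKE Initiator: Aggressive Mode complete (Phase 1)",
    "IKE Initiator: Start Quick Mode (Phase 2)",
]
TZ670_RESPONDER_LOG = [
    "IKE Responder: Received ISAKMP OAK AG (Aggressive Mode) packet",
    "IKE Responder: Remote party Timeout - Retransmitting IKE request",
]

# Negotiation milestones in the order they appear on a healthy IKEv1 tunnel.
# Each pattern is an assumption about how the milestone is worded in the log.
ORDER = ["phase1_started", "phase1_complete", "phase2_started", "phase2_complete"]
PATTERNS = {
    "phase1_started":  re.compile(r"ISAKMP OAK (AG|MM)|Start (Aggressive|Main) Mode", re.I),
    "phase1_complete": re.compile(r"(Aggressive|Main) Mode complete", re.I),
    "phase2_started":  re.compile(r"Start Quick Mode", re.I),
    "phase2_complete": re.compile(r"Quick Mode complete|IPsec SA (added|established)", re.I),
    "timeout":         re.compile(r"Remote part(?:y)? Timeout", re.I),
}


def stages_seen(lines):
    """Return the set of milestone names that appear anywhere in the given log lines."""
    return {name for line in lines for name, pat in PATTERNS.items() if pat.search(line)}


def furthest_stage(seen):
    """Return the last milestone (in ORDER) the peer reached, or None if it never started."""
    reached = [name for name in ORDER if name in seen]
    return reached[-1] if reached else None


def diagnose(initiator_lines, responder_lines):
    """Compare how far each side got and list the checks to do first for that stage."""
    i_far = furthest_stage(stages_seen(initiator_lines))
    r_seen = stages_seen(responder_lines)
    r_far = furthest_stage(r_seen)
    report = {
        "initiator_furthest": i_far,
        "responder_furthest": r_far,
        "responder_timeout": "timeout" in r_seen,
        "stalled_at": None,
        "hints": [],
    }
    if i_far == "phase2_complete" and r_far == "phase2_complete":
        return report  # both sides finished: nothing to diagnose

    # Whichever side got furthest tells us which phase the negotiation died in.
    best = max(ORDER.index(s) if s else -1 for s in (i_far, r_far))
    if best >= ORDER.index("phase2_started"):
        # One peer believes Phase 1 is done and sent Quick Mode; the other never answered it.
        report["stalled_at"] = "phase2"
        report["hints"] = [
            "Compare Phase 2 (ESP) encryption, authentication and PFS group on both ends; "
            "a mismatched proposal leaves the responder with nothing it can accept.",
            "Confirm NAT traversal is enabled on both peers and UDP 4500 passes the NAT device "
            "in front of the initiator; Phase 1 can succeed while UDP-encapsulated ESP is dropped.",
            "Check that the local and remote network definitions are mirrored on the two firewalls.",
        ]
    else:
        report["stalled_at"] = "phase1"
        report["hints"] = [
            "Verify the pre-shared key and the local/peer IKE identifiers match on both ends.",
            "Compare Phase 1 exchange mode (Main/Aggressive), DH group, encryption and hash.",
            "Confirm UDP 500 reaches the responder from the initiator's public address.",
        ]
    return report


if __name__ == "__main__":
    for key, value in diagnose(TZ600_INITIATOR_LOG, TZ670_RESPONDER_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed logs it reports `stalled_at: phase2` with the responder timeout flagged, which is exactly the state the post describes and points at the Phase 2 proposal comparison that turned out to be the fix. The stage table is deliberately data-driven so that the same logic can be reused for main-mode tunnels or a different log wording by editing `PATTERNS` only.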
Posted in r/sonicwall