
Sonicwall TZ170 TCP, ICMP, and UDP packet from LAN / WAN Drop

Last Modified: 2015-03-26
Yesterday, I started to receive multiple UDP packet drops. Spoke with Sonicwall support who had me upgrade the firmware to 3.1.0.15 Standard OS. Then things got more interesting. I started to see more packet drops with ICMP, TCP, and UDP. This happened all of a sudden after Sonicwall rebooted itself. Please look at the partial log below and let me know what could be the problem. 192.168.5.2 is a Windows 2003 server running DNS, RRAS, and file server. I can't see anything wrong with the server, nor are any users having problems at this time. This is not a critical situation but more towards knowing what is going wrong here.




Problem: What can I do to fix this issue?

Cause: Yesterday Sonicwall TZ170 rebooted itself without cause (on battery backup - no power outage occurred).


Sample LOG

02/16/2006 06:31:21.016 -       IPS Prevention Alert: POLICY SMTP Relay Denied, SID: 521, Priority: Low -       192.168.5.3, 25, LAN -  59.104.100.207, 4711, WAN -    
02/16/2006 06:31:58.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3348, LAN -        UDP Port:  3348
02/16/2006 06:32:14.448 -       ICMP packet dropped -   63.65.16.205, 3, WAN, 870.ATM1/0.GW2.CHI1.alter.net -   63.87.53.146, 1, WAN -  ICMP Type:   3, Code:   1
02/16/2006 06:33:06.368 -       ICMP packet dropped -   63.65.16.205, 3, WAN, 870.ATM1/0.GW2.CHI1.alter.net -   63.87.53.146, 1, WAN -  ICMP Type:   3, Code:   1
02/16/2006 06:33:10.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3357, LAN -        UDP Port:  3357
02/16/2006 06:33:12.048 -       Web management request allowed -        192.168.5.34, 1191, LAN -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:33:27.592 -       Administrator login allowed -   192.168.5.34, 0, LAN (admin) -  192.168.5.1, 80, LAN -  admin, TCP Web (HTTP)
02/16/2006 06:34:28.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3423, LAN -        UDP Port:  3423
02/16/2006 06:34:29.816 -       Web management request allowed -        192.168.5.34, 1292, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:35:36.576 -       Web management request allowed -        192.168.5.34, 1344, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:35:43.288 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3439, LAN -        UDP Port:  3439
02/16/2006 06:36:41.176 -       TCP connection dropped -        83.37.129.100, 16397, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 06:37:09.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3448, LAN -        UDP Port:  3448
02/16/2006 06:37:16.256 -       Web management request allowed -        192.168.5.34, 1375, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:38:14.032 -       TCP connection dropped -        83.37.129.100, 16732, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 06:38:14.048 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3460, LAN -        UDP Port:  3460
02/16/2006 06:38:26.672 -       Web management request allowed -        192.168.5.34, 1436, LAN (admin) -       192.168.5.1, 80, LAN -  TCP Web (HTTP)
02/16/2006 06:39:07.256 -       Administrator logged out -      192.168.5.34, 0, LAN (admin) -  192.168.5.1, 80, LAN -  admin, TCP Web (HTTP)
02/16/2006 06:39:39.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3466, LAN -        UDP Port:  3466
02/16/2006 06:40:57.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3473, LAN -        UDP Port:  3473
02/16/2006 06:42:09.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3488, LAN -        UDP Port:  3488
02/16/2006 06:44:08.704 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3494, LAN -        UDP Port:  3494
02/16/2006 06:45:11.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3501, LAN -        UDP Port:  3501
02/16/2006 06:46:15.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3513, LAN -        UDP Port:  3513
02/16/2006 06:47:55.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3516, LAN -        UDP Port:  3516
02/16/2006 06:49:27.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3522, LAN -        UDP Port:  3522
02/16/2006 06:49:36.688 -       TCP connection dropped -        83.37.129.100, 19491, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 06:50:35.128 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3538, LAN -        UDP Port:  3538
02/16/2006 06:51:47.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3544, LAN -        UDP Port:  3544
02/16/2006 06:52:53.144 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3559, LAN -        UDP Port:  3559
02/16/2006 06:53:56.832 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3571, LAN -        UDP Port:  3571
02/16/2006 06:54:58.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3590, LAN -        UDP Port:  3590
02/16/2006 06:56:00.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3605, LAN -        UDP Port:  3605
02/16/2006 06:57:16.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3617, LAN -        UDP Port:  3617
02/16/2006 06:57:57.192 -       TCP connection dropped -        63.160.97.169, 1646, WAN -      63.87.53.146, 445, WAN -        TCP Port:   445
02/16/2006 06:58:22.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3629, LAN -        UDP Port:  3629
02/16/2006 06:59:24.016 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3641, LAN -        UDP Port:  3641
02/16/2006 07:00:34.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3654, LAN -        UDP Port:  3654
02/16/2006 07:01:46.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3666, LAN -        UDP Port:  3666
02/16/2006 07:02:46.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3672, LAN -        UDP Port:  3672
02/16/2006 07:03:48.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3687, LAN -        UDP Port:  3687
02/16/2006 07:04:50.224 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3701, LAN -        UDP Port:  3701
02/16/2006 07:06:02.400 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3715, LAN -        UDP Port:  3715
02/16/2006 07:07:10.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3721, LAN -        UDP Port:  3721
02/16/2006 07:08:12.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3727, LAN -        UDP Port:  3727
02/16/2006 07:09:50.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3733, LAN -        UDP Port:  3733
02/16/2006 07:11:02.208 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3740, LAN -        UDP Port:  3740
02/16/2006 07:12:10.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3749, LAN -        UDP Port:  3749
02/16/2006 07:13:12.208 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3761, LAN -        UDP Port:  3761
02/16/2006 07:14:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3767, LAN -        UDP Port:  3767
02/16/2006 07:15:52.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3771, LAN -        UDP Port:  3771
02/16/2006 07:17:00.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3783, LAN -        UDP Port:  3783
02/16/2006 07:18:05.080 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3795, LAN -        UDP Port:  3795
02/16/2006 07:19:14.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3804, LAN -        UDP Port:  3804
02/16/2006 07:20:22.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3814, LAN -        UDP Port:  3814
02/16/2006 07:21:34.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3829, LAN -        UDP Port:  3829
02/16/2006 07:22:48.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3835, LAN -        UDP Port:  3835
02/16/2006 07:22:56.688 -       TCP connection dropped -        203.139.217.204, 3521, WAN -    63.87.53.146, 139, WAN -        TCP Port:   139
02/16/2006 07:23:56.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3844, LAN -        UDP Port:  3844
02/16/2006 07:25:32.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3857, LAN -        UDP Port:  3857
02/16/2006 07:26:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3872, LAN -        UDP Port:  3872
02/16/2006 07:27:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3875, LAN -        UDP Port:  3875
02/16/2006 07:29:04.224 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3884, LAN -        UDP Port:  3884
02/16/2006 07:30:12.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3897, LAN -        UDP Port:  3897
02/16/2006 07:31:32.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3909, LAN -        UDP Port:  3909
02/16/2006 07:32:38.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3921, LAN -        UDP Port:  3921
02/16/2006 07:33:11.768 -       TCP connection dropped -        83.37.129.100, 10125, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 07:33:51.512 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3933, LAN -        UDP Port:  3933
02/16/2006 07:34:52.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3948, LAN -        UDP Port:  3948
02/16/2006 07:36:06.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3955, LAN -        UDP Port:  3955
02/16/2006 07:37:58.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3958, LAN -        UDP Port:  3958
02/16/2006 07:39:00.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3964, LAN -        UDP Port:  3964
02/16/2006 07:39:00.416 -       TCP connection dropped -        80.28.31.182, 52731, WAN, 80-28-31-182.adsl.nuria.telefonica-data.net -         192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 07:40:10.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3974, LAN -        UDP Port:  3974
02/16/2006 07:41:38.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3983, LAN -        UDP Port:  3983
02/16/2006 07:42:52.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 3992, LAN -        UDP Port:  3992
02/16/2006 07:43:42.176 -       TCP connection dropped -        81.224.165.178, 61795, WAN -    192.168.5.5, 139, LAN -         TCP Port:   139
02/16/2006 07:44:40.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4004, LAN -        UDP Port:  4004
02/16/2006 07:44:47.288 -       TCP connection dropped -        83.37.129.100, 12679, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net -   192.168.5.6, 32821, LAN -       TCP Port: 32821
02/16/2006 07:46:06.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4011, LAN -        UDP Port:  4011
02/16/2006 07:47:14.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4020, LAN -        UDP Port:  4020
02/16/2006 07:49:26.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4029, LAN -        UDP Port:  4029
02/16/2006 07:50:34.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4036, LAN -        UDP Port:  4036
02/16/2006 07:51:56.192 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4045, LAN -        UDP Port:  4045
02/16/2006 07:53:02.176 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4054, LAN -        UDP Port:  4054
02/16/2006 07:54:32.608 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4064, LAN -        UDP Port:  4064
02/16/2006 07:55:37.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4073, LAN -        UDP Port:  4073
02/16/2006 07:56:55.800 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4085, LAN -        UDP Port:  4085
02/16/2006 07:59:05.240 -       UDP packet from LAN dropped -   192.168.5.2, 53, LAN -  192.168.5.1, 4091, LAN -        UDP Port:  4091

All these UDP drops from LAN appear to be DNS responses from the 2k3 server to 192.168.5.1... Not sure if that helps but that's all I can really gather from this. Maybe check your Access rules to see if DNS is denied somewhere.

Author

Commented:
I knew the UDP packet drops were related to DNS. The access rule is in place for WAN (anywhere) to 192.168.5.2 (allow). This seems to be going the other way, LAN 192.168.5.2 to 192.168.5.1 (firewall). This should not be happening. I checked all the settings on the DNS, which is supposed to forward all requests to an outside-ISP DNS. DNS Event Viewer has no errors. I cleared the cache and reloaded the server files.

Right... as these are just responses you won't see any DNS errors. UDP doesn't do any error checking for a good receive of packets. So the server sends the response and thinks it's good to go.

There has to be some kind of access rule that's denying specific traffic from the LAN that includes DNS somehow. It's definitely going to be a SonicWALL issue, nothing on the server.

Author

Commented:
Here are the rules. There is one new rule which was added on top of these, anywhere to LAN (anywhere) deny. This was the default deny rule. The UDP packets were being dropped before this rule.

1, priority 1, HTTPS Management, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 LAN
       dst IP 192.168.5.1-192.168.5.1 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added y, for remote access n, auto-added mgmt y, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Auto-added management rule
2, priority 2, HTTP Management, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 LAN
       dst IP 192.168.5.1-192.168.5.1 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added y, for remote access n, auto-added mgmt y, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Auto-added management rule
3, priority 3, Retrieve E-Mail (POP3), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: POP3
4, priority 4, Send E-Mail (SMTP), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: SMTP
5, priority 5, IMAP4, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added y, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 1
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Windows Networking Support
6, priority 6, HTTPS, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 1
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Web Server
7, priority 7, Name Service (DNS), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.2-192.168.5.2 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: DNS
8, priority 8, Web (HTTP), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Web Server
9, priority 9, File Transfer (FTP), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: FTP
10, priority 10, Key Exchange (IKE), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 ANY
       dst IP 192.168.5.1-192.168.5.1 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable y, auto-added y, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 1
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Auto-added inbound IKE rule
11, priority 11, Key Exchange (IKE), Allow, Enabled
       src IP 192.168.5.1-192.168.5.1 LAN
       dst IP 0.0.0.0-255.255.255.255 ANY
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable y, auto-added y, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 1
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Auto-added outbound IKE rule
12, priority 12, PPTP, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 ANY
       dst IP 192.168.5.2-192.168.5.2 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 1
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: RAS
13, priority 13, PPTP, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 ANY
       dst IP 192.168.5.3-192.168.5.3 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 1
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: PPTP SK2
14, priority 14, PC Anywhere, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 192.168.5.2-192.168.5.30 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: PC ANY
15, priority 15, Terminal Services, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 ANY
       dst IP 192.168.5.2-192.168.5.10 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: TS
16, priority 16, LDAP, Allow, Disabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 0.0.0.0-255.255.255.255 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: LDAP
17, priority 17, File Transfer (FTP), Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 ANY
       dst IP 0.0.0.0-255.255.255.255 ANY
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: FTP
18, priority 18, IPSec (ESP), Allow, Disabled
       src IP 0.0.0.0-255.255.255.255 ANY
       dst IP 0.0.0.0-255.255.255.255 ANY
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: IPSEC
19, priority 19, Any, Deny, Enabled
       src IP 192.168.5.4-192.168.5.5 LAN
       dst IP 224.0.0.1-224.0.0.2 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: all-system mcast
20, priority 20, Any, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 OPT
       dst IP 0.0.0.0-255.255.255.255 WAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment:
21, priority 21, Any, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 LAN
       dst IP 0.0.0.0-255.255.255.255 LAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment:
22, priority 22, Any, Allow, Enabled
       src IP 0.0.0.0-255.255.255.255 LAN
       dst IP 0.0.0.0-255.255.255.255 WAN
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment: Any
23, priority 23, Any, Deny, Enabled
       src IP 0.0.0.0-255.255.255.255 WAN
       dst IP 0.0.0.0-255.255.255.255 OPT
      timed 0, 0:00 - 0:00, Sun to Sun
      nonDeletable n, auto-added n, for remote access n, auto-added mgmt n, timeout 5
       allow fragments 0
        bandwidth mgmt: enabled 0 guaranteed 0.000 maximum 0.000 priority 0
        Comment:
 
Nothing wrong there... the next thing it could be is if the DNS is taking so long to respond that it's timing out the NAT session. Or if there's any kind of NAT policy that causes the request to come in on one IP but end up responding on another (thus making it not have a valid session to respond on.) That would also explain why the packets are going to the firewall IP.

So next thing to check would be the NAT policies. You also might run a packet trace from the SonicWALL on the server IP and see if it yields any useful info.

Author

Commented:
I don't have any specific policy for NAT. It's very simple. I have 1 to 1 NAT, and DHCP using NAT for all clients. DNS in NAT was 192.168.5.2 (1), ISP (2), and ISP (3). Kind of redundant. Nothing pointing to the firewall. I did the packet trace, which shows the information being transferred from and to 192.168.5.2, which happens to be DNS requests being forwarded and replied to by the ISP DNS.

Well, that would only leave a timeout issue... You could try increasing some timeouts. But at this point if it's not causing any failures that you know of I'm pretty much out of ideas.

I think you are getting UDP scanned.

Look at the time-stamps and the port numbers.  Starting low at port 3348 at 6:30, scanning up to 4091 by 8:00

That's a lot of ports in a short time period... I can't think of any other good reason why all of those UDP ports would be accessed in such a short time.
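
A way to check the two readings offered in the replies (DNS responses versus a UDP scan) against the log itself, as an added example that is not part of the original thread: a small Python parser for the log format shown in the question that groups dropped packets by source and destination and reports the port pattern of each group. The field layout is inferred from the posted lines, and all function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the log in the question (runs of whitespace condensed).
SAMPLE_LOG = """\
02/16/2006 06:31:21.016 - IPS Prevention Alert: POLICY SMTP Relay Denied, SID: 521, Priority: Low - 192.168.5.3, 25, LAN - 59.104.100.207, 4711, WAN -
02/16/2006 06:31:58.128 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 3348, LAN - UDP Port: 3348
02/16/2006 06:32:14.448 - ICMP packet dropped - 63.65.16.205, 3, WAN, 870.ATM1/0.GW2.CHI1.alter.net - 63.87.53.146, 1, WAN - ICMP Type: 3, Code: 1
02/16/2006 06:33:10.144 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 3357, LAN - UDP Port: 3357
02/16/2006 06:33:12.048 - Web management request allowed - 192.168.5.34, 1191, LAN - 192.168.5.1, 80, LAN - TCP Web (HTTP)
02/16/2006 06:34:28.128 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 3423, LAN - UDP Port: 3423
02/16/2006 06:35:43.288 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 3439, LAN - UDP Port: 3439
02/16/2006 06:36:41.176 - TCP connection dropped - 83.37.129.100, 16397, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net - 192.168.5.6, 32821, LAN - TCP Port: 32821
02/16/2006 06:37:09.144 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 3448, LAN - UDP Port: 3448
02/16/2006 06:38:14.032 - TCP connection dropped - 83.37.129.100, 16732, WAN, 100.Red-83-37-129.dynamicIP.rima-tde.net - 192.168.5.6, 32821, LAN - TCP Port: 32821
02/16/2006 06:57:57.192 - TCP connection dropped - 63.160.97.169, 1646, WAN - 63.87.53.146, 445, WAN - TCP Port: 445
02/16/2006 07:59:05.240 - UDP packet from LAN dropped - 192.168.5.2, 53, LAN - 192.168.5.1, 4091, LAN - UDP Port: 4091
"""

# Fields are separated by " - "; some lines also end in a bare " -".
# Hyphens inside hostnames have no surrounding whitespace, so they never match.
FIELD_SEP = re.compile(r"\s+-(?:\s+|$)")


def parse_endpoint(text):
    """Parse 'ip, port, zone[, hostname]'. On ICMP lines the second value
    is the ICMP type/code rather than a port."""
    parts = [p.strip() for p in text.split(",", 3)]
    if len(parts) < 3 or not parts[1].isdigit():
        return None
    host = parts[3] if len(parts) > 3 else None
    return {"ip": parts[0], "port": int(parts[1]), "zone": parts[2], "host": host}


def parse_line(line):
    """Return time, message, source and destination, or None if malformed."""
    fields = FIELD_SEP.split(line.strip())
    if len(fields) < 4:
        return None
    try:
        when = datetime.strptime(fields[0], "%m/%d/%Y %H:%M:%S.%f")
    except ValueError:
        return None
    src, dst = parse_endpoint(fields[2]), parse_endpoint(fields[3])
    if src is None or dst is None:
        return None
    return {"time": when, "msg": fields[1], "src": src, "dst": dst}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def profile_drops(entries):
    """Group dropped packets by (message, src ip, dst ip) and describe the
    port pattern of each group."""
    groups = defaultdict(list)
    for e in entries:
        if "dropped" in e["msg"]:
            groups[(e["msg"], e["src"]["ip"], e["dst"]["ip"])].append(e)
    report = {}
    for key, hits in groups.items():
        hits.sort(key=lambda e: e["time"])
        dports = [e["dst"]["port"] for e in hits]
        minutes = (hits[-1]["time"] - hits[0]["time"]).total_seconds() / 60
        spread = max(dports) - min(dports)
        report[key] = {
            "count": len(hits),
            "src_ports": sorted({e["src"]["port"] for e in hits}),
            "dst_port_range": (min(dports), max(dports)),
            "dst_ports_ascending": all(a < b for a, b in zip(dports, dports[1:])),
            "ports_per_minute": round(spread / minutes, 1) if minutes else None,
        }
    return report


if __name__ == "__main__":
    for key, stats in profile_drops(parse_log(SAMPLE_LOG)).items():
        print(key, stats)
```

On these lines the UDP group from 192.168.5.2 to 192.168.5.1 has source port 53 only, with destination ports strictly ascending from 3348 to 4091 at about 8.5 ports per minute. Run over the full log, the same summary gives figures to weigh against both explanations in the thread.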
For anyone who has error 800 or 807 when using PPTP VPN on a windows server through a SonicWall UTM device, the solution is to use the Public server wizard to enable PPTP.  It doesn't work when manually creating the rules in many cases.