Solved

Can't Pass Traffic on my SonicWall NSA 240

Posted on 2010-08-20
15
2,586 Views
Last Modified: 2012-05-10
Hi, I need some help configuring a SonicWall NSA 240 with Enhanced 3.x OS

I have a network that consists of a SonicWall NSA 240, three Linksys switches, some thin clients plugged into the Linksys switches and a server for the Thin Clients. I’m extending my network and placing some thin clients in other locations. I am attempting to do this by using my NSA 240 to segregate my network (exactly like I am currently doing with 2 other networks using NSA 4500s). However, I haven’t been very successful. My current NSA 240 setup is this:

WAN = Transparent Mode – 201.50.0.10 – 255.255.0.0
Interface X3 = Thin Clients – Transparent Mode – Assigned a Thin Client Zone
Interface X8 = Server – Transparent Mode – Assigned to a Server zone
Thin Clients Address Object - range from 201.50.2.130 – 180 - Assigned to the Thin Client Interface
Server Address Object is 201.50.2.1 - Assigned to the Server Interface
Extended Thin Clients = 100 – 120 IP range coming in from WAN assigned to the WAN Interface

Firewall = Wide Open / Bi-Directional / any-any
Thin Clients setup with Static IP info

** Future setup will involve other networks passing through the WAN – 201.50.X.X and 201.50.X.X **

I’m trying to route my thin client switches into Interface X3 and out of Interface X8, and my extended clients coming in on the WAN (X1) to Interface X8 (when I route my WAN traffic out of an interface and into the thin client switches, the thin client traffic starts going into the SonicWall and dropping packets instead of going straight to the Thin client server). Although I see that the traffic is getting to the NSA 240 and the ARP cache is building, the SonicWall keeps dropping “ARP” requests and “BOOTP” requests.

Any suggestion would be greatly appreciated.
0
Comment
Question by:mritwonderful
15 Comments
 
LVL 2

Expert Comment

by:mattolan
ID: 33486939
If you have a support contract with SonicWall for this device I would call them. I have found their support staff very helpful with such issues in the past (although sitting on hold does suck).
0
 

Author Comment

by:mritwonderful
ID: 33487233
Unfortunately I do not have a support contract.
0
 
LVL 8

Expert Comment

by:jimmyray7
ID: 33489090
Can you post your current routing entries?
0

 
LVL 33

Expert Comment

by:digitap
ID: 33489097
Although I don't understand exactly why you have your firewall configured as completely wide open to the internet, it should be routing traffic. If it's not, then you might have a firewall rule blocking traffic. Firewall > Access Rules and check the thin client zone to the other zones you want to pass the traffic to.
0
 

Author Comment

by:mritwonderful
ID: 33495269
Digitap

I currently have it open just to see if I can get the traffic to pass; once I get this working I'll lock it down. I have no access rules blocking any traffic, and nothing shows up in the logs as being dropped and being associated with a specific rule, but if I do a Packet Capture I can see that the ARP requests and the BOOTP traffic are getting dropped. I agree with you, it should be routing traffic.
0
 

Author Comment

by:mritwonderful
ID: 33495286
Jimmyray7,

As much as I would love to share them (I know that would probably add some more insight to the issue), I don't know if that would be possible, but I will look into it tomorrow.

Thanks
0
 
LVL 33

Expert Comment

by:digitap
ID: 33495443
Do the drop entries look something like this?

Ethernet Header
Ether Type: ARP(0x806), Src=[00:23:7d:eb:17:4a], Dst=[02:17:c5:11:91:9a]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: 00:23:7d:eb:17:4a
Sender IP Address: 192.168.201.103
Target MAC Address: 02:17:c5:11:91:9a
Target IP Address: 10.112.241.1
Value:[0]
DROPPED, Drop Code: 13, Module Id: 46, (Ref.Id: _259_jcpfngKpeqokpiCtrTgurqpug) 1:0)

0
 
LVL 33

Expert Comment

by:digitap
ID: 33495497
Here is a KB configuring transparent mode on the WAN interface.  Maybe there's something here that might lead you to a solution.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979
0
 

Author Comment

by:mritwonderful
ID: 33497685
I will check the dropped entries tomorrow to verify if they are similar.
0
 

Author Comment

by:mritwonderful
ID: 33512592
digitap,

I checked the dropped entries and they're not exactly the same. Mine are "Drop Code 13", which is something like "No ARP Bridge Link established". What I'm thinking is I'll have to set up an L2 Bridge between X3 and X8 to get the traffic to pass and set another interface, "X6", to transparent mode to pass the WAN traffic to the server. As soon as I get a chance to make the changes I will post my results.
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 33512656
I believe you are on the right track.  You might also consider adding a manual ARP entry.  Check out the link below to the differences between L2 and Transparent bridging.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5976&p=t
0
 

Author Comment

by:mritwonderful
ID: 33516952
Yep, that's the same article I saw earlier today. When I read the "Path Determination", that's what made me think that I'll have to go L2. Apparently I can't use Transparent Mode and route traffic through two separate interfaces while also using the WAN interface as a main ingress/egress point. At least that's how I'm interpreting it.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33517788
That's what I thought when you first indicated your configuration, but I've never tried it before... the article seems to indicate otherwise. I'm wondering, though, if a static ARP would solve your challenge?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33734864
Was it a static ARP?  Thanks for the points!
0
 
LVL 5

Expert Comment

by:cmaohio
ID: 37926803
I am having this same problem and my packets are being "consumed". The MAC address of the destination computer is completely different than the one listed in the packet I posted below. I don't know how to add a manual ARP. How do you do that? I have only one machine (not specific to an IP) that won't speak through the firewall to my VPN. I change the IP and it still fails.


Ethernet Header
 Ether Type: IP(0x800), Src=[00:25:84:b8:a6:ff], Dst=[02:17:c5:16:64:3c]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.0.2.93], Dst=[10.10.0.54]
UDP Packet Header
 Src=[51173], Dst=[6129], Checksum=0x8e4d, Message Length=20 bytes
Application Header
 Not Known:
Value:[0]
Consumed, Module Id:21 1:0)
0

Question has a verified solution.
