mritwonderful

Can't Pass Traffic on my SonicWall NSA 240

Hi, I need some help configuring a SonicWall NSA 240 with Enhanced 3.x OS

I have a network that consists of a SonicWall NSA 240, three Linksys switches, some thin clients plugged into the Linksys switches and a server for the thin clients. I’m extending my network and placing some thin clients in other locations. I am attempting to do this by using my NSA 240 to segregate my network (exactly like I am currently doing with 2 other networks using NSA 4500s). However, I haven’t been very successful. My current NSA 240 setup is this:

WAN = Transparent Mode – 201.50.0.10 – 255.255.0.0
Interface X3 = Thin Clients – Transparent Mode – Assigned a Thin Client Zone
Interface X8 = Server – Transparent Mode – Assigned to a Server zone
Thin Clients Address Object - range from 201.50.2.130 – 180 - Assigned to the Thin Client Interface
Server Address Object is 201.50.2.1 - Assigned to the Server Interface
Extended Thin Clients = 100 – 120 IP range coming in from WAN assigned to the WAN Interface

Firewall = Wide Open / Bi-Directional / any-any
Thin Clients setup with Static IP info

** Future setup will involve other networks passing through the WAN – 201.50.X.X and 201.50.X.X **

I’m trying to route my thin client switches into Interface X3 and out of Interface X8, and my extended clients coming in on the WAN (X1) to Interface X8 (when I route my WAN traffic out of an interface and into the thin client switches, the thin client traffic starts going into the SonicWall and dropping packets instead of going straight to the thin client server). Although I see that the traffic is getting to the NSA 240 and the ARP cache is building, the SonicWall keeps dropping “ARP” requests and “BOOTP” requests.

Any suggestion would be greatly appreciated.
mattolan

If you have a support contract with SonicWall for this device I would call them. I have found their support staff very helpful with such issues in the past (although sitting on hold does suck).
mritwonderful

ASKER

Unfortunately I do not have a support contract.
Can you post your current routing entries?
Although I don't understand exactly why you have your firewall configured as completely wide open to the internet, it should be routing traffic. If it's not, then you might have a firewall rule blocking traffic. Go to Firewall > Access Rules and check the thin client zone to the other zones you want to pass the traffic to.
Digitap,

I currently have it open just to see if I can get the traffic to pass; once I get this working I'll lock it down. I have no access rules blocking any traffic, and nothing shows up in the logs as being dropped and being associated to a specific rule, but if I do a Packet Capture I can see that the ARP requests and the BOOTP traffic are getting dropped. I agree with you, it should be routing traffic.
Jimmyray7,

As much as I would love to share them ( I know that would probably add some more insight to the issue ) I don't know if that would be possible but I will look into it tomorrow.

Thanks
Do the drop entries look something like this?

Ethernet Header
Ether Type: ARP(0x806), Src=[00:23:7d:eb:17:4a], Dst=[02:17:c5:11:91:9a]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: 00:23:7d:eb:17:4a
Sender IP Address: 192.168.201.103
Target MAC Address: 02:17:c5:11:91:9a
Target IP Address: 10.112.241.1
Value:[0]
DROPPED, Drop Code: 13, Module Id: 46, (Ref.Id: _259_jcpfngKpeqokpiCtrTgurqpug) 1:0)

Here is a KB on configuring transparent mode on the WAN interface. Maybe there's something here that might lead you to a solution.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979
I will check the dropped entries tomorrow to verify if they are similar.
digitap,

I checked the dropped entries and they're not exact. Mine are "Drop Code 13", which is something like "No ARP Bridge Link established". What I'm thinking is I'll have to set up a L2 Bridge between X3 and X8 to get the traffic to pass and create another interface "X6" in transparent mode to pass the WAN traffic to the server. As soon as I get a chance to make the changes I will post my results.
ASKER CERTIFIED SOLUTION
digitap
This solution is only available to members.
Yep, that's the same article I saw earlier today. When I read the "Path Determination" section, that's what made me think that I'll have to go L2. Apparently I can't use Transparent Mode and route traffic through two separate interfaces while also using the WAN interface as a main ingress/egress point. At least that's how I'm interpreting it.
That's what I thought when you first indicated your configuration, but I've never tried it before...the article seems to indicate otherwise. I'm wondering, though, if a static ARP would solve your challenge?
Was it a static arp?  Thanks for the points!
I am having this same problem and my packets are being "consumed". The MAC address of the destination computer is completely different than the one listed in the packet I posted below. I don't know how to add a manual ARP. How do you do that? I have only one machine (not specific to an IP) that won't speak through the firewall to my VPN. I change the IP and it still fails.


Ethernet Header
 Ether Type: IP(0x800), Src=[00:25:84:b8:a6:ff], Dst=[02:17:c5:16:64:3c]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.0.2.93], Dst=[10.10.0.54]
UDP Packet Header
 Src=[51173], Dst=[6129], Checksum=0x8e4d, Message Length=20 bytes
Application Header
 Not Known:
Value:[0]
Consumed, Module Id:21 1:0)
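
Added example, not part of the thread and not SonicWall tooling: a small Python parser for capture text in the layout of the two entries posted above, which groups packets by verdict, Ether type, drop code and module ID so that a recurring drop reason stands out. The field layout is inferred only from those two entries; `parse_capture` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

ETHER = re.compile(r"Ether Type:\s*(\w+)\(0x[0-9a-fA-F]+\), Src=\[([^\]]+)\], Dst=\[([^\]]+)\]")
IPHDR = re.compile(r"IP Type:\s*\w+\(0x[0-9a-fA-F]+\), Src=\[([^\]]+)\], Dst=\[([^\]]+)\]")
ARPIP = re.compile(r"Sender IP Address:\s*(\S+).*?Target IP Address:\s*(\S+)", re.S)
# Verdict line: "DROPPED, Drop Code: 13, Module Id: 46, ..." or "Consumed, Module Id:21 ..."
VERDICT = re.compile(r"(?m)^\s*(\w+),(?:\s*Drop Code:\s*(\d+),)?\s*Module Id:\s*(\d+)")

# Sample input: the two entries posted in this thread, shortened to the parsed lines.
SAMPLE = """\
Ethernet Header
Ether Type: ARP(0x806), Src=[00:23:7d:eb:17:4a], Dst=[02:17:c5:11:91:9a]
Sender IP Address: 192.168.201.103
Target IP Address: 10.112.241.1
DROPPED, Drop Code: 13, Module Id: 46, (Ref.Id: _259_jcpfngKpeqokpiCtrTgurqpug) 1:0)

Ethernet Header
 Ether Type: IP(0x800), Src=[00:25:84:b8:a6:ff], Dst=[02:17:c5:16:64:3c]
 IP Type: UDP(0x11), Src=[10.0.2.93], Dst=[10.10.0.54]
Consumed, Module Id:21 1:0)
"""

def parse_capture(text):
    """Return one dict per packet entry that has both an Ethernet line and a verdict."""
    packets = []
    for block in re.split(r"(?m)^\s*Ethernet Header\s*$", text):
        eth, verdict = ETHER.search(block), VERDICT.search(block)
        if not (eth and verdict):
            continue  # text before the first entry, or a truncated entry
        ips = IPHDR.search(block) or ARPIP.search(block)
        packets.append({
            "ether_type": eth.group(1), "src_mac": eth.group(2), "dst_mac": eth.group(3),
            "src_ip": ips.group(1) if ips else None,
            "dst_ip": ips.group(2) if ips else None,
            "verdict": verdict.group(1).upper(),
            "drop_code": int(verdict.group(2)) if verdict.group(2) else None,
            "module_id": int(verdict.group(3)),
        })
    return packets

def summarize(packets):
    """Count packets per (verdict, ether type, drop code, module id)."""
    return Counter((p["verdict"], p["ether_type"], p["drop_code"], p["module_id"])
                   for p in packets)

if __name__ == "__main__":
    for key, count in summarize(parse_capture(SAMPLE)).most_common():
        print(count, key)
```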