Solved

Can't Pass Traffic on my SonicWall NSA 240

Posted on 2010-08-20
Last Modified: 2012-05-10
Hi, I need some help configuring a SonicWall NSA 240 with Enhanced 3.x OS

I have a network that consists of a SonicWall NSA 240, three Linksys switches, some thin clients plugged into the Linksys switches and a server for the Thin Clients. I’m extending my network and placing some thin clients in other locations. I am attempting to do this by using my NSA 240 to segregate my network (exactly like I am currently doing with 2 other networks using NSA 4500’s). However, I haven’t been very successful. My current NSA 240 setup is this:

WAN = Transparent Mode – 201.50.0.10 – 255.255.0.0
Interface X3 = Thin Clients – Transparent Mode – Assigned to a Thin Client zone
Interface X8 = Server – Transparent Mode – Assigned to a Server zone
Thin Clients Address Object - range from 201.50.2.130 – 180 - Assigned to the Thin Client Interface
Server Address Object is 201.50.2.1 - Assigned to the Server Interface
Extended Thin Clients = 100 – 120 IP range coming in from WAN assigned to the WAN Interface

Firewall = Wide Open / Bi-Directional / any-any
Thin Clients setup with Static IP info

** Future setup will involve other networks passing through the WAN – 201.50.X.X and 201.50.X.X **

I’m trying to route my thin client switches into Interface X3 and out of Interface X8 and my extended clients coming in on the WAN (X1) to Interface X8 (when I route my WAN traffic out of an interface and into the thin client switches, the thin client traffic starts going into the SonicWall and dropping packets instead of going straight to the thin client server). Although I see that the traffic is getting to the NSA 240 and the ARP cache is building, the SonicWall keeps dropping “ARP” requests and “BOOTP” requests.

Any suggestion would be greatly appreciated.
Question by: mritwonderful
15 Comments
 
LVL 2

Expert Comment

by:mattolan
ID: 33486939
If you have a support contract with SonicWall for this device I would call them. I have found their support staff very helpful with such issues in the past (although sitting on hold does suck).
0
 

Author Comment

by:mritwonderful
ID: 33487233
Unfortunately I do not have a support contract.
0
 
LVL 8

Expert Comment

by:jimmyray7
ID: 33489090
Can you post your current routing entries?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33489097
Although I don't understand exactly why you have your firewall configured as completely wide open to the internet, it should be routing traffic. If it's not, then you might have a firewall rule blocking traffic. Go to Firewall > Access Rules and check the thin client zone to the other zones you want to pass the traffic to.
0
 

Author Comment

by:mritwonderful
ID: 33495269
Digitap,

I currently have it open just to see if I can get the traffic to pass; once I get this working I'll lock it down. I have no access rules blocking any traffic, and nothing shows up in the logs as being dropped and being associated to a specific rule, but if I do a Packet Capture I can see that the ARP Requests and the BOOTP traffic are getting dropped. I agree with you, it should be routing traffic.
0
 

Author Comment

by:mritwonderful
ID: 33495286
Jimmyray7,

As much as I would love to share them (I know that would probably add some more insight to the issue), I don't know if that would be possible, but I will look into it tomorrow.

Thanks
0
 
LVL 33

Expert Comment

by:digitap
ID: 33495443
Do the drop entries look something like this?

Ethernet Header
Ether Type: ARP(0x806), Src=[00:23:7d:eb:17:4a], Dst=[02:17:c5:11:91:9a]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: 00:23:7d:eb:17:4a
Sender IP Address: 192.168.201.103
Target MAC Address: 02:17:c5:11:91:9a
Target IP Address: 10.112.241.1
Value:[0]
DROPPED, Drop Code: 13, Module Id: 46, (Ref.Id: _259_jcpfngKpeqokpiCtrTgurqpug) 1:0)

0
 
LVL 33

Expert Comment

by:digitap
ID: 33495497
Here is a KB configuring transparent mode on the WAN interface.  Maybe there's something here that might lead you to a solution.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979
0
 

Author Comment

by:mritwonderful
ID: 33497685
I will check the dropped entries tomorrow to verify if they are similar.
0
 

Author Comment

by:mritwonderful
ID: 33512592
digitap,

I checked the dropped entries and they're not exactly the same. Mine are "Drop Code 13" which is something like "No ARP Bridge Link established". What I'm thinking is I'll have to set up a L2 Bridge between X3 and X8 to get the traffic to pass and set another interface, "X6", to transparent mode to pass the WAN traffic to the server. As soon as I get a chance to make the changes I will post my results.
0
 
LVL 33

Accepted Solution

by:
digitap earned 2000 total points
ID: 33512656
I believe you are on the right track.  You might also consider adding a manual ARP entry.  Check out the link below to the differences between L2 and Transparent bridging.

http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5976&p=t
0
 

Author Comment

by:mritwonderful
ID: 33516952
Yep, that's the same article I saw earlier today. When I read the "Path Determination" section, that's what made me think that I'll have to go L2. Apparently I can't use Transparent Mode and route traffic through two separate interfaces while also using the WAN interface as a main ingress/egress point. At least that's how I'm interpreting it.
0
 
LVL 33

Expert Comment

by:digitap
ID: 33517788
That's what I thought when you first indicated your configuration, but I've never tried it before... the article seems to indicate otherwise. I'm wondering, though, if a static ARP would solve your challenge?
0
 
LVL 33

Expert Comment

by:digitap
ID: 33734864
Was it a static ARP? Thanks for the points!
0
 
LVL 5

Expert Comment

by:cmaohio
ID: 37926803
I am having this same problem and my packets are being "consumed". The MAC address of the destination computer is completely different than the one listed in the packet I posted below. I don't know how to add a manual ARP. How do you do that? I have only one machine (not specific to an IP) that won't speak through the firewall to my VPN. I change the IP and it still fails.


Ethernet Header
 Ether Type: IP(0x800), Src=[00:25:84:b8:a6:ff], Dst=[02:17:c5:16:64:3c]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.0.2.93], Dst=[10.10.0.54]
UDP Packet Header
 Src=[51173], Dst=[6129], Checksum=0x8e4d, Message Length=20 bytes
Application Header
 Not Known:
Value:[0]
Consumed, Module Id:21 1:0)
0
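
Added example, not part of the thread: a small Python parser for the text packet-capture records quoted above. It groups packets by status, EtherType, drop code and module ID so that a recurring failure (such as the ARP drops discussed here) stands out. The record layout is assumed from the two samples posted in this thread, the function names are illustrative, and no meaning is assigned to the numeric codes.

```python
import re
from collections import Counter

# Constructed sample: the two capture records quoted in this thread.
SAMPLE = """\
Ethernet Header
Ether Type: ARP(0x806), Src=[00:23:7d:eb:17:4a], Dst=[02:17:c5:11:91:9a]
ARP Packet:
ARP TYPE: ARP Response
Sender MAC Address: 00:23:7d:eb:17:4a
Sender IP Address: 192.168.201.103
Target MAC Address: 02:17:c5:11:91:9a
Target IP Address: 10.112.241.1
Value:[0]
DROPPED, Drop Code: 13, Module Id: 46, (Ref.Id: _259_jcpfngKpeqokpiCtrTgurqpug) 1:0)
Ethernet Header
 Ether Type: IP(0x800), Src=[00:25:84:b8:a6:ff], Dst=[02:17:c5:16:64:3c]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.0.2.93], Dst=[10.10.0.54]
UDP Packet Header
 Src=[51173], Dst=[6129], Checksum=0x8e4d, Message Length=20 bytes
Application Header
 Not Known:
Value:[0]
Consumed, Module Id:21 1:0)
"""

ETHER = re.compile(r"Ether Type:\s*(\w+)\(0x[0-9a-fA-F]+\),\s*Src=\[([^\]]+)\],\s*Dst=\[([^\]]+)\]")
STATUS = re.compile(r"(?m)^\s*(\w+),\s*(?:Drop Code:\s*(\d+),\s*)?Module Id:\s*(\d+)")

def parse_records(text):
    """Return one dict per packet: EtherType, MACs, status, drop code, module ID."""
    records = []
    for chunk in re.split(r"(?m)^\s*Ethernet Header\s*$", text):
        eth, st = ETHER.search(chunk), STATUS.search(chunk)
        if not (eth and st):
            continue  # empty or truncated record: skip rather than guess
        records.append({
            "ether_type": eth.group(1), "src_mac": eth.group(2), "dst_mac": eth.group(3),
            "status": st.group(1).upper(),
            "drop_code": int(st.group(2)) if st.group(2) else None,  # absent on "Consumed"
            "module_id": int(st.group(3)),
        })
    return records

def summarize(records):
    """Count packets per (status, EtherType, drop code, module ID)."""
    return Counter((r["status"], r["ether_type"], r["drop_code"], r["module_id"]) for r in records)
```

Run over a full capture export, the largest counter entries show which protocol and drop code dominate, and the `src_mac` values of those records identify the hosts affected.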
