Solved

Sonicwall NSA 2400 random internet dropouts

Posted on 2011-02-25
Last Modified: 2013-11-16
Hello. We are having some trouble with our firewall.

Here goes :

We have a Sonicwall NSA 2400 updated to the latest firmware (SonicOS Enhanced 5.8.0.1-31o) providing internet connectivity to our LAN users. However, at random intervals, several times per day, we lose internet connectivity for up to a minute each time.

Here is some data we have been gathering :

The ISP doesn't seem to be at fault. We have verified this by splitting up the WAN connection two ways to the Sonicwall device and to a WRT54G router (each being assigned their own external IP addresses). While experiencing an internet dropout from behind the Sonicwall, users behind the cheap router were still able to surf the net.
Whenever there is a "dropout", it is only new connections to the internet that do not work. Open connections remain open. This has been verified with a number of services (RDP, VPN, http transfers, FTP transfers...). I have been able to keep one such file transfer (throttled) for 4 days without interruption, even while the users were getting internet dropouts.
Whenever there is a dropout, the link to the internet is not saturated. We verify this with the Real-Time monitor tool of the firewall's interface that shows about 20% bandwidth usage (incoming or outgoing, or both).
While there is a dropout, pings to the internet won't go through (either to a DNS name or to an IP address).
While there is a dropout, the ping tool from the Sonicwall's System Diagnostics page is unable to ping a target on the internet. When the internet works, we can ping our provider's gateway and the ping time is always lower than 1ms.

Any ideas on how to resolve this issue?

Thanks!
Question by:stanelie
LVL 33

Expert Comment

by:digitap
ID: 34982095
have you gone through the basics such as statically setting the speed/duplex on the wan interface?  100MB/Full, 100MB/Half, etc.  have you confirmed your MTU?  what kind of internet connection do you have?  what do the logs say?  are you licensed for the security services on the sonicwall?

MTU:

http://www.experts-exchange.com/viewArticle.jsp?articleID=3110

Author Comment

by:stanelie
ID: 34982413
I've played with the auto-negotiate - manual setting of the link speed in the past, no change.

Our internet is provided by an optical fiber converted to ethernet with a Planet FT-802S15 media converter. The link is 5 mbps.

The maximum MTU test command I can run through is "ping www.google.com -f -l 548". That would make for an MTU of 576. However, the Sonicwall interface does not permit a setting lower than 580. I did this test while connected through the Sonicwall and while connected directly to the optical fiber transceiver. Same result both times.

We have no security product licensed on our Sonicwall.

Which log are you interested in?
LVL 33

Expert Comment

by:digitap
ID: 34982501
interesting MTU results.

i'd leave the wan interface at 100mb/full.

go to the sonicwall > log.  do you see, in general, anything there that might indicate an issue?

also, have you made any custom settings on the sonicwall or is it pretty much out of the box? i'm wondering if the thing should be reset to factory defaults and configured with very little settings changes.

Author Comment

by:stanelie
ID: 34982634
In the course of trying to fix that issue, the unit has been reset to factory defaults at least 5 times, using different and older firmware versions. The issue was the same.

As for the log, I'm no expert, so, I wouldn't know what to look for. Also, it is a bit hard to see it while the problem is occurring, since the issue is intermittent. Is there any simple way to capture the log?

Author Comment

by:stanelie
ID: 35041743
Well,

I built a pfsense firewall to switch out the sonicwall device, I get the same results, I get the same dropouts with the pfsense firewall as I do with the nsa 2400.

I then switched out all the ethernet cables, no change.

I also switched out the main switch (linksys srw2048) with a spare device, no change.

What else is there?

Any ideas will be very welcome.

LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 35041752
what kind of equipment is your ISP using? what kind of internet connection do you have? the common element between the sonicwall and pfsense is NAT. i assume the hosts hanging off the cheap switch you used to split the internet in the beginning had public IP addresses and were not behind anything NAT'ing it to the internet, right?

Author Comment

by:stanelie
ID: 35041772
I do not know what the ISP is using at their end, all we have at our end is an optical cable connected to a small transceiver, out of which comes an ethernet cable. That cable is usually connected to the wan interface of the Sonicwall.

During my tests, I had the ethernet cable coming out of the transceiver connected to a switch and that switch had two other branches coming out : one to the sonicwall, the other one to the wrt54g. So, both subnets were being nat'ed, only the sonicwall and wrt54g had public IP addresses. During that test period, when the network would die for the hosts behind the sonicwall, those behind the wrt54g would still be able to surf the net. One of the differences was that there were about 50 computers behind the sonicwall, and only one behind the wrt54g.

I will do that test again on monday just to make sure I got it right the first time.

LVL 33

Expert Comment

by:digitap
ID: 35041779
no, i think you answered my question. trying to think what could be different. it would be easy to say the sonicwall has an issue, but with pfsense, it really opens it up to just about anything.

Author Comment

by:stanelie
ID: 35059624
Ok,

I just confirmed that the WAN is probably not at fault, I just had a failure for all the users behind the sonicwall while my test machine behind the wrt54g was fine.

My setup is pretty simple : workstations --> srw2048 switch --> sonicwall --> WAN
So far, I tried switching out the switch, the sonicwall and the cables. What else is there?

Could something coming from the lan users be causing some kind of "denial of service" on the sonicwall (or pfsense, as was the case when I put it in place of the sonicwall)? If so, how can I find it?
LVL 33

Expert Comment

by:digitap
ID: 35060441
when you get the time outs, go to your sonicwall. firewall > connections. if there is a DoS going on, you'll see a device with an abnormal number of connections to the internet. you can sort by source. also, if it's spamming, then you might want to consider creating a firewall rule before your exchange rule denying any smtp traffic LAN > WAN.

a DoS is certainly a good explanation of what you are seeing. check out this question that just closed. they were experiencing the same thing as you and found it was DoS.

http://rdsrc.us/sNRhqe
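
The per-source check described in the comment above, as an added example that is not part of the original thread: it counts connections per LAN source, flags hosts far above the typical count, and lists outbound SMTP from hosts other than the mail server. The CSV column layout, the LAN subnet, the mail server address and the sample rows are all constructed assumptions, not SonicWall's export format.

```python
import csv, io, ipaddress
from collections import Counter
from statistics import median

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet
MAIL_SERVER = "192.168.1.5"                   # assumed host allowed to send SMTP

def build_sample():
    """Constructed connection table; the column layout is an assumption."""
    rows = ["src_ip,dst_ip,dst_port,proto"]
    for host in range(10, 20):  # ten ordinary workstations, 8 HTTPS flows each
        rows += [f"192.168.1.{host},203.0.113.{i},443,tcp" for i in range(1, 9)]
    # one host opening 200 outbound SMTP connections
    rows += [f"192.168.1.77,198.51.100.{i},25,tcp" for i in range(1, 201)]
    rows.append("192.168.1.5,198.51.100.9,25,tcp")  # mail server, expected SMTP
    return "\n".join(rows)

def analyze(csv_text, factor=10, floor=50):
    """Count connections per LAN source; flag outliers and unexpected SMTP."""
    per_src, smtp = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src_ip"])
        if src not in LAN:
            continue  # only LAN-side initiators are of interest
        per_src[str(src)] += 1
        if row["proto"] == "tcp" and row["dst_port"] == "25" and str(src) != MAIL_SERVER:
            smtp[str(src)] += 1
    if not per_src:
        return {"total": 0, "median": 0, "heavy": {}, "smtp": {}}
    typical = median(per_src.values())
    # heavy = well above the typical host and above an absolute floor
    heavy = {s: n for s, n in per_src.items() if n >= floor and n > factor * typical}
    return {"total": sum(per_src.values()), "median": typical,
            "heavy": heavy, "smtp": dict(smtp)}

if __name__ == "__main__":
    report = analyze(build_sample())
    print("connections:", report["total"], "median per host:", report["median"])
    for src, n in sorted(report["heavy"].items(), key=lambda kv: -kv[1]):
        print("heavy source:", src, n)
    for src, n in report["smtp"].items():
        print("SMTP from non-mail host:", src, n)
```

A low total with no heavy source, as in the 419-connection reading reported later in the thread, points away from a LAN-side flood.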

Author Comment

by:stanelie
ID: 35100246
Ok,

Just had an outage again, the connection count on the sonicwall was 419, very far from the 225000 maximum.

Thoughts?
LVL 33

Expert Comment

by:digitap
ID: 35100311
hmmm. yes, i don't have 50 users behind my sonicwall and i have 320 connections. that's probably not the case.

we're having a similar issue with a client of ours on Cox cable. they have a tz210 and intermittently they lose internet. Cox said they see that the LAN connection on the cable modem is dropping as if a cable has come unplugged. restarting the cable modem and sonicwall brings everything back online.

they instructed us to reset the sonicwall to factory defaults and reapply the settings. we've done that and we're waiting for user feedback. this work was done yesterday and there is no one in the office today.
LVL 33

Expert Comment

by:digitap
ID: 35109362
update: the sonicwall appears to be online as of yesterday evening, but this was without any traffic, so we're not sure the factory reset was effective. we have a tech on-site now working with the users. i'll add an update as it comes in.
LVL 33

Expert Comment

by:digitap
ID: 35111289
another update: i had a tech on site when we lost connectivity. the tech went into the diag.html page of the sonicwall. we clicked a button called "Send System ARPs" and this cleared up the down issue straight away. with the latest firmware, we have a check box called "Periodically broadcast system ARPs every..." which was deselected by default. we checked it and the default setting was 60 min. something we noticed was the sonicwall would lose connectivity every hour, so we enabled this for 15 min. however, on the hour, we lost connectivity and sending the system ARPs again did nothing for our connectivity. either waiting for a few minutes or restarting the sonicwall resolves the issue. we believe our sonicwall is defective.

what i'd recommend to you is to go to the diag page, http://sonicwall_ip/diag.html (you have to login first to the main page), then click the button to send system arps. if this resolves your connectivity issue, then you might consider having the sonicwall periodically send them at closer intervals than one hour.

it's also possible that your sonicwall is defective, but without proper troubleshooting (and coming very near to raising the dead), sonicwall will not replace your 2400 under warranty.

hope that helps!

Author Comment

by:stanelie
ID: 35111347
Ok,

I'll be on the lookout for the next outage and I'll try clicking on that button to see if it helps. I'll keep you posted.


Author Closing Comment

by:stanelie
ID: 35241689
Did not really find the solution, but working through the possible culprits helped.

Author Comment

by:stanelie
ID: 35241706
So, it was the ISP after all.

They told us last week "we'll be cutting the service for a few hours while we work on the firewall". And they did, and after that, no more outages.

Thanks a lot for the help!
LVL 33

Expert Comment

by:digitap
ID: 35314817
sure...thanks for the points! glad you got it working!

Expert Comment

by:HappyHubby
ID: 39024934
I am having the same problem and would like to tell our ISP what changes were made.  Any idea what was done to the firewall by the ISP?

Author Comment

by:stanelie
ID: 39024945
Hello.

Sadly, the problems came back and we ended up switching to a better ISP...

Sorry I can't be more help.