mhdcommunications
asked on
Too many open connections on TZ210
I have a very strange problem. I have a 3 location network:
1- Main location w/ NSA 2400
2 - Remote1 w/ TZ210
3 - Remote 2 w/ TZ210
There is a VPN Tunnel from Remote 1 & 2 to the Main location. The TZ210 on one of the remote networks started having problems a day or so ago. Every so often, the max connections are reached. The system uptime as of now is 22 days, and this issue only started happening recently. This also happened at the Main location. It was using a TZ210, but was upgraded to the NSA 2400 about 2-3 weeks ago due to the amount of nodes on the network, and the two VPN Tunnels. I have scanned the network for virus' using Symantec Endpoint Protection 12 with the most current definitions, individually scanned each PC w/ malwarebytes, and manually checked each PC for open connections, and cannot find anything wrong on the network. Sonicwall support advised me there is nothing wrong with their device, and there has to be a computer on the network w/ a virus. I simply cannot find it. I am utilizing the UTM services on the Sonicwall, which drops the max connections to 10,000. Even if i disable it and raise the max connections to 30,000, it still gets maxed out. Anyone have any idea's what's going on? Anyone else have this problem before? Anyone have any suggestions for me for troubleshooting?
Thanks in advance.
1- Main location w/ NSA 2400
2 - Remote1 w/ TZ210
3 - Remote 2 w/ TZ210
There is a VPN Tunnel from Remote 1 & 2 to the Main location. The TZ210 on one of the remote networks started having problems a day or so ago. Every so often, the max connections are reached. The system uptime as of now is 22 days, and this issue only started happening recently. This also happened at the Main location. It was using a TZ210, but was upgraded to the NSA 2400 about 2-3 weeks ago due to the amount of nodes on the network, and the two VPN Tunnels. I have scanned the network for virus' using Symantec Endpoint Protection 12 with the most current definitions, individually scanned each PC w/ malwarebytes, and manually checked each PC for open connections, and cannot find anything wrong on the network. Sonicwall support advised me there is nothing wrong with their device, and there has to be a computer on the network w/ a virus. I simply cannot find it. I am utilizing the UTM services on the Sonicwall, which drops the max connections to 10,000. Even if i disable it and raise the max connections to 30,000, it still gets maxed out. Anyone have any idea's what's going on? Anyone else have this problem before? Anyone have any suggestions for me for troubleshooting?
Thanks in advance.
digitap
If you go to System > Diagnostics, change the tool to Connections Monitor, then sort by source IP, which IP address has the most connections established through the sonicwall? If you're seeing a trend with the 210s, then it might not be malware. I know that was my first inclination. What firmware are you at on the 210s?
ASKER
SonicOS Enhanced 5.1.0.8-17o
Every time i try to look at the connection monitor while the problem is happening, the web interface locks up for so long, that the connections drop before it finishes sorting.
I should have mentioned, it's not consistant or regular. Very sporadic, and can last anywhere from 5-10 seconds, up to 5-10 minutes, then goes back to normal.
Every time i try to look at the connection monitor while the problem is happening, the web interface locks up for so long, that the connections drop before it finishes sorting.
I should have mentioned, it's not consistant or regular. Very sporadic, and can last anywhere from 5-10 seconds, up to 5-10 minutes, then goes back to normal.
5.1 is a little outdated. The General Release is at 5.6 and the Early Release is at 5.8. My gut says bug in the firmware and you should try to upgrade.
ASKER
I also dont believe it's malware. The problem is i dont have a clue what the problem is. I can stick with its a hardware problem/limitation, but my client wants answers, and i cant tell them to buy another NSA 2400 without justification, and proof. With Sonicwall telling me it's something on the network, im stuck between a rock and a hard place. I have to figure out what is going on, why, and prove it/fix it, but im lost. When it happens again, ill attempt to check the connection monitor, but i doubt ill be able to. I am also monitoring all traffic from the LAN to the SWITCH w/ Wireshark and Windows Network Monitor. I did this at the main location prior to replacing it's TZ 210 w/ a NSA 2400, but never found anything malicious or even suspicious.
Update the firmware.
ASKER
Wont be able to update the firmware until 5pm EST. Will post back tomorrow.
Thanks.
Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Defective product