Sonicwall Pro 2040 - Problem accessing a site

Hi, currently having an issue where our network cannot access - https://box.com

We can access it by its IP (74.112.184.73) but this takes you to https://11.app.box.com rather than box.com. We can also access the old site - https://www.boxcn.net/ and it works with any wildcard, i.e. something.box.com

Not sure where to go on this really. We don't have any content filtering on the firewall & I have tried OpenDNS and also going straight out from the firewall with a laptop plugged in, but it is exactly the same.

Only thing I can think of by looking in the Sonicwall logs is that it thinks it is some sort of attack. As you are going to one address but getting a different one back. The log we get is:

'Probable TCP NULL scan dropped 74.112.184.198, 0, WAN'

Anyone experienced this before or got any ideas ?


Thank you.
mfg1Asked:
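
One way to check the question's hypothesis against an exported log, as an added example that is not part of the original post: count which sources trigger the "Probable TCP NULL scan dropped" entry and separate those that sit in the same network as the site being tested. The line format is copied from the single entry quoted above; the /24 grouping, the meaning of the second and third fields, and every sample line other than the first are assumptions or constructed data.

```python
import ipaddress
import re
from collections import Counter

# Shape taken from the one log entry quoted in the question. The second field
# ("0") and third field ("WAN") are kept as opaque values: their meaning is assumed.
LOG_RE = re.compile(
    r"Probable TCP NULL scan dropped\s+"
    r"(?P<src>[0-9.]+),\s*(?P<field2>[^,]*),\s*(?P<zone>\w+)"
)

def parse_drops(lines):
    """Return (source_ip, zone) for each NULL-scan drop entry; skip other lines."""
    drops = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue  # malformed address in the log, ignore it
        drops.append((src, m.group("zone")))
    return drops

def triage(lines, site_ips, prefix_len=24):
    """Split drop sources into those near the tested site and everything else."""
    nets = [ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in site_ips]
    related, unrelated = Counter(), Counter()
    for src, _zone in parse_drops(lines):
        bucket = related if any(src in n for n in nets) else unrelated
        bucket[str(src)] += 1
    return related, unrelated

SAMPLE_LOG = [
    "'Probable TCP NULL scan dropped 74.112.184.198, 0, WAN'",  # quoted in the post
    "Probable TCP NULL scan dropped 74.112.184.198, 0, WAN",    # constructed
    "Probable TCP NULL scan dropped 203.0.113.50, 0, WAN",      # constructed
    "Connection Opened 192.0.2.10, 443, LAN",                   # constructed, unrelated
    "Probable TCP NULL scan dropped 999.1.1.1, 0, WAN",         # constructed, malformed
]

if __name__ == "__main__":
    related, unrelated = triage(SAMPLE_LOG, ["74.112.184.73"])
    print("near tested site:", dict(related))
    print("elsewhere:", dict(unrelated))
```

Drops that cluster on the tested site's own network while users are trying to reach it are consistent with the firewall discarding return traffic from that site, which is the case worth escalating; drops from unrelated sources are ordinary background noise.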
carlmdCommented:
It is the IPS that is catching this problem.

An explanation of IPS can be found in this manual

  ftp://ftp.sonicwall.com/pub/info/ips.pdf


The following is from the nmap manual about TCP NULL scans.
-sR (RPC scan)
This method works in conjunction with the various port scan methods
of Nmap. It takes all the TCP/UDP ports found open and floods them
with SunRPC program NULL commands in an attempt to determine
whether they are RPC ports, and if so, what program and version
number they serve up. Thus you can effectively obtain the same info
as rpcinfo -p even if the target's portmapper is behind a firewall
(or protected by TCP wrappers). Decoys do not currently work with
RPC scan. This is automatically enabled as part of version scan
(-sV) if you request that. As version detection includes this and
is much more comprehensive, -sR is rarely needed.
0
mfg1Author Commented:
Hi, IPS isn't activated at all.

Is there any rule that can be created without having to add-on the IPS security?
0
carlmdCommented:
Adding IPS will not stop the problem, it is what I thought caused it.

I can freely access the https://box.com site from my office and I am behind a Sonicwall. It might have something to do with the fact that your PRO2040 is quite old, and may not do things the same as the newer devices.

Do you have the last version of SonicOS for the PRO2040?
0
mfg1Author Commented:
Yeah, we do have the latest version.

It is one of our customers with the issue. What is weird is we pulled their configuration and uploaded onto a spare one we have here, then changed the wan settings and we can access the site without any problems.

Only difference is we are on BT and they are on talktalk.
0
carlmdCommented:
If you connect a laptop directly to the ISP router at your customer location, can you access the site?
0
mfg1Author Commented:
Yeah, that works fine.
0
carlmdCommented:
If you can, my next step would be to bring the spare Sonicwall you configured with their setup to their office, plug it in and see what happens.
0
mfg1Author Commented:
Yeah that is already booked in for Thursday evening, so will see how that goes :)
0
Blue Street TechLast KnightCommented:
When you say "...pulled their configuration and uploaded onto a spare one we have here...", did you do this manually or export/import settings? If it was a settings export/import, was the firmware the same as the production unit or a lower version?

Are you running SonicOS standard or enhanced?

Are any of the following checked?

Network > DNS
    Enable DNS Rebinding Attack Prevention
    If yes, what is the action?

Firewall Settings > Advanced
    Enable IP header checksum enforcement
    Enable UDP checksum enforcement

Firewall Settings > Flood Protection
    Enforce strict TCP compliance with RFC 793 and RFC 1122
        Enable TCP handshake enforcement
    Enable TCP checksum enforcement
    Enable TCP handshake timeout
    What is the SYN Flood Protection Mode set to?

Security Services > Summary
    What is the Security Services Setting set to... Performance Optimized or Maximum Security?
0
mfg1Author Commented:
We exported then imported onto the new one. Both on the same firmware.

It is standard.

Network DNS > Can't find this setting on the 2040.

Firewall settings advanced >  Both are not enabled.

Firewall Settings Flood Protection > First two can't see these settings, bottom two are not enabled.

Security Services Summary > Can't see this setting on the 2040 within here.


Switched on all of these and tried again but no luck:

Enable IP Header checksum enforcement  
Enable TCP checksum enforcement  
Enable UDP checksum enforcement  
Enable ICMP checksum enforcement
0
Blue Street TechLast KnightCommented:
It could be a firmware bug.

I haven't seen anyone talk about rebooting the firewall. I know it's an obvious one but sometimes the obvious ones are glossed over for their very being.

Do you have an active CGSS license? If so, and if App Control or SSL Control are available disable both and retest. In fact if you haven't already disable all Security Services (if applicable) do so and retest.

When did this start occurring? If it was good previously try going into Safe Mode on the SonicWALL. To do that go to System > Settings menu (it will be under the Firmware Management section) and there you can access the SafeMode menu and boot to last known configuration or the last stored firmware version.

The Pro 2040 has passed End of Support (EOS), which was July 1, 2013...so this would be an opportune time to get the customer into an NSA 2400 firewall upgrade, which is the recommended upgrade path by SonicWALL.

Let me know how it goes.
0
mfg1Author Commented:
Yeah the router has been rebooted a few times.

Not for this client unfortunately & all security services are disabled.

Hard to tell as they have only just started using https://box.com so cannot give a time frame.

Will have to try that out of hours, so will give it a go tonight as got maintenance booked in.

Yeah, we are trying to get them to upgrade to a new device, but sometimes asking a customer to spend 2000+ isn't an easy option :)

I did notice on mysonicwall there is - Newer Software Version 3.1.6.6-p_9s released but you need an active support contract to download it, therefore they are running on 3.1.6.5-p_8s. Can't seem to find it anywhere else on the net unfortunately either.
0
Blue Street TechLast KnightCommented:
Gotcha. Well here's hoping the previous firmware version will do it.
0
carlmdCommented:
Did you swap in your spare Sonicwall, and if so did it make any difference?
0
mfg1Author Commented:
Happening tonight Carl at 6pm UK time.
0
mfg1Author Commented:
Still didn't work with our spare one that we had here. Could not access the site still.

As it was just a plug and play test due to time constraints, we are going back at the weekend where we will have more time.

Going to factory default the Sonicwall and try again. Also going to take a TZ210 and try that.

Will update on Monday with the outcome.
0
carlmdCommented:
Since you will have a little time, I suggest that after you go to factory defaults and reset the interface addresses, that you try this site before you add any other programming. Essentially with nothing but the default Sonicwall settings.

At that point I assume it will work. Then add the rest one at a time starting with the security services, until it fails.

If it does not work as above, I would try the same with the TZ210, since it will have a later version of the SonicOS.
0
mfg1Author Commented:
Okay, don't really know what to say on this one.

We had planned to try the TZ210 last night & also try the 2040 with factory settings.

BUT!!!

Strangely the site is now working... I can't give you an answer as to why, as I don't know why? It hasn't worked for the past 10 days and all of a sudden you can access it without any problems.

Had it just been myself who was working on this I would have said I am going mad, but 2 of my colleagues also tried to fix it with no joy.

Anyway a weird one, but the site is now accessible.
0
Blue Street TechLast KnightCommented:
Murphy in the house! My gosh! Well, I'm glad it's all taken care of!
0
Blue Street TechLast KnightCommented:
You can select your answer (http:#a39520374) to close this question.

Let me know if you have any questions!
0