gsmith888
asked on
strange packet loss
Experts,
I'm using software called PingPlotter, and when I ping from the LAN to facebook or cisco I'm getting intermittent packet loss, around 30-40%.
When I use the command prompt, the ping is fine, no PL.
I tried a different computer, my laptop, and got the same results. I'm using a SonicWALL NSA 3500.
Cheers!
ASKER
diverseit,
I also suspected the same, but when I plug my laptop into our Cisco PIX, it was graphing normally to cisco and facebook. I was thinking it's something on the SonicWALL?
Gotcha.
What version is the SonicOS?
And is it Standard or Enhanced?
I need to know the answers to these questions to provide troubleshooting.
Also, go to Logs > Categories and enable all Categories by clicking the top of the Log Column check box, then click OK.
Re-test and see if anything pops up when you go there.
After that we can do a Packet Capture to figure out what is happening, but this depends on your SonicOS version & if it's Enhanced.
ASKER
SonicOS enhanced 5.8.1.4-430
OK, thanks for the update.
Did you enable all Categories yet? Anything in the logs yet?
Are the MTU values the same in both the SonicWALL & PIX? If the ISP made changes you can resize your MTU by decrementing it by 8 starting at 1500 until you get 0% loss. Open CMD prompt and use 'ping -f -l 1500 www.google.com' to test. Here is a step-by-step: https://www.experts-exchange.com/A_12615.html
Are any of the following checked?
Network > DNS
Enable DNS Rebinding Attack Prevention
If yes, what is the action?
Firewall Settings > Advanced
Enable IP header checksum enforcement
Enable UDP checksum enforcement
Firewall Settings > Flood Protection
Enforce strict TCP compliance with RFC 793 and RFC 1122
Enable TCP handshake enforcement
Enable TCP checksum enforcement
Enable TCP handshake timeout
What is the SYN Flood Protection Mode set to?
Security Services > Summary
What is the Security Services Setting to...Performance Optimized or Maximum Security?
Ping is just that, ping. Pingplotter is a combination of ping and traceroute.
When you are dropping packets, is it the packets that are truly destined for cisco and facebook, or could it be some of the "traceroute" packets to routers along the path?
When you ping, L3 network devices (routers, L3 switches, firewalls) will drop packets that are destined to them or have their TTL expired. This is to cut down on the overhead of processing the packet. When a L3 device has to actually process a packet (respond to a ping, or a packet whose TTL has expired) it takes more overhead than when it just passes a packet through.
ASKER
All the settings were unchecked. Except for Enable TCP handshake timeout, handshake 30s, default tcp is 15 & max segment lifetime is 8.
I was watching the logs and noticed that
This alert was low priority, and based on the IPS policy, low alerts are just detected and nothing is done.
2013/09/20 23:19:10.592 Alert Intrusion Prevention IPS Detection Alert: ICMP Time-To-Live Exceeded in Transit, SID: 352, Priority: Low 8.8.8.8, 8, X1 192.168.118.29, 512, X0
Ok good. All settings we went over are at defaults then.
IPS: It is just detecting, so it's fine. If it were preventing, it would read as such: Alert Intrusion Prevention IPS Prevention Alert...
TTL was exceeded connecting to Google DNS (8.8.8.8).
What about your MTU value? See comment http:#a39507342
Are all Categories enabled for the Logs?
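The "IPS Detection Alert" versus "IPS Prevention Alert" wording described above can be checked across a whole exported log instead of one row at a time. This is an added example, not part of the original thread or SonicWALL tooling; the row layout is assumed from the single log line quoted above, and every sample row except the first is constructed.

```python
import re
from collections import Counter

# Layout assumed from the flattened row quoted in the thread:
# time, level, category, message, then source and destination as "ip, n, iface".
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>\w+) Intrusion Prevention "
    r"IPS (?P<action>Detection|Prevention) Alert: (?P<sig>.+?), "
    r"SID: (?P<sid>\d+), Priority: (?P<prio>\w+) "
    r"(?P<src>[\d.]+), \d+, (?P<src_if>\w+) "
    r"(?P<dst>[\d.]+), \d+, (?P<dst_if>\w+)$"
)

def parse_ips_line(line):
    """Return the fields of one IPS row, or None if it is not an IPS row."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, lan_host):
    """Count IPS alerts addressed to lan_host, split by Detection/Prevention."""
    counts, unparsed = Counter(), 0
    for line in lines:
        rec = parse_ips_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["dst"] == lan_host:
            counts[(rec["action"], rec["sig"], rec["sid"])] += 1
    # Only "Prevention" rows mean the firewall acted on the packet.
    blocked = sum(n for (action, _, _), n in counts.items() if action == "Prevention")
    return {"counts": dict(counts), "blocked": blocked, "unparsed": unparsed}

SAMPLE = [
    # Row quoted in the thread.
    "2013/09/20 23:19:10.592 Alert Intrusion Prevention IPS Detection Alert: ICMP Time-To-Live Exceeded in Transit, SID: 352, Priority: Low 8.8.8.8, 8, X1 192.168.118.29, 512, X0",
    # Constructed rows: a second detection, a prevention, and a non-IPS line.
    "2013/09/20 23:19:11.104 Alert Intrusion Prevention IPS Detection Alert: ICMP Time-To-Live Exceeded in Transit, SID: 352, Priority: Low 192.0.2.1, 8, X1 192.168.118.29, 512, X0",
    "2013/09/20 23:19:12.310 Alert Intrusion Prevention IPS Prevention Alert: ICMP Time-To-Live Exceeded in Transit, SID: 352, Priority: Low 198.51.100.7, 8, X1 192.168.118.29, 512, X0",
    "2013/09/20 23:19:13.000 (constructed row from another log category)",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "192.168.118.29"))
```

A non-zero `blocked` count for the test machine would mean the IPS is acting on the replies PingPlotter depends on, not merely logging them.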
ASKER
I'm trying to back up the sonicwall before doing anything. I saw a button "create backup" and "export settings" - would you know the difference?
Yes, Create Backup - creates a backup of the SonicWALL image along with your current configuration preferences and stores it internally within the OS.
Export Settings takes your current configuration preferences (settings) and exports them externally so you can import them later if there are problems and you wish to restore.
I prefer the Export Settings because it is external, and if things go really south, like you have to perform a factory reset, you can do so and then import the settings backup and configure nothing!
Here is the proper way to back up the settings: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5645
ASKER
Logs were all turned on/checked. Nothing is being returned for the source and destination. Would it be a good idea to turn off the IPS and then test and see how that goes?
I'm glad I could help...thanks for the points!
So PingPlotter is the only issue...meaning the results from it are incongruent with the results from all other computers using command prompt? All the computers (LAN/WLAN) are all showing no loss? And this is only occurring with 2 sites (facebook.com & cisco.com)? Am I understanding you correctly?
What version of PingPlotter are you using? There have been some bugs in later versions...I'm wondering if they've resurfaced in related forms. Here was an older bug: Are you experiencing performance degradation when browsing these sites?