Solved

Sonicwall TZ100 alert

Posted on 2014-02-24
  • Hardware Firewalls
  • Routers
  • Networking
  • Software Firewalls
  • Wireless Hardware
Last Modified: 2014-03-28
Hi,

I keep on getting this message but no idea where it comes from. My DHCP range is ok, no problems with that at all.

Time      ID      Category      Priority      Source      Destination      IP Protocol      Notes      Message
02/24/2014 15:16:00      1311      Network      Alert      68, X0      67                  DHCP Server: Resources of this pool ran out. Client Info: cid type : cid value : subnet are 1:0x24ab8164d52f:192.168.1.0

Please advise.
J.
Question by:janhoedt
22 Comments
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39882901
What is the subnet for your DHCP range? What is the DHCP lease time? This error sounds like it exhausted the total number of available IP addresses to give out. Please verify that the number of active clients does not exceed the number allowed via DHCP.
 

Author Comment

by:janhoedt
ID: 39883391
Only 16 IPs are handed out in 192.168 range. Where can I limit the allowed IPs? Didn't set that option.
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39883404
First you have to set the subnet mask properly. Based on the IP address you have on the network go to http://www.subnet-calculator.com/ and figure out the subnet mask you should go with to give enough IP addresses out. If subnet is ending in .240 then it will only give out 14 usable IP's one of which will go to your Sonicwall.

Once you have the correct scheme in place then go under Network - DHCP Server and make sure the settings are correct. You can increase or decrease the number of IP's given out on this page.
 

Author Comment

by:janhoedt
ID: 39885407
My DHCP settings are correct: scope is 192.168.1.234-240. Though static assignments are on 192.168.1.0 to 233.
 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39885740
If your DHCP scope is 1.234 to 1.240, that is only 6 IP addresses you are giving to clients, meaning at any given time only 6 devices can be connected to your DHCP range. Is this what you want?

Apparently based on the error you are getting and the scope you have more devices asking for DHCP leases than you are giving out.
 

Author Comment

by:janhoedt
ID: 39886634
I want only 4 DHCP ip's to be used dynamically, the rest statically. Therefore I assign 192.168.1.234 to 240 dynamic ip pool, the rest static. That's my goal.
Nowhere I can see to limit the number of ip addresses.
 
LVL 20

Expert Comment

by:masnrock
ID: 39902443
You're only allowing 6 addresses to be given out dynamically, but how many devices are attempting to get addresses that way? That's what you need to review. If the answer to that is more than 6, there's your problem.

When you say static, do you mean as in specific machines being assigned the same address every time they connect OR do you mean the machines having static IP addresses and therefore not using DHCP at all?
 

Author Comment

by:janhoedt
ID: 39904086
I want only 4 DHCP IPs to be used dynamically, the rest statically. Statically via dhcp. F.e. iPhone, iPad get IP via dhcp but static/predefined IP. Underneath .234 (so 192.168.1.0 to 234) no dynamic IPs should be distributed. If I distribute 234 to 240 via dhcp and I assign IPs f.e. 192.168.1.77 to my iPhone, why the dhcp resource runs out? I have never defined or restricted only 6 IPs via dhcp. I have defined 234 to 240 and some other static leases.
 

Author Comment

by:janhoedt
ID: 39904089
6 dhcp dynamically I meant.
 

Author Comment

by:janhoedt
ID: 39904095
I don't see how 234 to 240 would restrict me 6 IP leases. Yes, 6 dynamic IPs, but they are in no way related to the static leases I distribute.

 
LVL 8

Expert Comment

by:Mandeep Khalsa
ID: 39904149
I don't understand the logic behind why you are doing things the way you are. The purpose of DHCP is to assign IP addresses so you don't have to keep track of who has which one. As people and their devices come and go, the IP's are automatically reassigned.

In an environment where servers and other important items like those are listed you either want to give those devices preference by assigning static IP's or create reservations.

In your case you are assuming that only 6 devices (maximum) on your network will be requesting DHCP at any given time.

Once those 6 devices connect, the next ones to try will not get an IP address. Also if your lease time is say 8 hours, those IP's that were previously assigned will not get reassigned until that time period has expired.

I have never seen an environment where DHCP is so restrictive but then again I am not in your shoes. So whatever your logic is behind it, the bottom line is 6 IP's will run out pretty fast and you will continue to get those messages.
 

Author Comment

by:janhoedt
ID: 39904222
It's my lab environment. There are no dhcp's unless visitors. 234 to 240 has full internet access, that was the idea.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39931441

"I don't see how 234 to 240 would restrict me 6 IP leases. Yes, 6 dynamic IPs, but they are in no way related to the static leases I distribute."

this is probably true on the sonicwall but many dhcp servers will not differentiate between static and dynamic range : you would define a range and setup static ips in that range which is the reason for the misunderstanding

---

now back to your problem : how long is your lease time ?
if the lease time is a week and you had 6 visitors on monday morning with a mobile phone or whatever device in their pockets, you blocked the 6 addresses for a week even if each of them only stayed for 10 seconds and they did not come at the same time.

it is possible that operations still run fine because the sonicwall might decide to reuse the addresses after a certain inactivity period regardless of the lease time. in that case you'd end up with something that works although it is misconfigured, and with the above error messages

---

like @khalsa, i hardly understand the goal of such a restriction but if you actually want this, you need to setup the lease time to a VERY short period (1-5 mn tops)


---------

@kalsa

"The purpose of DHCP is to assign IP addresses so you don't have to keep track of who has which one."

not quite. the main goals of dhcp are to centralise ip management and to allow for dynamic configuration of devices that are not always on the same network.

this does not mean that you would not want for example to apply specific ACLs or NAT rules to specific devices on the network segment you manage. the simplest way to do so is by assigning fixed addresses to them
 

Author Comment

by:janhoedt
ID: 39931465
Thanks. It's a home lab. There are no extra visitors besides my iPhone, iPad. I assign predefined ip addresses to them via dhcp. My home lab servers are on fix ip/no dhcp. All devices have strict/limited Internet access. iPad/iPhone have http/https only, other devices predefined (like smtp). Dhcp addresses are only for VMs I create like appliances which need an initial ip to configure. I don't want them to have Internet access, so I set the dhcp scope 192.168.1.x to X as object in Sonicwall and grant no access. What's so not understandable about that? I don't get that. Sonicwall (yes, others like windows are different) lets you create a dynamic scope and a static scope only. I only want the dynamic scope to assign addresses which cannot access Internet, so there's my dynamic scope. Other IPs are predefined so static dhcp.
 
LVL 20

Expert Comment

by:masnrock
ID: 39931518
Something is either misconfigured or there is missing info. Flush out the dhcp leases, and connect all of the machines that are not supposed to use dhcp. Do not connect anything else to the network. Check at that  point if your dhcp range is getting taken up.

How exactly did you set up your static assignments? It sounds like you might have done that wrong. Please provide a screenshot.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39931584
"Dhcp addresses are only for VMs I create like appliances which need an initial ip to configure. I don't want them to have Internet access, so I set the dhcp scope 192.168.1.x to X as object in Sonicwall and grant no access. What's so not understandable about that? I don't get that."

nothing. what i don't understand is the point of creating such a tiny range (i'd assume you have ips to spare)

what i said above about visitors and lease durations is also true if you call them vms.

i'm assuming you are on a trusted wired network with no accidental external access

you are the one who used the term visitors "There are no dhcp's unless visitors. 234 to 240 has full internet access, that was the idea."
i'd assume you meant "no internet access"

would you mind answering the question we asked regarding the lease duration ?


"Sonicwall (yes, others like windows are different) lets you create a dynamic scope and a static scope only. I only want the dynamic scope to assign addresses which cannot access Internet, so there's my dynamic scope. Other IPs are predefined so static dhcp."

no problem with that, i was just clarifying the misunderstanding you had with @masnrock.

for the record, i was not referring to windows ( and i'm most definitely NOT a windows user ) but rather to a whole bunch of dhcp servers including ISC's dhcpd. actually that mode of operation is pretty much the one suggested by the RFC

in isc you would usually create an acl that denies access to everybody and assign it to a range. as far as i know/guess sonicwall actually runs dhcpd on a hacked freebsd and does exactly that.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39931591
note that when you virtualise, some virtualisation software will use random mac addresses so each time you boot the machine, you eat up an address for the defined lease duration time
 
LVL 20

Expert Comment

by:masnrock
ID: 39931787
skullnobrains did raise a good point with respect to VMs and how they handle MAC addresses.

BTW - When I referred to DHCP in my last comment, I was referring to the dynamic assignments. I noticed you never mentioned whether the static addresses were indeed getting assigned correctly.
 

Author Comment

by:janhoedt
ID: 39945480
Static is ok, dynamic is ok. There is no issue, only the errors I get from Sonicwall. Don't see where they are coming from.
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39946262
to at your leases table and please answer : what is the lease duration time you configured for the dynamic pool ?
 
LVL 26

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 39946298
also, even if you don't get what the problem is : make that pool bigger and the message will disappear. it may even be possible that sonicwall complains about addresses when it has less than maybe 10 addresses.
0
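
The two effects raised in the comments above (lease duration, and VMs that present a new MAC address on every boot) can be replayed against the 192.168.1.234 to 240 pool, and the alert itself names the client that was refused. This is an added example, not part of the original thread: it assumes `cid type` 1 in the alert means an Ethernet MAC address, and the boot times and MAC addresses are constructed.

```python
import ipaddress
import re

# Alert text as posted in the question.
SAMPLE_ALERT = ("DHCP Server: Resources of this pool ran out. Client Info: "
                "cid type : cid value : subnet are 1:0x24ab8164d52f:192.168.1.0")
ALERT_RE = re.compile(r"subnet are (\d+):0x([0-9a-fA-F]+):(\S+)")

# Constructed input: 8 VM boots, 10 minutes apart, each with a fresh MAC.
VM_BOOTS = [(i * 600, f"02:00:00:00:00:{i:02x}") for i in range(8)]


def parse_alert(message):
    """Return (cid_type, client_id, subnet) for the client that was refused."""
    m = ALERT_RE.search(message)
    if m is None:
        return None
    cid_type, value, subnet = int(m.group(1)), m.group(2).lower(), m.group(3)
    # Assumption: cid type 1 = Ethernet, so a 12-digit value is a MAC address.
    if cid_type == 1 and len(value) == 12:
        value = ":".join(value[i:i + 2] for i in range(0, 12, 2))
    return cid_type, value, subnet


def simulate(first_ip, last_ip, lease_seconds, requests):
    """Replay (time, client_id) requests; return those refused for lack of
    a free address in the dynamic pool."""
    lo = int(ipaddress.IPv4Address(first_ip))
    hi = int(ipaddress.IPv4Address(last_ip))
    free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
    leases = {}   # client_id -> (ip, expiry time)
    refused = []
    for now, cid in sorted(requests):
        for holder, (ip, expiry) in list(leases.items()):
            if expiry <= now:          # lease ran out: address is reusable
                free.append(ip)
                del leases[holder]
        if cid in leases:              # known client renews its lease
            leases[cid] = (leases[cid][0], now + lease_seconds)
        elif free:
            leases[cid] = (free.pop(0), now + lease_seconds)
        else:                          # the condition the alert reports
            refused.append((now, cid))
    return refused


if __name__ == "__main__":
    print(parse_alert(SAMPLE_ALERT))
    print(simulate("192.168.1.234", "192.168.1.240", 8 * 3600, VM_BOOTS))
    print(simulate("192.168.1.234", "192.168.1.240", 300, VM_BOOTS))
```

With an 8-hour lease the eighth boot is refused even though only one VM is ever running at a time; with a 5-minute lease none are. The client ID parsed from the alert can then be matched against the firewall's lease table to see which device made the refused request.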
