Solved

SonicWall dropped packet from only 1 host

Posted on 2015-01-17
5
1,110 Views
Last Modified: 2016-11-23
While trying to configure an IP timeclock at a remote location, to which we have a VPN between two SonicWalls. Local is an NSA200 and remote is a z105.

Everything is and has been working until I noticed that the server which holds our new payroll system cannot get to the remote LAN. After numerous tests, I had to look at the packets and found this:

DROPPED, Drop Code: 191(SA not found on lookup by SPI for outbound pkt), Module Id: 20(ipSec),

I've opened a support case with Dell, but the 4-6 hours in which I was supposed to hear back ended about 24 hours ago. Before I call on Monday I thought I would set it up here to make sure someone hasn't seen it before.

I've found this error in the knowledgebase, but it didn't really offer a solution, only verified that this is in fact an error.

Perhaps if I knew for sure what the acronyms meant I could know where to look. SPI would be stateful packet inspection, I assume, and SA is...? Source Address?

Anyway, looking for any tips.
0
Question by:jmiller2781
5 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 40556396
The error means that the server falls outside the VPN route rule.

Double check the IP of this node, and then look at the rule,

i.e. your VPN rule is to allow IPs x-y to the remote LAN, but this server has an IP outside that range, Z.

The direction of the packet and the end on which it occurred:

server A rejected by local
server A passed through local, rejected on the incoming side of the remote
server passed through local, passed through remote, the response is rejected by remote
server passed through local, passed through remote, the response entered the remote, response rejected on the incoming local.

SA is security association, dealing with VPN tunnel packet handling.
0
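The answer above boils down to two checks: read the drop reason off the packet-monitor line, and test the packet's source and destination against the VPN policy's traffic selectors (the "IPs x-y to the remote LAN" rule). The script below is an added example, not from the original thread or from SonicWall; the regex is written against the one drop line quoted in the question, and the policy networks, the 192.168.120.0/24 remote, and the pairing of 10.10.10.250 with the second NIC are constructed for the demo.

```python
import ipaddress
import re
from dataclasses import dataclass

# Matches the drop reason as it appears in the question's packet capture, e.g.
# "DROPPED, Drop Code: 191(SA not found on lookup by SPI for outbound pkt), Module Id: 20(ipSec),"
DROP_RE = re.compile(
    r"Drop Code:\s*(?P<code>\d+)\((?P<reason>[^)]*)\).*?"
    r"Module Id:\s*(?P<module_id>\d+)\((?P<module>[^)]*)\)"
)


@dataclass(frozen=True)
class VpnPolicy:
    """Site-to-site policy: local networks allowed into the tunnel, remote networks reached through it."""
    name: str
    local_nets: tuple
    remote_nets: tuple


def parse_drop_reason(line):
    """Extract drop code, reason text, module id and module name from a packet-monitor line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    return {
        "drop_code": int(m["code"]),
        "reason": m["reason"].strip(),
        "module_id": int(m["module_id"]),
        "module": m["module"].strip(),
    }


def check_selectors(policy, src, dst):
    """Report whether src->dst is covered by the policy selectors and, if not, which side fails."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    src_ok = any(src_ip in net for net in policy.local_nets)
    dst_ok = any(dst_ip in net for net in policy.remote_nets)
    if src_ok and dst_ok:
        return "inside policy"
    if not src_ok and not dst_ok:
        return "source and destination outside policy"
    if not src_ok:
        return "source outside local selector"
    return "destination outside remote selector"


def triage(policy, records):
    """Run both checks over (packet-monitor line, src, dst) records; keep only IPsec-module drops."""
    findings = []
    for line, src, dst in records:
        reason = parse_drop_reason(line)
        if reason is None or reason["module"].lower() != "ipsec":
            continue  # drops from other modules are not a tunnel-policy question
        findings.append((src, dst, reason["drop_code"], check_selectors(policy, src, dst)))
    return findings


# Constructed sample data. The local /24 follows the 192.168.110.99 source quoted in the thread;
# the remote /24 and the 10.10.10.250 second-NIC pairing are assumptions for this demo.
POLICY = VpnPolicy(
    name="HQ-to-Branch",
    local_nets=(ipaddress.ip_network("192.168.110.0/24"),),
    remote_nets=(ipaddress.ip_network("192.168.120.0/24"),),
)
DROP_LINE = "DROPPED, Drop Code: 191(SA not found on lookup by SPI for outbound pkt), Module Id: 20(ipSec),"
RECORDS = [
    (DROP_LINE, "192.168.110.99", "192.168.120.10"),  # inside both selectors: look at the host/NIC, not the rule
    (DROP_LINE, "10.10.10.250", "192.168.120.10"),    # second-NIC address: outside the local selector
    # Constructed non-IPsec line (placeholder code/module, not a real SonicWall value) that triage() skips
    ("DROPPED, Drop Code: 0(constructed example), Module Id: 0(constructed),", "192.168.110.5", "192.168.120.10"),
]

if __name__ == "__main__":
    for src, dst, code, verdict in triage(POLICY, RECORDS):
        print(f"{src} -> {dst}: drop code {code}: {verdict}")
```

When a packet sits inside both selectors and is still dropped, the rule is not the problem; that is the point at which the poster's dual-NIC finding becomes the next thing to check.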
 
LVL 57

Expert Comment

by:giltjr
ID: 40556615
arnold is correct.

Somewhere that host, or the host it is trying to connect to, says it must go through the VPN tunnel you have created. One end of the VPN tunnel is not configured to allow one of the two hosts through the tunnel.

My guess is that one of the two hosts is not in the same subnet as all the other hosts that are using that tunnel.
0
 

Author Closing Comment

by:jmiller2781
ID: 40556865
I double checked; the tunnel was for the entire subnet, and I even thought to assign a static address one above and one below the IP in question to test. Everything tested OK.

The comments and my test led me to believe that there isn't an issue with the VPN or the firewall, rather perhaps the NIC or config on the server. There is a second NIC in the server used for some legacy PCs to file share on a different LAN. Even though the sniffer shows the correct LAN address source 192.168.110.99, it must have been trying to use the 10.10.10.250 that I had set up for this net.

I disabled the second NIC and everything is working as expected. So I guess the issue is setting NIC 1 as primary, or just moving the file share to another box, which shouldn't be too hard to do. Thanks for helping me work through things.
0
 
LVL 62

Expert Comment

by:btan
ID: 40557005
There is a VPN tunnel exchange that failed from local to remote.

In fact, for such a drop code message, I tend to see it mostly due to a failure in SA (security association) exchanges between the local and remote ends, caused by changes to the FW blocking new IP address access, and also by any recent upgrade or refresh done on the two ends, or routing changes; it will need to be verified that the VPN is alright for other hosts using the existing remote services. The zone for the routing needs to be applied with the VPN policy too (esp. your remote site).

There is one instance where traffic bound for a remote behind a SonicWALL TZ 190W is dropped at the NSA appliance: https://support.software.dell.com/kb/sw5849

Just a side note on the below, pertaining to the terms used in the error msg:
> SA is Security Association, which depicts the rules that the end-to-end tunnel is going to be set up in accordance with.
> SPI is Security Parameter Index, which is an ID added to the header used in IPsec tunnel traffic. Kind of an "ID" for a different set of SAs when each end talks to the other.
0
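To make the SA/SPI definitions in the comment above concrete, here is an added example (not from the thread, not SonicWall code) that models the two lookups the drop message names: inbound, the 32-bit SPI at the front of every ESP packet (RFC 4303) selects the SA; outbound, the policy's traffic selectors name the SPI whose SA must exist. Peer address, SPI values, cipher names and the two /24 networks are constructed for the demo; a missing SA, as happens after a rekey or teardown on one side, produces the "SA not found on lookup by SPI" outcome.

```python
import ipaddress
import struct
from dataclasses import dataclass

# ESP (RFC 4303) begins with a 32-bit SPI followed by a 32-bit sequence number, both big-endian.
ESP_HEADER = struct.Struct("!II")


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int          # identifier both ends agreed on during the IKE exchange
    direction: str    # "in" or "out": SAs are unidirectional, a tunnel needs one of each
    peer: str         # remote tunnel endpoint
    cipher: str       # negotiated algorithm, informational only here


class SecurityAssociationDatabase:
    """The SAD: SAs indexed by (direction, SPI). This is the lookup the drop message refers to."""

    def __init__(self):
        self._entries = {}

    def add(self, sa):
        self._entries[(sa.direction, sa.spi)] = sa

    def remove(self, direction, spi):
        self._entries.pop((direction, spi), None)

    def lookup(self, direction, spi):
        return self._entries.get((direction, spi))


def parse_esp_header(packet):
    """Return (spi, sequence) from the start of an ESP payload; reject truncated input."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("ESP header truncated")
    return ESP_HEADER.unpack_from(packet)


def inbound_decision(sad, packet):
    """Inbound: the SPI on the wire selects the SA. An unknown SPI cannot be decrypted, so it is dropped."""
    spi, seq = parse_esp_header(packet)
    sa = sad.lookup("in", spi)
    if sa is None:
        return ("DROP", f"SA not found on lookup by SPI 0x{spi:08x} for inbound pkt")
    return ("DECRYPT", f"spi=0x{spi:08x} seq={seq} peer={sa.peer} {sa.cipher}")


def outbound_decision(sad, spd, src, dst):
    """Outbound: the SPD (traffic selectors) names an SPI; the SAD must still hold that SA."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local_net, remote_net, spi in spd:
        if src_ip in local_net and dst_ip in remote_net:
            sa = sad.lookup("out", spi)
            if sa is None:
                return ("DROP", f"SA not found on lookup by SPI 0x{spi:08x} for outbound pkt")
            return ("ENCAPSULATE", f"spi=0x{spi:08x} peer={sa.peer} {sa.cipher}")
    return ("NO_POLICY", "no VPN selector matches; left to ordinary routing and firewall rules")


# Constructed demo state: one tunnel, made-up SPIs, peer, cipher and networks.
SAD = SecurityAssociationDatabase()
SAD.add(SecurityAssociation(0xC0FFEE01, "out", "203.0.113.10", "AES-256-CBC/HMAC-SHA256"))
SAD.add(SecurityAssociation(0xC0FFEE02, "in", "203.0.113.10", "AES-256-CBC/HMAC-SHA256"))
SPD = [(ipaddress.ip_network("192.168.110.0/24"), ipaddress.ip_network("192.168.120.0/24"), 0xC0FFEE01)]
GOOD_ESP = ESP_HEADER.pack(0xC0FFEE02, 7) + b"\x00" * 16   # zero bytes stand in for ciphertext
STALE_ESP = ESP_HEADER.pack(0xDEADBEEF, 7) + b"\x00" * 16  # SPI from a tunnel that no longer exists


def demo():
    """Walk the cases, then simulate the peer rekeying/tearing down so the outbound SA vanishes."""
    results = {
        "inbound_ok": inbound_decision(SAD, GOOD_ESP)[0],
        "inbound_stale": inbound_decision(SAD, STALE_ESP)[0],
        "outbound_ok": outbound_decision(SAD, SPD, "192.168.110.99", "192.168.120.10")[0],
        "outbound_no_policy": outbound_decision(SAD, SPD, "10.10.10.250", "192.168.120.10")[0],
    }
    SAD.remove("out", 0xC0FFEE01)
    results["outbound_after_rekey"] = outbound_decision(SAD, SPD, "192.168.110.99", "192.168.120.10")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The practical reading for a defender: an SPI mismatch is a state problem between the two ends (rekey, reboot, policy edit on one side), while a selector miss is a configuration problem on the end that dropped the packet, so checking which of the two you have tells you which device to look at first.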
 
LVL 62

Expert Comment

by:btan
ID: 40557006
Seems like it is the terminal end not routing to the VPN zone then...
0
