Solved

SonicWALL dropped packet from only 1 host

Posted on 2015-01-17
1,026 Views
Last Modified: 2016-11-23
I was trying to configure an IP timeclock at a remote location to which we have a VPN between 2 SonicWALLs. Local is an NSA200 and remote is a z105.

Everything is and has been working until I noticed that the server which holds our new payroll system cannot get to the remote LAN. After numerous tests, I had to look at the packets and found this:

DROPPED, Drop Code: 191(SA not found on lookup by SPI for outbound pkt), Module Id: 20(ipSec),

I've opened a support case with Dell, but the 4-6 hours in which I was supposed to hear back ended about 24 hours ago. Before I call on Monday I thought I would post it here to make sure someone hasn't seen it before.

I found this error in the knowledgebase, but it didn't really offer a solution, only verified that this is in fact an error.

Perhaps if I knew for sure what the acronyms meant I could know where to look. SPI would be stateful packet inspection, I assume, and SA is? Source Address?

Anyway, looking for any tips.
Question by: jmiller2781
5 Comments
 
LVL 76

Accepted Solution

by: arnold (earned 500 total points)
ID: 40556396
The error means that the server falls outside the VPN route rule.

Double check the IP of this node, and then look at the rule,

i.e. your VPN rule is to allow IPs x-y to the remote LAN, but this server has an IP outside that range, Z.

The direction of the packet and the end on which it occurred:

server A rejected by local
server A passed through local, rejected on the incoming side of the remote
server passed through local, passed through remote, the response is rejected by remote
server passed through local, passed through remote, the response entered the remote, response rejected on the incoming local.

SA is security association, dealing with VPN tunnel packet handling.
LVL 57

Expert Comment

by: giltjr
ID: 40556615
arnold is correct.

Somewhere, that host, or the host it is trying to connect to, says it must go through the VPN tunnel you have created. One end of the VPN tunnel is not configured to allow one of the two hosts through the tunnel.

My guess is that one of the two hosts is not in the same subnet as all the other hosts that are using that tunnel.

Author Closing Comment

by: jmiller2781
ID: 40556865
I double checked, the tunnel was for the entire subnet, and I even thought to assign a static address one above and one below the IP in question to test. Everything tested OK.

The comments and my test lead me to believe that there isn't an issue with the VPN or the firewall, rather perhaps the NIC or config on the server. There is a second NIC in the server used for some legacy PCs to file share on a different LAN. Even though the sniffer shows the correct LAN source address 192.168.110.99, it must have been trying to use the 10.10.10.250 that I had set up for this net.

I disabled the second NIC and everything is working as expected. So I guess the fix is setting NIC 1 as primary. Or just move the file share to another box, which shouldn't be too hard to do. Thanks for helping me work through things.
LVL 61

Expert Comment

by: btan
ID: 40557005
There is a VPN tunnel exchange that failed from local to remote.

In fact, for such a drop code message, I tend to see it mostly due to failure in SA (security association) exchanges between the local and remote end, caused by changes to the FW blocking new IP addresses, and also any recent upgrade or refresh done on the two ends, or routing changes. It will need to be verified that the VPN is alright for other hosts using the existing remote services. The zone for the routing needs to be applied with the VPN policy too (esp. your remote site).

There is one instance of traffic bound for a remote site behind a SonicWALL TZ 190W being dropped at the NSA appliance: https://support.software.dell.com/kb/sw5849

Just a side note on the terms used in the error msg:
> SA is Security Association, which depicts the rules that the end-to-end tunnel is going to be set up in accordance with
> SPI is Security Parameter Index, an ID added to the header used in IPsec tunnel traffic. Kind of an "ID" for the different sets of SAs when each end talks to the other
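Added example (written for this page, not code from any participant or from SonicWALL): a small Python model of the two lookups an IPsec gateway performs for an outbound packet, the policy selector lookup that yields an outbound SPI, and the SA lookup by that SPI. It shows how both arnold's explanation (a source address outside the tunnel's selector, which is what a second NIC sourcing traffic from 10.10.10.250 would produce) and btan's (an SA that is no longer installed after a failed or missing IKE exchange) end in the same "SA not found on lookup by SPI for outbound pkt" drop. The selector 192.168.110.0/24, the host 192.168.110.99 and the second NIC's 10.10.10.250 are from the thread; the remote subnet 172.16.5.0/24, the peer address 203.0.113.7, the SPI value and the route metrics are constructed assumptions.

```python
"""Toy model of outbound IPsec processing: SPD (selectors -> SPI), then SAD (SPI -> SA).

Constructed example, not SonicWALL code. Addresses marked "assumed" are not
from the thread; everything else mirrors the thread's setup.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    local_net: IPv4Network   # local traffic the tunnel policy covers
    remote_net: IPv4Network  # remote networks reachable through the tunnel
    out_spi: int             # outbound SPI negotiated by IKE for this pair


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    src: IPv4Address         # address the host puts in the IP header for this route
    metric: int


def pick_source(routes: list[Route], dst: str) -> IPv4Address:
    """Longest-prefix match with metric as tie-break: how a multi-homed host
    decides which NIC's address becomes the packet's source."""
    d = ip_address(dst)
    candidates = [r for r in routes if d in r.prefix]
    if not candidates:
        raise ValueError(f"no route to {dst}")
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return best.src


class OutboundIPsec:
    def __init__(self) -> None:
        self.spd: list[Selector] = []
        self.sad: dict[int, str] = {}   # SPI -> peer gateway (an installed SA)

    def add_selector(self, local: str, remote: str, out_spi: int) -> None:
        self.spd.append(Selector(ip_network(local), ip_network(remote), out_spi))

    def install_sa(self, spi: int, peer: str) -> None:
        self.sad[spi] = peer

    def delete_sa(self, spi: int) -> None:
        # models an SA that expired or was cleared by the peer before re-keying
        self.sad.pop(spi, None)

    def handle(self, src: str, dst: str) -> str:
        """Packet already steered to the VPN; find its SPI, then its SA."""
        s, d = ip_address(src), ip_address(dst)
        spi: Optional[int] = None
        for sel in self.spd:                      # SPD lookup
            if s in sel.local_net and d in sel.remote_net:
                spi = sel.out_spi
                break
        if spi is None:
            return (f"DROPPED: SA not found on lookup by SPI for outbound pkt "
                    f"({src} -> {dst} matches no selector)")
        peer = self.sad.get(spi)                   # SAD lookup
        if peer is None:
            return (f"DROPPED: SA not found on lookup by SPI for outbound pkt "
                    f"(spi=0x{spi:08x} has no installed SA)")
        return f"ESP spi=0x{spi:08x} -> {peer}"


def thread_scenario() -> dict[str, str]:
    """The three situations discussed in the thread, run through the model."""
    fw = OutboundIPsec()
    fw.add_selector("192.168.110.0/24", "172.16.5.0/24", out_spi=0x0A1B2C3D)  # remote net assumed
    fw.install_sa(0x0A1B2C3D, "203.0.113.7")                                   # peer WAN IP assumed

    # single-NIC host: only a default route via the payroll LAN
    single = [Route(ip_network("0.0.0.0/0"), ip_address("192.168.110.99"), 10)]
    # two-NIC host: the second NIC's default route has the better (lower) metric,
    # so traffic to the remote LAN is sourced from 10.10.10.250 (metrics assumed)
    dual = single + [
        Route(ip_network("0.0.0.0/0"), ip_address("10.10.10.250"), 5),
        Route(ip_network("10.10.10.0/24"), ip_address("10.10.10.250"), 0),
    ]
    remote_clock = "172.16.5.20"   # assumed address of the IP timeclock
    results = {
        "single_nic": fw.handle(str(pick_source(single, remote_clock)), remote_clock),
        "dual_nic": fw.handle(str(pick_source(dual, remote_clock)), remote_clock),
    }
    fw.delete_sa(0x0A1B2C3D)        # peer cleared the tunnel; IKE has not re-keyed yet
    results["sa_expired"] = fw.handle("192.168.110.99", remote_clock)
    return results


if __name__ == "__main__":
    for case, outcome in thread_scenario().items():
        print(f"{case:11} {outcome}")
```

The practical check this suggests is the one the question's author ended up doing: compare the source address the host actually chooses for the remote destination (the routing table's longest match, not the NIC you expect) against the tunnel's local selector, before assuming the SA itself is broken.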
LVL 61

Expert Comment

by: btan
ID: 40557006
Seems like the terminal end is not routing to the VPN zone then...
