..or more accurately, placing a SonicWALL (SW) behind a Barracuda Link Balancer (BLB) 330.
Currently, our company network rests behind a BLB with three ISP connections. The BLB is in firewall mode with very few ports forwarded (Fonality system, and Daylite server). The folks in charge have decided that they would like to give some members of the staff VPN connectivity. The BLB has point-to-point capabilities, but not client-based or SSLVPN. There are obviously several options out there, and many of them are relatively expensive. Fortunately, I personally own a SW TZ215 we can test things with.
The issue is configuration. The SW is fine on its own with the primary ISP settings, but the BLB documentation lacks clarity regarding how things need to be configured. The documentation uses the scenario of Adding a BLB to an existing network, so I worked accordingly, resetting the BLB to factory (after saving a backup of the config), and following the instructions listed here:
https://techlib.barracuda.com/display/BLIBv24/Installation+in+Front+of+Your+Firewall
Unfortunately, once I attach a cable (even a crossover, per the instructions) from the LAN port of the BLB to the WAN port of the SW, everything grinds to a halt. Not only can I not get to the outside, but I can't even get back to the BLB to make any changes.
The BLB has 3 ISP connections (one primary and two backups), and the SW has the same ISP config on the WAN port as the primary on the BLB. I can provide further details as necessary, but the basic configuration reflects Fig. 2 in the link below:
https://techlib.barracuda.com/display/BLIBV24/Deployment+Options
Since it's not functioning as it's supposed to, there's obviously something wrong, but I can't find it. I would appreciate any advice you might have.
Thanks
I'm not very familiar with Barracuda products, so I'm going to approach this from the perspective of the SonicWALL.
Depending on the SonicWALL's configuration, it could be ARP defending for the entire WAN subnet. SonicOS is fairly strict, which is a good thing, but that can lead to wonky issues like this.
A few questions come to mind:
1. Are you able to access the SonicWALL's UI?
2. Is the SonicWALL's CPU utilization spiking?
3. Are there any logs regarding IP spoof protection?
4. Is the WAN link up? If so, what is the negotiated speed/duplex?
5. What is the configuration of the WAN interface? (take care to anonymize IPs)
6. Have you created or modified any NAT policies? If so, what are they? (again, take care to anonymize IPs)
7. Which version of SonicOS is the appliance running (you can find this on System > Status)?
It may also be helpful to collect a packet capture from the SonicWALL. This can tell us what's happening on the WAN link. To collect a capture, take the following steps:
1. Expand the System menu
2. Navigate to the Packet Monitor page
3. Click the Configure button
4. Go to the Monitor Filter tab
4a. Set the Ether Type field to IP
4b. Remove any filters from the remaining text boxes
4c. Ensure that "Enable Bidirectional Address and Port Matching" is checked
4d. Ensure that the remaining checkboxes are unchecked
5. Go to the Display Filter tab
5a. Ensure that all text boxes are empty
5b. Ensure that all checkboxes are checked
6. Go to the Advanced Monitor Filter tab
6a. Ensure that "Monitor Firewall Generated Packets. (This will bypass interface filter)" is checked
6b. Ensure that "Monitor Intermediate Packets" is checked
6c. Ensure that "Monitor intermediate reassembled traffic" is checked
6d. Ensure that "Monitor intermediate fragmented traffic" is checked
7. Click the OK button
8. Click the Start Capture button
9. Let the capture run for 5 to 10 minutes while you try to access the Barracuda and the Internet
10. From the Export as dropdown field, choose libpcap
11. From the Export as dropdown field, choose Text
12. Upload both files to this thread
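An added example, not part of either post above: once the libpcap export from step 10 is in hand, this Python reads it and lists any IPv4 source address that appears with more than one Ethernet source MAC, which is what two devices holding the same WAN address look like on the wire. The sample capture, its addresses and MACs are constructed, and the function names are this example's own.

```python
import struct
from collections import defaultdict

def macs_per_source_ip(pcap: bytes) -> dict:
    """Map each IPv4 source address to the Ethernet source MACs seen with it."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    seen = defaultdict(set)
    offset = 24  # first record follows the 24-byte global header
    while offset + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[offset + 8:offset + 12])[0]
        frame = pcap[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated frame, or not untagged IPv4
        src_ip = ".".join(str(b) for b in frame[26:30])
        seen[src_ip].add(frame[6:12].hex(":"))
    return dict(seen)

def conflicting_sources(pcap: bytes) -> dict:
    """Source IPs claimed by more than one MAC: candidates for an address conflict."""
    return {ip: sorted(m) for ip, m in macs_per_source_ip(pcap).items() if len(m) > 1}

def build_record(src_mac: str, src_ip: str, dst_ip: str) -> bytes:
    """Constructed test data: one pcap record holding a bare Ethernet + IPv4 header."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    frame = (b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
             + struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
             + ip4(src_ip) + ip4(dst_ip))
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: 203.0.113.10 (documentation range) is sent by two MACs.
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + build_record("02:00:00:00:00:01", "203.0.113.10", "203.0.113.1")
    + build_record("02:00:00:00:00:02", "203.0.113.10", "203.0.113.1")
    + build_record("02:00:00:00:00:fe", "203.0.113.1", "203.0.113.10")
)

if __name__ == "__main__":
    for ip, macs in conflicting_sources(SAMPLE_PCAP).items():
        print(f"{ip} seen from {len(macs)} MACs: {', '.join(macs)}")
```

A packet the firewall forwards can be captured on two interfaces with different source MACs, so check any hit against the interfaces involved before treating it as a conflict.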