syed rahman asked:

Configure 2 SonicWall firewalls in same building

Dear All,

Requirement:
I need to configure two identical firewalls (SonicWall NSA 240) in the same building but on different floors.

Issue:
We have an NSA 240 firewall in our infrastructure, but the problem is that the number of connections the NSA 240 can handle is only 10,000 and we are reaching almost 12,000 connections, which is causing bandwidth issues and also pushing CPU utilization up to 95% to 99%, to the point that I cannot even access the firewall.

The biggest issue here is that users face slow internet daily, and when they report issues I always check the SonicWall logs to confirm which machine is causing the most connections.

I did all the workarounds to isolate the issue, but it does not seem to be working out for me.
Here is my workaround:
The maximum number of connections that the NSA240 model can handle is 10,000, and I sometimes see the connections cross the maximum limit, at which point CPU utilization gets high and the firewall goes into a not-responding mode and will not come back to normal unless I restart it. So after a lot of investigation, such as bandwidth management, removing unnecessary policies in the firewall, deleting unused access rules/VPNs, disabling the App Flow monitor, increasing the MTU to 1500 (which is what is configured at the ISP end), and checking each one of the machines for viruses, none of it has worked for me to overcome this.

After all the troubleshooting mentioned above, the SonicWall folks have suggested upgrading to hardware that can support our business requirement, which is understood and needs to be followed.

So before we do the hardware upgrade, we have decided to configure a spare NSA240 firewall which can actually share the load.
Now I want to configure the new firewall on the other floor and create communication between both firewalls, as users need to access the local resources.

The only options I see to make this work are either to create a site-to-site VPN policy, or to connect both firewalls physically and configure a route between them.

Could someone suggest the best possible way I can get this done, please?

Any help will be much appreciated.
Thanks
Kind Regards,
Syed Rahman
SOLUTION by David Needham (members-only content not shown)

ASKER CERTIFIED SOLUTION (members-only content not shown)
syed rahman (ASKER):

Hello David/Masnrock,
At first, thanks a bunch for taking your time out and assisting me in this regard.

David,
>>Would you be able to post a little more information about what you're trying to achieve and perhaps a diagram?
Since we have an internet slowdown issue in the infrastructure where users are impacted, my requirement is to either split the traffic to reduce the current firewall's burden, OR just upgrade the firewall. So before I upgrade the hardware, I want to make sure whether I can configure the same firewall model on a different floor, as we have one spare anyway.

Another workaround I can do here, as per my understanding, is to increase the number of connections on my NSA240. Here are the three options I see in my firewall if I go to Firewall Settings >> Advanced:
1>Maximum SPI Connections (DPI services disabled)
2>Maximum DPI Connections (DPI services enabled)
3>DPI Connections (DPI services enabled with additional performance optimizations)

Currently I have the 3rd option selected, which gives me only 10,000 connections. So I think I can try the second option (Maximum DPI Connections (DPI services enabled)), which will also have my security services enabled BUT will not inspect each packet unless the firewall receives a secured packet which needs to be inspected.

If this also doesn't give me any result, I suspect I would need to go with the upgrade, but any other suggestions from you guys would be much appreciated.

Again, thank you for all your time and suggestions given.


Kind Regards
Syed Rahman
SOLUTION (members-only content not shown)

SOLUTION (members-only content not shown)

SOLUTION (members-only content not shown)
Hello David,
Thanks for the suggestions.
Agreed that having a route between the two NSAs will not resolve my issue, and your suggestion was very helpful. Thanks!

Hello Masnrock,

>>other DPI option will not have the same level of performance, that is still going to be an issue.
Suppose I change the DPI option to Maximum DPI Connections (DPI services enabled) instead of what I currently have set, DPI Connections (DPI services enabled with additional performance optimizations). Is the network performance going to be impacted, or would I see slightly better internet performance after changing the DPI?

My biggest concern here is that users are impacted by the slow internet issue, and I'm just looking for an option where every user gets good internet connectivity/speed.

Also, the SonicWall team has suggested that I try changing the DPI option, which should at least give me more connections for now, and asked me to monitor the performance for 1-2 days. They have also mentioned that there isn't much difference between the 2nd & 3rd DPI options and the performance will remain the same.

Forgot to mention that we have 2 leased lines, each with 10MB speed. I was wondering, after all of my investigations/workarounds, whether the bandwidth I have is the problem and whether increasing it to 15-20 MB is going to resolve my issue?


I'm planning to go for either the NSA3600 or 4600 as you suggested, but is it going to accept/be compatible with the settings that I have currently? Or will anything be lost that I have to do manually? I want to make sure everything is in place before the upgrade.
Thank you!

Hello Diverseit,
Thanks for the information and suggestion. The article provided was very helpful though.

>>>example, now their lowest prduct model (TZSOHO) made for 1-3 users (micro office) can support what your NSA can...10,000 DPI connections. The TZ300 can handle 50,000 DPI connections.

As per my understanding, the TZ series is made for small offices with fewer users connected, whereas the NSA series is designed for the enterprise level.

>>If you provide how many nodes you are covering I can dial you in to a specific model.
Basically, we have 140 users currently behind the SonicWall, and the problem is, as I mentioned, most of them face the internet slowness issue. You might have read my issue in this thread. I suspect the number of users is surely going to increase in the coming days, given the current business growth.


I have no issues upgrading the FW, but I'm thinking that if the slowness issue remains the same after the upgrade with the same current bandwidth, then it will be a NO SHOW for me and I would not be able to answer to management.


Each one of you has been a great help to me and I have learnt a lot of troubleshooting from your answers. I must thank each one of you.


Kind Regards,
Syed Rahman
SOLUTION (members-only content not shown)

SOLUTION (members-only content not shown)
My pleasure Syed. Good luck implementing the solution.
Kind regards,
David
SOLUTION (members-only content not shown)

SOLUTION (members-only content not shown)
Hello Masnrock/Diversseit,

Thank you very much for your time and the suggestions given. They were really very helpful for me to understand.

I'm now planning to have my NSA240 upgraded to either the 2600 OR 3600. I think the 3600 would be an even better option for me to go with, as it is far better than what I require from a performance perspective/DPI connections/other features. Also, I have Analyzer coming with the NSA3600, which will be very important/beneficial for me to understand/trace the hosts eating more bandwidth in the network.

I have asked the SonicWall folks for a demo of the NSA3600, which has been scheduled for Saturday, the day after tomorrow (pending approval), and if not, definitely on Monday. As suggested by Masnrock, I'm now going to do the manual configuration from the 240 to the 3600.
I will update you guys on the status either on Saturday or Monday.

Hi ArneLovius,

>>On a 10mb connection, having 10k connections sounds a little high, do you know what form these connections are? Could somebody be running some P2P software (such as torrenting) or do you run an application that creates a LOT of connections?

We have 2 ISPs with the same 10MB connection each (20MB), which serves the users OK at this point in time. I'm not sure if the users have P2P software, but I have content filtering enabled which restricts users from downloading anything from torrent websites.

But one thing I have noticed in the firewall, if I check the core processor, is that an application called UltraSurf utilizes 6% of the connections. I have also checked this specific machine for the same application but could not find out where it sits, and I don't see it installed AT ALL.

Again, I would like to thank each one of you for taking time out and assisting me in this regard.
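The log check the asker does by hand (which machine holds the most connections, and which application, such as the UltraSurf share noted above) can be scripted. This is an added example, not code from the thread or from SonicWall; the record format, hosts and application names are constructed, and the 10,000 limit is the NSA 240 ceiling quoted in the question.

```python
"""Added example, not code from this thread or from SonicWall: rank hosts and
applications by active-connection count (the check the asker does by hand in
the firewall logs) and compare the total with the NSA 240's 10,000-connection
ceiling quoted in the question. The record format is a constructed,
simplified export; real SonicWall exports differ."""
from collections import Counter
import re

MAX_CONNECTIONS = 10_000  # NSA 240 ceiling stated in the thread

# Constructed sample: one record per active connection (src, dst, app).
SAMPLE_CONNECTIONS = """\
src=10.0.1.21 dst=203.0.113.5:443 app=HTTPS
src=10.0.1.21 dst=203.0.113.9:443 app=HTTPS
src=10.0.1.21 dst=203.0.113.9:80 app=HTTP
src=10.0.1.77 dst=198.51.100.2:8443 app=UltraSurf
src=10.0.1.77 dst=198.51.100.3:8443 app=UltraSurf
src=10.0.1.77 dst=198.51.100.4:8443 app=UltraSurf
src=10.0.1.77 dst=198.51.100.5:8443 app=UltraSurf
src=10.0.1.40 dst=192.0.2.10:53 app=DNS
src=10.0.1.40 dst=203.0.113.5:443 app=HTTPS
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^src=(\S+)\s+dst=(\S+)\s+app=(\S+)$")


def parse_connections(text):
    """Return (src, dst, app) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def summarize(records, limit=MAX_CONNECTIONS):
    """Count connections per source host and per app, and check the limit."""
    per_host = Counter(src for src, _, _ in records)
    per_app = Counter(app for _, _, app in records)
    total = len(records)
    # Share of the connection table held by each app, in percent.
    app_share = {app: round(100.0 * n / total, 1) for app, n in per_app.items()}
    return {
        "total": total,
        "limit": limit,
        "headroom": limit - total,  # negative once the table has overflowed
        "over_limit": total > limit,
        "per_host": per_host,
        "app_share": app_share,
    }


def top_hosts(summary, n=3):
    """Hosts holding the most connections, highest first."""
    return summary["per_host"].most_common(n)


def noisy_apps(summary, min_share=5.0):
    """Apps whose share of the table is at least min_share percent."""
    return sorted((a, s) for a, s in summary["app_share"].items() if s >= min_share)


if __name__ == "__main__":
    s = summarize(parse_connections(SAMPLE_CONNECTIONS))
    print(f"{s['total']} connections, headroom {s['headroom']} of {s['limit']}")
    for host, count in top_hosts(s):
        print(f"  {host}: {count} connections")
    for app, share in noisy_apps(s):
        print(f"  {app}: {share}% of the table")
```

Run against a real export the parser would need adjusting to that export's field names; the per-host ranking and the headroom check are the part worth keeping.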
SOLUTION (members-only content not shown)

SOLUTION (members-only content not shown)
Hello,

I have now got the NSA3600 for DEMO. I just wanted to double check before I proceed with having it live: are all my current settings from the NSA240 going to be the same if I import them to the 3600? Or will anything change that I will have to do manually?
SOLUTION (members-only content not shown)
Yes, it should work. But as David and I have pointed out, always verify. Generally, nothing will need to be done manually, but that doesn't apply 100 percent of the time.
Hello Masnrock/David,

Update:
After importing the settings from the NSA240 to the 3600, the settings seem to be working fine. But unfortunately I ran into a strange issue now.
Issue: X2 (secondary line) is not detecting.
Status: No Link

After importing the settings, I don't see the secondary interface coming up, and I see the link status as (No Link) on X2, whereas the primary link has come up automatically without any issues.

Below is my workaround for your reference:
1> At first, I rebooted the firewall and checked the X2 interface WAN configuration settings in case anything was missed out/shuffled up/down. Did not find any mismatch.
2> Restarted the ISP box/Mux (just to confirm) in case it needed a kick start after changing the unit. (No luck)
3> Tried changing the interface speed to Auto negotiate and 100 Mb full duplex, with no change.
4> Tried doing manual configuration of port X2 with the secondary WAN IP details (just in case), but that did not work either.
5> Checked by connecting the secondary line coming directly from the Mux to my individual laptop and verified the line is up/running fine.
6> Strange, but I noticed that when I tried interchanging the interfaces (X1 to X2 and X2 to X1), X2 shows port status after connecting the primary line, but it doesn't show anything connected if I connect the secondary line to X2, and I'm really not sure what has happened.
7> Tried re-importing the settings but still get the same results.
8> Tried shuffling the interfaces in the default L&B group. (No luck)

I can see the primary connection is UP on X1, and also if I connect it to X2, but the secondary line is not detecting the connection and doesn't show anything; it just shows (No Link).

Weird, but I noticed that if I put the previous NSA240 back with both lines, I see both are UP/running fine. Currently I have my old NSA240 put back, but I have to put in the new one to test it so that I can purchase the new NSA3600.
Any suggestions I can get for the troubleshooting?


Regards,
Syed Rahman
It is possible that things just did not map out correctly. Sometimes things like this do happen. Have you tried to manually recreate the WAN interface on X2?
Hi Syed,

Can you post details of the two circuits?  

Are they both terminated in the same way?  Are they from two different suppliers?

I've read through your post and I'd just like to double check that I've understood you correctly.  When you plugged the primary circuit into X2,  did it connect ?  Likewise, when you plugged your secondary circuit into X1, what happened?
Hello David,
Thanks for the prompt response!!

1>Yes, both are from different suppliers.

On the NSA 240, I have the primary circuit configured on X1 and the secondary circuit configured on X2. Now, after importing the settings from the NSA240 to the 3600, it should detect all my NSA240 settings, right? So my primary circuit (X1) detects automatically and connects immediately, BUT the secondary circuit on X2 shows (No Link), so (just to confirm the circuit is UP/running) I have checked by connecting the ISP line directly to my laptop, and it connects with no issues, whereas it doesn't detect on my new NSA3600.

>>When you plugged the primary circuit into X2, did it connect? Yes, it connects, but I have to change the port configuration with the primary WAN details.
>>When you plugged your secondary circuit into X1, what happened? It shows (No Link). It doesn't matter if I do manual configuration or if I import settings from the 240 to the 3600.

It doesn't matter where I plug the secondary circuit in, say X1 or X2, it doesn't connect. Forget about connecting, it doesn't even show the link as connected. If it showed some link status, I could understand that there is some configuration mismatch, but I am unable to understand that it connects from my laptop but not from the NSA3600 on either port X1 or X2.

Also, I tried shutting down X2 and configured X3 in place of X2 with the secondary WAN IP details, but it's still strange to see that it doesn't even detect.

What I understand is that (1) there are obviously no issues with the firewall ports (one thing), and (2) there is no issue with the secondary circuit, because I have checked it by connecting directly to my laptop and it connects just fine, but when I try to put the secondary circuit in any of the interfaces, it doesn't detect the connection and says (No Link).
SOLUTION (members-only content not shown)
Hi Syed,

Thank you for the clarification.

A few more questions if I may?

When you plugged the secondary circuit into X2, or any port for that matter, what kind of activity do you see on the port LEDs at either end? Can you see any signs of negotiation between the ISP's NTE and the SonicWall, or is there little or no activity?

Can I assume that you've tried multiple patch leads between the NTE and your SonicWall?

Can you supply details of the ISP's NTE?

What Firmware is running on the NSA3600?
My last comment didn't make it up here.... could you make sure the firmware is on the latest stable version? Assuming that it's not, don't be afraid to take the 3600 back to factory, upgrade the firmware, then import the settings again.

Also, does the second ISP have a requirement for speed/duplex settings on the firewall port it's connected to?
>>When you plugged the secondary circuit into X2, or any port for that matter, what kind of activity do you see on the port LEDs at either end? Can you see any signs of negotiation between the ISP's NTE and the SonicWall, or is there little or no activity?

I could only see the LEDs blink for 2 seconds on both the SonicWall and the ISP's NTE the moment I plugged in the cable, and after 2 seconds or max 3 seconds it goes to NO LED/INDICATION, which states that the link is not connected at all.

>>Can I assume that you've tried multiple patch leads between the NTE and your SonicWall?
Yes, tried multiple patch leads. But just to keep you aware, when I try any of the cables between the NTE and the SonicWall, I have also cross-checked that they are working by connecting directly from the NTE to my laptop, with no issues (informing you just to keep you aware).

>>Can you supply details of the ISP's NTE?
What details do you need for the ISP's NTE? Any specific details, like what kind of device it is, or the model of the device, or anything else I can help you with?

>>What Firmware is running on the NSA3600?
Current firmware on the 3600 is 6.2.11

I have 5.9.1.1 on the NSA 240 currently.


Regards,
Syed Rahman
Thanks Syed.

The model number will be good. Also, details of the type of circuit and the ISP may help.

As for the first thing to try: I would go with Masnrock's suggestion. Make sure the firmware is the most current on general release. Avoid versions in development.

If the lights flash for only a couple of seconds and then stop, then negotiation is failing at an early stage. Again, Masnrock has already suggested that you check that there isn't a manual configuration on your 240.
Hi Masnrock,
Thanks for your valuable inputs.

I'm not sure if 6.2.1.1 is the latest stable version or not, but I was informed by the vendor to use it, as this version has been used by them for a couple of months and they see no issues with it. So I had initially taken the 3600 back to factory and booted 6.2.1.1 again (assuming that I'm not missing any of the initial steps), then imported the settings from the 240 on 6.2.1.1. I could try calling the SonicWall folks again to ask them if it is a stable version, if you suggest, and if they say it's not, I would upgrade to whatever stable version they suggest.


>>Also, does the second ISP have a requirement for speed/duplex settings on the firewall port it's connected to?
Yes, there is.
Looks like 6.2.6.1 is the current firmware version. If you can get hold of it, upgrading will probably prove to be worthwhile.
Hi Masnrock/David,
Update:
I have successfully connected X2 to the secondary ISP now, after the firmware upgrade (6.2.5.1) suggested by SonicWall. I thought of upgrading to 6.2.6.1 as suggested by David, but the SonicWall tech said that the 6.2.6.1 firmware has a few bugs that still need to be rectified and I may see those issues after a few days (not aware of the bugs they are talking about), but upgrading the firmware did work for me. (THANKS FOR THAT SUGGESTION, BOTH OF YOU)
Workaround:
I restored the 3600 to default factory settings, booted the 3600 with 6.2.5.1, configured each of the interfaces manually, and restarted the firewall, then BOOM, I could see both connections up. Later I imported my 240 settings to the 3600.

After having all the users connected to the newly configured 3600 firewall, I can now see the utilization normalized, which was not the case with the 240 of course, but there is only one issue now.

The users are not able to copy the WAR files, which are about 100-150MB in size, to the remote servers hosted outside the network. They used to do it on the 240 without any issues and it used to take max 5 minutes for the transfer. But now, after replacing the firewall, I have received a few complaints that they are not able to perform this task after the hardware upgrade, though the internet performance is very good.

FYI,
I had a similar issue a couple of months ago when I had upgraded the 240 firmware from 5.9.11 to 5.9.1.7 to optimize the network performance after seeing the slow throughput issue. I was also informed by the SonicWall folks that I had to upgrade the firmware at any cost in order to troubleshoot the throughput issues. Later, after upgrading the firmware from 5.9.1.1 to 5.9.1.7, users complained of the same WAR file issue, that they were not able to push the files to remote servers. I had tried most of the troubleshooting and had SonicWall techs also do some troubleshooting, but none of it worked to resolve the issue. Then the next day, I thought let me try downgrading the firmware back to the old one, 5.9.1.1, and see if that helps the users, and YES, users were able to do that after the downgrade.

This issue is very, very important and I have to get it resolved at any cost, because every alternate day we have some software releases, so the WAR files need to be pushed to the production servers that are hosted in a remote location.


Any suggestions on this?
Always avoid the early release firmware if you can, but glad you're back on track.

Check out the Security Services settings. Try changing to Performance Optimized and see if that helps.
Hi Syed,

You're not having much luck with this one, are you? :-). Stick with it though.  I'm sure the solution is just around the next corner.

I have come across these sorts of issues with SonicWalls in the past, and how I solved them isn't springing instantly to mind.

One thing that springs to mind is using a firmware that you know works. This will have security implications though! Particularly as the version is quite old.
Hello Both,
Thanks for the suggestions.
Now that I'm back to both of the connections, I can run the 3600, but I always have one or another issue remaining that impacts the users' work.

Changing the Security Services settings was my first step to resolve the issue, and I changed to Performance Optimized, but it did not work.
David,
Yeah, using firmware we know works is good sometimes to fight the work impact, but one thing: is the 5.9.1.1 firmware supported on the 3600?? I guess not, because from a functionality perspective both are far different, so I think the firmware also matters to have them run properly, but I'm not sure.
Since you have support, you should be able to sign in and look at the older firmware available for the 3600. Will not promise you can downgrade that far on that device. I'd also get support at Sonicwall involved in case there's something they need to engineer (the times they have to patch firmware, it can take a few weeks for them to write it).
If you have access to the MySonicWall account associated with this device, then the firmware versions that will work with it will be detailed there.  Usually the firmware is written for the whole family of devices, so it should work.  However, be cautious and use this as a final option.  Going backward in firmware will undoubtedly be a security risk.
I will try to get hold of the SonicWall team and see if they can help me sort this out.
But you folks have been really a great help for me in overcoming my ongoing issues with effective suggestions and support, and for this I would like to thank you again for the prompt suggestions and for taking your precious time out to respond to my questions.

I'll update the thread tomorrow with the latest updates after working with the SonicWall tech team.


Regards,
Syed Rahman
Any new developments?