Best Of
Re: TZ670 Max DPI-SSL Connections not correct
Hi all, was this situation ever resolved? Datasheets still showing 35K/50K/75K for TZ470/570/670 but the UI says otherwise 30K for all.
Will there be an official statement on that?
--Michael@BWC
BWC
SonicOS 6.5.4.8 -> Mikrotik RouterOS 6.48.3 IKEv2 / PRF
Hi guys,
while struggling converting an old working configuration from a NSA 3500 over to a NSa 2650 I experienced that SonicOS is handling IKEv2 a bit different than before. The tunnel never comes up and the Mikrotik was complaing about not finding a peer for the provided IKE ID. Which is odd, because the new SNWL was configured exactly the same like before.
To get the tunnel working again I needed to configure the PRF Algorithm on the Mikrotik side:
It was related to the PRF Algorithm which isn't configurable on the SNWL side. AFAIK it has to be the same as configured for Authentication in the SNWL VPN Profile.
Cisco does it in a similar fashion according to this.
Hope this helps if someone else falls into this trap.
--Michael@BWC
BWC
Re: TZ400 SonicOS API - SSL Certificate
You, my friend, are a rock star! 🤩🤩🤩 Hopefully the Engineering team can help figure out the issue with the export or my work will have all been for naught. The only thing I could think to do otherwise would be to try to implement an entire SSH client in my application to use the CLI to do it, but putting all of that into my little .NET application seems a bit of overkill.
Either way, I suppose I'll work on the other elements to see if I can have them ready when Engineering comes back with the (working?) solution! Thank you yet again! 👊
Re: TZ400 SonicOS API - SSL Certificate
Thank you so much. I figured it was something like that, but this will honestly be my first time to really dig into the certificate process, so I wasn't sure where I was failing. I've got some "interesting" logic to build in my application in order to have it construct the JSON like that but, now that I have some "rules", I shouldn't have too much trouble getting it done.
BTW, does the CLI documentation spell these "rules" out better than that for the API? I have a feeling I'm going to run into things like this again at some point in my development process.
Re: New user account created in Primary/Active is not sync with Secondary/Standby in High Availability
Hi @George , did you try and add anything else like an Address object? it looks like it is not syncing correctly at all, like I said check the cables for the HA, if they appear to be correct and are showing in the HA Status as the link is up,
then I would remove the Secondary offline, remove all the cables from it,
connect to the MGMT interface, put the secondary in to safemode via a paperclip, then boot with the firmware with Factory defaults,
once the device is back up i.e. the ping to 192.168.1.254 is responding again then reconnect the HA cables only,
log in to the primary and go to HA/Status and wait for the Secondary to come back up, it will sync, then re-boot, once it shows as back online and the HA is synced then re-connect all the other cables, if you are connecting HA Interfaces via a switch I would recommend using a cable directly between Primary to the secondary HA Interfaces to rule out any issue with the switch.
preston
Re: Use RADIUS Filter-ID to add user to local group
When you're connected via L2TP already, you can't IMHO login to the Admin UI from the same IP because you can be authenticated only once.
Do you have a chance to connect to your WAN (X1) IP if you have it enabled on that interface?
--Michael@BWC
BWC
Re: Use RADIUS Filter-ID to add user to local group
Hi @MAMEY,
Could you please share the error message that you get when trying to login to the SonicWall GUI?
Re: Use RADIUS Filter-ID to add user to local group
Hi @mamey it's the other way around, your "Network Administrators" should be a Member of "SonicWall Administrators".
--Michael@BWC
BWC
