Can't ping second LAN interface on NSa3650

I have a LAN zone on X20 with ip 10.0.50.1 connected to switch1 with IP 10.0.50.2 vlan 50. I have set up a second LAN zone on X18 with ip 192.168.0.18 going to the same switch with IP 192.168.0.17 vlan 900. Firewall and switch1 can ping both interfaces.

I have a second switch connected to switch1 that can ping 10.0.50.1 but when I try and ping 192.168.0.18 the firewall drops the packet with a 'DROPPED, Drop Code: 501(IP Spoof check failed recorded in module network)' error.

What am I missing?

Thanks.

Category: Mid Range Firewalls

Answers

  • Saravanan Moderator

    Hi @PINALDPS,

    Could you please check which interface the dropped packets hit on the SonicWall for 192.168.0.18? The packet should hit the interface VLAN 900.

    An IP spoof drop occurs when the firewall expects traffic on the interface to which the corresponding subnetwork is bound, but receives the traffic on some other interface, hence leading to a spoof.

    Please verify and let us know.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • pinaldps Newbie ✭

    It's coming in on the correct interface. Here's the packet detail:

    Ethernet Header

    Ether Type: IP(0x800), Src=[40:f0:78:21:d1:48], Dst=[2e:b8:ed:04:c9:0c]

    IP Packet Header

     IP Type: ICMP(0x1), Src=[10.0.0.10], Dst=[192.168.0.18]

    ICMP Packet Header

     ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 35430

    Value:[1]

    DROPPED, Drop Code: 501(IP Spoof check failed recorded in module network), Module Id: 25(network), (Ref.Id: _1601_krUrqqhEjgem) 1:1)

  • MgnfcntBstrd Newbie ✭

    I'm presuming the second switch is 10.0.0.10. What is the subnet mask on that network?

  • pinaldps Newbie ✭

    Correct. 10.0.0.10/24.

    On the SonicWall 10.0.50.1/29 was the first LAN interface (x21) I set up and I have always been able to ping that fine. Pinging this new interface 192.168.0.18/29 from the second switch will route the exact same way until it gets to the first switch connected to the SW where vlan 900 is 192.168.0.27/29 and is connected to the x12 interface.

  • Saravanan Moderator

    Hi @PINALDPS,

    In your previous message, you failed to show the interface details on the dropped packet.

    Could you please share a screenshot of the dropped packet? Let me take a look.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Ajishlal All-Knowing Sage ✭✭✭✭

    Hi @pinaldps

    Most probably it would be a loop in the physical configuration of the SonicWall and the devices connected to it. For instance, if a switch behind the SonicWall is connected both to the X0 (LAN) and another interface (X2, X3) of the SonicWall, it can cause IP Spoof messages if the switch does not have VLANs configured or they are not configured properly.

    For more info, please go through the below KB:


  • MgnfcntBstrd Newbie ✭

    Guessing the 27 is a typo for 17?

    Since 10.0.0.10 is not within the 10.0.50.0/29 subnet, the 10.0.50.2 switch would have to be a router, right?

    I'm guessing you have a static route in place on the SonicWALL to point 10.0.0.0/24 traffic at 10.0.50.2 as a gateway.

    Do you also have a static route in place on the SonicWALL to point 10.0.0.0/24 traffic at 192.168.0.17 as another gateway?
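
Added example, not part of any post in this thread and not SonicWall's code: a simplified Python model of the interface-versus-source check described above, showing why a ping from 10.0.0.10 passes on one interface and is dropped on the other. The interface names X20 and X18 come from the original question; the static route for 10.0.0.0/24 via 10.0.50.2 is the guess made in the thread and is assumed here.

```python
import ipaddress

# Constructed routing table modelled on the thread. Interface names and
# subnets come from the original question; the static route is the one
# guessed at in the thread, not a confirmed setting.
ROUTES = [
    ("10.0.50.0/29", "X20"),     # connected: first LAN interface 10.0.50.1
    ("192.168.0.16/29", "X18"),  # connected: second LAN interface 192.168.0.18
    ("10.0.0.0/24", "X20"),      # assumed static route via gateway 10.0.50.2
]


def egress_interface(ip, routes):
    """Longest-prefix match: the interface the firewall would use to reach ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoof_check(src_ip, ingress_iface, routes=ROUTES):
    """Return (passed, expected_iface) for a packet from src_ip on ingress_iface.

    The packet passes only if the route back to its source leaves through the
    same interface it arrived on. A source with no route at all also fails.
    """
    expected = egress_interface(src_ip, routes)
    return expected == ingress_iface, expected


if __name__ == "__main__":
    # Constructed cases: the second switch (10.0.0.10) pinging via each
    # interface, and the directly connected switch address on X18.
    cases = [
        ("10.0.0.10", "X20"),
        ("10.0.0.10", "X18"),
        ("192.168.0.17", "X18"),
    ]
    for src, iface in cases:
        ok, expected = spoof_check(src, iface)
        verdict = "pass" if ok else "DROP (spoof check)"
        print(f"src={src:<13} in={iface} route-back={expected} -> {verdict}")
```

With this table, the echo request from 10.0.0.10 is accepted on X20 and dropped on X18, while the directly connected 192.168.0.17 is accepted on X18.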

  • pinaldps Newbie ✭

    Hey everyone. I wanted to thank you all for your suggestions and help with my problem. I finally realized that there was no reason to have a second interface from my switch to the firewall...the primary LAN interface was all I needed. I removed it, added the correct routes and an access rule and it fired right up.

    My firewall experience isn't the greatest and you all helped point me in the right direction and also learn.

    Thanks!

  • Saravanan Moderator

    Glad to hear that the issue is resolved and you are all set @PINALDPS.

    Have a good one!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
