Can't ping second LAN interface on NSa3650
pinaldps
Newbie ✭
I have a LAN zone on X20 with ip 10.0.50.1 connected to switch1 with IP 10.0.50.2 vlan 50. I have set up a second LAN zone on X18 with ip 192.168.0.18 going to the same switch with IP 192.168.0.17 vlan 900. Firewall and switch1 can ping both interfaces.
I have a second switch connected to switch1 that can ping 10.0.50.1 but when I try and ping 192.168.0.18 the firewall drops the packet with a 'DROPPED, Drop Code: 501(IP Spoof check failed recorded in module network)' error.
What am I missing?
Thanks.
Category: Mid Range Firewalls
0
Answers
Hi @PINALDPS,
Could you please check which interface the dropped packets hit on the SonicWall for 192.168.0.18? The packet should hit the interface VLAN 900.
An IP spoof drop occurs when the firewall expects traffic on the interface to which the corresponding subnetwork is bound, but receives the traffic on some other interface, hence leading to a spoof.
Please verify and let us know.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
It's coming in on the correct interface. Here's the packet detail:
Ethernet Header
Ether Type: IP(0x800), Src=[40:f0:78:21:d1:48], Dst=[2e:b8:ed:04:c9:0c]
IP Packet Header
IP Type: ICMP(0x1), Src=[10.0.0.10], Dst=[192.168.0.18]
ICMP Packet Header
ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 35430
Value:[1]
DROPPED, Drop Code: 501(IP Spoof check failed recorded in module network), Module Id: 25(network), (Ref.Id: _1601_krUrqqhEjgem) 1:1)
I'm presuming the second switch is 10.0.0.10. What is the subnet mask on that network?
Correct. 10.0.0.10/24.
On the SonicWall 10.0.50.1/29 was the first LAN interface (x21) I set up and I have always been able to ping that fine. Pinging this new interface 192.168.0.18/29 from the second switch will route the exact same way until it gets to the first switch connected to the SW where vlan 900 is 192.168.0.27/29 and is connected to the x12 interface.
Hi @PINALDPS,
In your previous message, you failed to show the interface details on the dropped packet.
Could you please share a screenshot of the dropped packet? Let me take a look.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @pinaldps
Most probably it would be a loop in the physical configuration of the Sonicwall and the devices connected to it. For instance, if a switch behind the SonicWall is connected both to the X0 (LAN) and another interface (X2, X3) of the SonicWall, it can cause IP Spoof messages if the switch does not have VLANs configured, or has them configured incorrectly.
For more info, please go through the KB below:
Guessing the 27 is a typo for 17?
Since 10.0.0.10 is not within the 10.0.50.0/29 subnet, the 10.0.50.2 switch would have to be a router, right?
I'm guessing you have a static route in place on the SonicWALL to point 10.0.0.0/24 traffic at 10.0.50.2 as a gateway.
Do you also have a static route in place on the SonicWALL to point 10.0.0.0/24 traffic at 192.168.0.17 as another gateway?
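The routing question in the reply above is the heart of the drop code 501 behaviour: the firewall looks up the route back to the packet's source and expects that route to leave through the interface the packet arrived on. The following is an added example (not SonicWall code, and not posted by anyone in this thread) that models that reverse-path style check over a routing table built from the addresses given in the first post; the interface names X20/X18, the /29 networks and the static route via 10.0.50.2 are taken from the thread, while the second route via 192.168.0.17 is the hypothetical one the reply asks about.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str                  # egress interface for this prefix
    gateway: Optional[str] = None   # None = directly connected network


def best_routes(routes: List[Route], ip: str) -> List[Route]:
    """Longest-prefix match; returns every route sharing the best prefix length
    (several equal-length routes model a second gateway for the same subnet)."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return []
    best_len = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == best_len]


def spoof_check(routes: List[Route], src_ip: str, ingress: str) -> Tuple[str, str]:
    """Reverse-path style anti-spoof check: the route back to the source must
    leave through the interface the packet arrived on, otherwise it is dropped."""
    candidates = best_routes(routes, src_ip)
    if not candidates:
        return "DROPPED", f"no route back to {src_ip}"
    if any(r.interface == ingress for r in candidates):
        return "FORWARDED", f"return path to {src_ip} matches ingress {ingress}"
    via = ", ".join(sorted({r.interface for r in candidates}))
    return "DROPPED", f"return path to {src_ip} is via {via}, but packet arrived on {ingress}"


# Constructed from the thread: two /29 LAN interfaces plus the single static
# route the OP is presumed to have for the second switch's 10.0.0.0/24 network.
THREAD_ROUTES = [
    Route(ipaddress.ip_network("10.0.50.0/29"), "X20"),
    Route(ipaddress.ip_network("192.168.0.16/29"), "X18"),
    Route(ipaddress.ip_network("10.0.0.0/24"), "X20", gateway="10.0.50.2"),
]
# Hypothetical second static route, the one the reply above asks about.
WITH_SECOND_ROUTE = THREAD_ROUTES + [
    Route(ipaddress.ip_network("10.0.0.0/24"), "X18", gateway="192.168.0.17"),
]

if __name__ == "__main__":
    for table, name in ((THREAD_ROUTES, "one route"), (WITH_SECOND_ROUTE, "two routes")):
        verdict, why = spoof_check(table, "10.0.0.10", "X18")
        print(f"{name}: ping from 10.0.0.10 arriving on X18 -> {verdict}: {why}")
```

With only the route via 10.0.50.2, the echo request from 10.0.0.10 arriving on X18 is dropped exactly as in the capture; adding the second route makes the same packet pass.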
Hey everyone. I wanted to thank you all for your suggestions and help with my problem. I finally realized that there was no reason to have a second interface from my switch to the firewall...the primary LAN interface was all I needed. I removed it, added the correct routes and an access rule and it fired right up.
My firewall experience isn't the greatest and you all helped point me in the right direction and also learn.
Thanks!
Glad to hear that the issue is resolved and you are all set @PINALDPS.
Have a good one!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services