TZ210 problem getting traffic to pass through X2 interface
We've recently acquired a site that is using an older TZ210. I've connected the X2 interface, which is in the LAN zone, to our network (Cisco switch); however, I cannot get traffic to pass over it. I only get a cryptic Enforced Firewall Rule message. I can ping the Cisco IP from the Sonicwall but pings from the Cisco interface to the Sonicwall fail. Below is a packet capture of the failure. The KB article on Enforced Firewall Rule failures didn't provide much insight and I'm not seeing anything in the debug logs. Also to note, this works fine at a 2nd site we acquired using an even older TZ200.
*Packet number: 1*
Bytes captured: 114, Actual Bytes on the wire: 114
Packet Info(Time:09/08/2021 15:56:07.528):
in:X2*(interface), out:--, DROPPED, Drop Code: 40(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5473_txGsIboemfJqQlu), 0:0)
Ether Type: IP(0x800), Src=[60:73:5c:f0:30:41], Dst=[00:17:c5:af:96:de]
IP Packet Header
IP Type: ICMP(0x1), Src=[10.15.0.77], Dst=[10.15.0.78]
ICMP Packet Header
ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 20536
Hex and ASCII dump of the packet:
0017c5af 96de6073 5cf03041 08004500 00640007 0000ff01 *......`s\.0A..E..d......*
a6d90a0f 004d0a0f 004e0800 50380002 00000000 0000000b *.....M...N..P8..........*
2e05abcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd *........................*
abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd abcdabcd *........................*
abcdabcd abcdabcd abcdabcd abcdabcd abcd *.................. *
TomG Newbie ✭
Thanks. I actually just found the problem a little bit ago. I found an article that indicated at least one option for Management had to be active on the interface for it to accept traffic. Doesn't make any sense to me since it's never going to be used for Management but checking those options on the interface did start allowing traffic to pass.
How is the X2 interface configured: as a bridge? As a PortShield interface? What do your access rules look like? You haven't provided us much info.
For clarification, without enabling the Ping option under Management on the interface you won't get replies to pings. No management option should need to be enabled for the interface to pass other traffic.
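The capture in the original post can be decoded offline to check what was actually dropped. The Python below is an added example, not part of the thread and not SonicWall tooling; it embeds the metadata line and the first two hex-dump lines from that capture. The function names are hypothetical, and treating 10.15.0.78 as the firewall's X2 address is an assumption drawn from the poster's description.

```python
import re
import struct
from ipaddress import IPv4Address

# Metadata line and first 48 bytes of the hex dump, copied from the capture
# in the original post (enough for the Ethernet, IPv4 and ICMP headers).
CAPTURE = r"""
in:X2*(interface), out:--, DROPPED, Drop Code: 40(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5473_txGsIboemfJqQlu), 0:0)
0017c5af 96de6073 5cf03041 08004500 00640007 0000ff01 *......`s\.0A..E..d......*
a6d90a0f 004d0a0f 004e0800 50380002 00000000 0000000b *.....M...N..P8..........*
"""
META_RE = re.compile(r"in:([^*(,]+)\*?\(interface\), out:([^,]+), (\w+), "
                     r"Drop Code: (\d+)\(([^)]*)\)")

def parse_capture(text):
    """Return (metadata dict, raw frame bytes) from packet-monitor text."""
    m = META_RE.search(text)
    if m is None:
        raise ValueError("no packet metadata line found")
    meta = {"in": m[1], "out": m[2], "status": m[3],
            "drop_code": int(m[4]), "drop_reason": m[5]}
    raw = bytearray()
    for line in text.splitlines():
        hexpart = line.split("*", 1)[0].replace(" ", "")  # drop ASCII column
        if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", hexpart):
            raw += bytes.fromhex(hexpart)
    return meta, bytes(raw)

def decode_headers(raw):
    """Decode IPv4 fields plus the two bytes after the IP header (ICMP type/code)."""
    if len(raw) < 34 or struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet frame")
    ihl = (raw[14] & 0x0F) * 4
    if ihl < 20 or len(raw) < 14 + ihl + 4:
        raise ValueError("truncated or malformed IPv4 header")
    header = raw[14:14 + ihl]
    total = sum(struct.unpack("!%dH" % (ihl // 2), header))
    while total >> 16:                       # fold carries (ones' complement)
        total = (total & 0xFFFF) + (total >> 16)
    return {"src": IPv4Address(header[12:16]), "dst": IPv4Address(header[16:20]),
            "proto": header[9], "ip_checksum_ok": total == 0xFFFF,
            "icmp_type": raw[14 + ihl], "icmp_code": raw[14 + ihl + 1]}

def is_dropped_ping_to_interface(meta, hdr, interface_ip):
    """True when the drop is an echo request addressed to the firewall itself."""
    # interface_ip is supplied by the caller; 10.15.0.78 for X2 is an assumption.
    return (meta["status"] == "DROPPED" and hdr["proto"] == 1
            and hdr["icmp_type"] == 8 and hdr["dst"] == IPv4Address(interface_ip))
```

A True result means the dropped packet was addressed to the firewall's own interface, which is the case the last reply ties to the Ping option under Management, rather than traffic passing through to another host.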