
VLAN problem on NSA 2600 - losing access to physical interface

I have an NSA 2600 that we use as a backup firewall, and I want to tunnel segregated Guest traffic from Unifi APs to this firewall. I have set up a virtual interface on X0 (X0:V615), enabling the DHCP server on this virtual interface (172.16.20.1).

When I connect my phone to the test Guest SSID, it gets an IP address in the V615 IP range (172.16.20.X), so communication to the firewall is working; however, we then lose access to the physical interface IP (10.0.0.2). We have to wait from a few hours to a week for the NSA to sort itself out. We have seen loads of ARP requests in the logs, and made the change to the diag settings to limit these to 100 per 60 secs, but it still drops the connection. Also, the Data Plane is constantly at 99%.

The ping results are very sporadic and we can't access the firewall, e.g.:

Reply from 10.0.0.2: bytes=32 time=4ms TTL=64
Request timed out.
Reply from 10.0.0.2: bytes=32 time=5ms TTL=64
Reply from 10.0.0.2: bytes=32 time=5ms TTL=64
Reply from 10.0.0.2: bytes=32 time=5ms TTL=64
Request timed out.
Reply from 10.0.0.2: bytes=32 time=3ms TTL=64
Request timed out.
Reply from 10.0.0.2: bytes=32 time=5ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Reply from 10.0.0.2: bytes=32 time=5ms TTL=64

Has anybody experienced this before? Is it an issue on the Sonicwall?

Category: Mid Range Firewalls
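As an added example (not code from this thread or from SonicWall), here is a small log check for the ARP-request flood described above: it counts ARP requests per interface and sender MAC in a sliding 60-second window and reports any sender that exceeds the 100-per-60-seconds ceiling the post mentions, so a flooding host on the V615 segment can be identified from the logs. The log layout and the sample lines are constructed assumptions, not the NSA's real log syntax.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log in a generic syslog-like layout (an assumption, not SonicWall's real
# format). Lines must be in time order. Host ...:01 on X0:V615 bursts 6 ARP requests in 5 s.
SAMPLE_LOG = """\
2024-01-15T09:00:00 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
2024-01-15T09:00:01 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
2024-01-15T09:00:01 X0 DHCP OFFER 10.0.0.55 to 11:22:33:44:55:66
2024-01-15T09:00:02 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
2024-01-15T09:00:03 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
2024-01-15T09:00:04 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
2024-01-15T09:00:05 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
2024-01-15T09:00:07 X0 ARP request who-has 10.0.0.2 tell 10.0.0.40 src=aa:bb:cc:00:00:02
2024-01-15T09:00:30 X0 ARP request who-has 10.0.0.2 tell 10.0.0.40 src=aa:bb:cc:00:00:02
2024-01-15T09:01:30 X0:V615 ARP request who-has 172.16.20.1 tell 172.16.20.37 src=aa:bb:cc:00:00:01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<iface>\S+) ARP request .* src=(?P<mac>[0-9a-f:]{17})$")

def parse_arp_requests(text):
    """Yield (timestamp, interface, sender MAC) for each ARP request line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["iface"], m["mac"]

def find_arp_storms(text, limit=100, window_s=60):
    """Return {(iface, mac): peak_count} for senders exceeding `limit` ARP requests in any
    window_s-second window. Defaults mirror the 100-per-60-seconds ceiling from the thread."""
    recent = defaultdict(deque)   # (iface, mac) -> timestamps still inside the current window
    peaks = {}
    for ts, iface, mac in parse_arp_requests(text):
        key = (iface, mac)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps that left the window
            q.popleft()
        if len(q) > limit:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

if __name__ == "__main__":   # low threshold so the small constructed sample triggers
    for (iface, mac), n in find_arp_storms(SAMPLE_LOG, limit=5).items():
        print(f"{iface}: {mac} sent {n} ARP requests inside one {60} s window")
```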

Answers

  • GMP Newbie ✭

    A few items come to mind:

    • Spanning Tree root for VLAN 615. Assuming that the NSA 2600 is connected to a switch fabric, assure that the spanning tree root for VLAN 615 is on the switch that is directly connected to the SonicWall. If the spanning tree root is on the wrong switch, it will affect performance.
    • CPU load. Look at the Live Monitor, especially the Multi-Core Monitor. If the CPU is pegged, performance will suffer.
    • Check the firmware version. A firmware bug pegged the CPU when external blacklists were used. It was repaired with a hotfix. Assure that the firmware is the latest release. ("enable dynamic botnet list" download causing CloudSyncTask to reach 100% usage. This is reported under issue ID: GEN6-2190.)

    I hope that this helps.

    Greg

  • Hi Greg,

    STP is on the fabric switch (HPE 5130 in HA). I can ping the SonicWall from the phone, and get an IP address from DHCP (which is on the SonicWall for that VLAN), so connectivity (I don't think) is the issue. The Multi-Core Monitor is showing that all 3 cores for the Data Plane are at 99%. The firmware of this device is 6.5.3.3.

  • TKWITS Community Legend ✭✭✭✭✭

    6.5.3.3 is quite old, the latest being 6.5.4.8, so get to upgrading!

    What is the purpose of getting to the IP of the SonicWall physical interface 10.0.0.2 from your GUEST VLAN? Did the symptoms exist prior to the introduction of the VLAN?
