
Enable TCP sequence number randomization & asymmetric routing relationship?

I have a SonicWALL NSa 2650 connected to a cisco 2960L router which then connects to a cisco 9200L switch.

My PC is connected to the 2960L router.

PC is 192.168.2.150, gateway 192.168.2.254

NSa 2650 IPs are 192.168.2.254 and 192.168.98.1, and it is the default gateway for the network.

9200L is doing SVI and has 192.168.2.100 and 192.168.98.190 as its IPs; its default route is 192.168.98.1.

192.168.2.0 is VLAN1

192.168.98.0 is VLAN 98

I can ping the 9200L from my PC with no problems.

If I try Telnet or SSH, it fails, and if I look in the switch packet monitor, it says "Packet dropped - cache add cleanup drop the pkt".

When I have the "Enable TCP sequence number randomization" option enabled, this continues to fail.

If I disable "Enable TCP sequence number randomization" SSH and Telnet work as expected. However this is considered an insecure practice.

Now, from what I can tell, my PC is sending packets to the firewall, which is then forwarding them to the 9200L switch. The switch, which is aware of the 192.168.2.0 network, just fires the packet back to my PC, not via the firewall. This seems to be an asymmetric routing issue, because the path from my PC is not the path to my PC.

However, enabling the asymmetric routing option on the appropriate interfaces doesn't seem to fix this issue on the firewall.

Anyone have a solution to make this work, or do I need to redesign my network?


Thanks,

Category: Mid Range Firewalls

Best Answers

  • TKWITS (Community Legend ✭✭✭✭✭), accepted answer:

    See the discussion here and come back with questions. I don't think 'TCP sequence randomization' has anything to do with your issue.

    https://community.sonicwall.com/technology-and-support/discussion/comment/18299

  • Arkwright (All-Knowing Sage ✭✭✭✭), accepted answer:

    Option 2 - redesign your network.

    You need to decide whether you want to apply the UTM features to your internal traffic, and use the Sonicwall.

    Or just plain old routing between internal networks and use your L3 switch.
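
To make the path argument in the question and Arkwright's second option concrete, here is a small added model (not code from the original thread, from SonicWall or from Cisco) that applies longest-prefix-match forwarding to the addresses given in the question and compares each forward path with its reply path. It assumes the SSH target is the switch's VLAN 98 SVI, 192.168.98.190: the question does not say which switch address was used, and that is the only one for which the described PC > firewall > switch path arises. The two "redesigned" topologies are my assumptions about what "let the L3 switch do the routing" would look like, not something either answer spells out.

```python
"""Forwarding-path model for the topology in the thread (added example).

Addresses are the ones given in the question. The SSH target is assumed to
be the switch's VLAN 98 SVI (192.168.98.190); the redesigned topologies are
assumptions, not configurations from the thread.
"""
import ipaddress

# Each device: interface addresses (connected subnets) and static routes.
# As posted: PC and firewall share VLAN 1, the firewall is the PC's gateway,
# and the L3 switch has an SVI in both VLANs with its default route at the firewall.
AS_POSTED = {
    "PC":      {"ifaces": ["192.168.2.150/24"],
                "routes": [("0.0.0.0/0", "192.168.2.254")]},
    "NSa2650": {"ifaces": ["192.168.2.254/24", "192.168.98.1/24"],
                "routes": []},
    "9200L":   {"ifaces": ["192.168.2.100/24", "192.168.98.190/24"],
                "routes": [("0.0.0.0/0", "192.168.98.1")]},
}

# Assumed half-measure: only the PC's gateway moves to the switch SVI, while the
# firewall keeps its VLAN 1 interface. Included to show why that is not enough.
HALF_REDESIGN = {
    "PC":      {"ifaces": ["192.168.2.150/24"],
                "routes": [("0.0.0.0/0", "192.168.2.100")]},
    "NSa2650": AS_POSTED["NSa2650"],
    "9200L":   AS_POSTED["9200L"],
}

# Assumed full form of "plain old routing on the L3 switch": the firewall only
# sits on transit VLAN 98 and reaches VLAN 1 via a static route to the switch.
L3_SWITCH_ROUTES = {
    "PC":      HALF_REDESIGN["PC"],
    "NSa2650": {"ifaces": ["192.168.98.1/24"],
                "routes": [("192.168.2.0/24", "192.168.98.190")]},
    "9200L":   AS_POSTED["9200L"],
}


def owner_of(ip, topo):
    """Device holding address ip, or None if nobody in the model owns it."""
    ip = ipaddress.ip_address(ip)
    for name, dev in topo.items():
        if any(ipaddress.ip_interface(i).ip == ip for i in dev["ifaces"]):
            return name
    return None


def next_hop(device, dst, topo):
    """Longest-prefix match over connected subnets and static routes.
    A connected match delivers to dst directly; a static route to its gateway."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for iface in topo[device]["ifaces"]:
        net = ipaddress.ip_interface(iface).network
        if dst in net:
            candidates.append((net.prefixlen, dst))
    for prefix, gw in topo[device]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            candidates.append((net.prefixlen, ipaddress.ip_address(gw)))
    return max(candidates, key=lambda c: c[0])[1] if candidates else None


def trace(src, dst, topo, max_hops=8):
    """Devices a packet from src traverses on its way to address dst."""
    dst = ipaddress.ip_address(dst)
    path, cur = [src], src
    for _ in range(max_hops):
        if owner_of(dst, topo) == cur:      # packet has reached its destination
            return path
        hop = next_hop(cur, dst, topo)
        nxt = owner_of(hop, topo) if hop is not None else None
        if nxt is None:
            return path + ["unreachable"]
        path.append(nxt)
        cur = nxt
    return path + ["loop"]


def symmetric(a, a_ip, b, b_ip, topo):
    """True when the reply path is the forward path reversed. A stateful
    firewall only sees both halves of the TCP handshake when this holds."""
    fwd = trace(a, b_ip, topo)
    rev = trace(b, a_ip, topo)
    return fwd == rev[::-1], fwd, rev


if __name__ == "__main__":
    cases = [("as posted", AS_POSTED), ("half redesign", HALF_REDESIGN),
             ("L3 switch routes", L3_SWITCH_ROUTES)]
    for label, topo in cases:
        for peer, ip in [("9200L", "192.168.98.190"), ("NSa2650", "192.168.98.1")]:
            ok, fwd, rev = symmetric("PC", "192.168.2.150", peer, ip, topo)
            print(f"{label:16} PC<->{peer:8} {'symmetric ' if ok else 'ASYMMETRIC'} "
                  f"fwd={' > '.join(fwd)}  rev={' > '.join(rev)}")
```

In the "as posted" model the SYN goes PC > NSa2650 > 9200L but the SYN-ACK goes 9200L > PC, which is exactly the one-sided handshake the question describes. Moving only the PC's gateway to the switch SVI fixes PC-to-switch traffic but makes traffic that has to cross the firewall asymmetric in the other direction, because the firewall still delivers replies straight onto VLAN 1; the firewall's VLAN 1 interface has to go (with a static route back through the switch) for the paths to line up in both cases.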
