Unknown Ether type ingress dropping packets
Twizz728
Newbie ✭
I'm starting to get complaints from a customer that they can no longer connect to a intranet site hosted by our vendor. I have a VPN gateway that is connecting to the vendors site and now the vendor site is failing connection requests. I can't ping the vendor site and when I look through the packet monitor I'm seeing packets being dropped.
Ethernet Header
Ether Type: 0x8ffd(0x8ffd), Src=[b8:37:b2:c4:97:ac], Dst=[ff:ff:ff:ff:ff:ff]
Ethernet Type: Unknown
Value:[0]
DROPPED, Drop Code: 17(Unknown Ether type ingress.), Module Id: 16(fwCore), (Ref.Id: _3085_kprwvJqqm) 1:1)
It is showing in packet monitor the the X6 interface is the ingress for this connection, but this device and this IP I'm doing the packet monitor on is on the X0 LAN interface. My X6 interface is used for my public or guest network, so I'm not for sure why this is showing up on packet monitor.
Does anyone know why the packets would be dropping? There was a comment on an earlier thread that was talking about an Aruba instant on device. Strange enough, I installed an Aruba Instant On Switch and AP22 last week around the time this started happening, but those devices are on a completely separate interface and subnet. Not for sure why that would come into play.
Thanks!
Answers
Sonicwalls only handle IP, so if you see "unknown ethertype" then it's not IP and probably not relevant to your problem.
If you don't want to see packets on X6 then put X0 in the interface filter.
@Arkwright No I want to see all the traffic from a particular IP, but I couldn't understand why X6 was even in the equation. The X0 interface is my LAN and X6 is my Public network and they are segmented, so I don't know why X6 is even showing up in the packet monitor. I'm not for sure if the SonicWALL is the issue in my problem. I'm going to move the endpoint from behind the firewall to see if that fixes the issues, but I've been having strange issues like this lately with my SonicWall and that's why I automatically went to the firewall this time.
I don't know why X6 is even showing up in the packet monitor
We can only guess because you haven't said exactly what you put in the capture filter.
@Arkwright The capture filter is only looking for traffic coming from an IP on my network. I've not filtered out ports or destination. I'm looking for any packets that are dropped. In my case it seems like packets are being dropped intermittently. I'm not for sure if this is a Firewall issue. They can access the site some times and then the connection is dropped at random times.
The reason you see packets on X6 in there is because you've filtered on IP and nothing else. Yes, the firewall "knows" that the IP you've specified should be on X0 but you didn't tell the firewall that you were only interested in X0. So if you put X0 in the interface names box then you won't see these mystery packets that have nothing to do with X0.
@Arkwright, So the references to X6 is not saying that packets are trying to go to or come from X6 to the X0 interface? I'm just curious because the two interfaces do not have trust and I would assume that they wouldn't try to connect or send packets to one another.
Thanks!
@Twizz728 the Aruba Switch is sending out these packets for a specific reason (Aruba knows best), the SNWL catches it on X6 and complains it cannot handle it. IMHO this is nothing to worry about, it probably gets to the SNWL on every port that is connected to that Aruba switch.
Your Packet Monitor configuration is not limited to any Ether Type (e.g. IP) therefore you can see everything that is "polluting" your network.
It might have something to do with this:
--Michael@BWC
>@Arkwright, So the references to X6 is not saying that packets are trying to go to or come from X6 to the X0 interface?
No - unknown ethertype = not IP = the Sonicwall cannot carry it. So it's not in any meaningful sense going to X0.