NEW 3700: no WAN traffic on ANY interface
Hi, all! Working on installing a new NSA 3700 (firmware just upgraded to v7.0.1-5161-R6164), can't get any traffic on any interface (LAN, DMZs, WLAN) to route to WAN. The mgmt console (ping, tracert, MySonicwall validations, etc.) work perfectly thru either of the two (2) WAN interfaces. Nothing wrong with either WAN interface (production 2650 works perfectly with same ISP trunks). IPSec routes to other offices (VPN) all connect and can ping fine from within firewall diagnostics pages. Very basic LAN/WAN ANY/ANY rule in place, moved up to priority one; no effect. Created new NAT rule just for testing; no effect. Rules from 2650 replicated to 3700; no effect. Can connect devices thru APs and get DHCP addresses to devices, but no WAN access.
I'm missing something very basic here. Any assistance would help. (Reminder: WAN circuits are not an issue)
Thanks. Steve
Answers
Are the counters incrementing as expected on NAT and access rules?
What is the status of the probes in F&LB?
Thanks for the response. I don't have any probes running on any interfaces, and the usage thingy often shows a LOT of "traffic" but no hits. I don't know, the new interface with the ingress/egress bubble things doesn't make any sense to me with the values they're showing.
Like I said, the logical access rules and routing are in place, and I've even put in NAT policies just to see if they help but no go. Still trying to find an answer. I can't down my production 2650 to get this one online without a lot of forward planning so advice on routes, NATs, and Access Policies would help. I can't see any variances between the operational 2650 and the new 3700. At this point I'm about to do a conversion/restore from the configuration tool and just fix the mess after validating connectivity.
That would have been my starting point.
Did some more tinkering this morning… X1 out still isn't working, but X2 (if I unplug X1) gets all traffic to WAN perfectly. Load balancing on or off, traffic pushed to X2 works perfectly fine. Can anyone suggest any tools to help me t/s this? Eyeballing routes, NATs and access rules is showing me nothing. Confirming that the WAN trunk (ISP) for X1 is working perfectly fine on 2650.
And yes, the 3700 graphical displays show regular hits on whatever rule I'm examining.
Arkwright, I would have done the conversion route first if it worked. I did the conversion on a different pair of 2650/3700 units and there was a conversion issue that broke the LOG | AUTOMATION pages; it's now completely unusable on the first 3700 converted and Sonicwall tech support has stopped communicating on the issue and closed it with no resolution. I need the logs (amongst other things) to support client ISO requirements and can't risk another firmware issue that Sonicwall can't fix.
Just FYI: I restored a CONVERTED 2650 configuration to this (second) 3700 and it broke the LOGS | AUTOMATION feature, just like the first conversion done on a different 2650→3700. Same error, same place, same feature. But that's not what this ticket is about; just saying I've gone the conversion route despite it having broken previous firewalls. I'll continue testing when I can schedule downtime with our production 2650.
Have you thought about backing up the config, flattening the 3700, bringing it up to 5161 and building the config from scratch? Otherwise you're working backwards.
You always have the backup if needed, but it sounds like the configuration isn't too extensive, and you can always extract parts of the config manually.
What is the status of the probes in F&LB?