Permitting ICMP on a virtual interface across an IPSec tunnel on the remote network

Hey everyone,

I have an IPSec tunnel established between an NSa 4700 and a TZ670 security appliance. The TZ670 was recently upgraded from a Gen 6 NSA appliance.

I'm encountering an issue where I can't ping a virtual interface on the LAN zone of the remote TZ670. All other functions and features, including management, are working as expected.

I've created a rule to permit ICMP traffic from SRC Zone: VPN to DST Zone: V:199 on all interface IPs, but the hit counter never increases. Below is the drop code ingress on X1*(i):

ICMP Packet Header  ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 19779  Value:[1]  DROPPED, Drop Code: 742(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2793_qpmjdzDifdl) 2:2  

Has anyone else run into this?

Thanks for your time!

Category: Mid Range Firewalls

Best Answer

  • TKWITS Community Legend ✭✭✭✭✭
    edited January 23

    Did you enable 'enable management traffic' on the rule, or the same in the VPN tunnel config?

Answers

  • Tytec Newbie ✭

    I was almost 100% certain I did but apparently I clicked on the "Allow Fragmented Packets" check box. That was it! Thanks a million!
