maximum S2S Policies - Datasheet vs. Real-Life - what is it?
BWC
Cybersecurity Overlord ✭✭✭
Hi,
while planning some new deployments I was looking into the max number of Site-2-Site Tunnels the Gen7 can run and experienced a discrepancy between the values mentioned in the Datasheet vs. the numbers I can gather from a running appliance.
That is what I saw from the limited range of Appliances I have in the field right now.
Model  Firmware  Datasheet  Real
270    R5023     50         200
570    R5018     200        250
670    R5030     250        250
So what is to expect? Should I go with the Datasheet values, or is the TZ 270 for example powerful enough for running 4 times the Datasheet value?
--Michael@BWC
Category: Entry Level Firewalls
Answers
Where are you getting your 'real' numbers from? Actual tunnels built, or what the GUI reports?
The values I mentioned labeled as "real" are from the Statistics Pop-Up on the VPN Policies page.
Maybe it's a similar glitch to the incorrect amount of DPI-SSL Connections in earlier firmware releases.
But that's all speculation, I don't know why no one from SNWL chimes in.
--Michael@BWC
Even in the TSR, it still gives a similar value for MAX SA on the TZ270. So maybe the backend design is 200, but for budget and model, they "officially" support 50. We all know documentation is the weakness of SonicWALL.
@NAT sadly, you're right. It would be an easy thing to answer for SNWL, but the swarm isn't in the mood or just doesn't care.
--Michael@BWC
I have to bring this up again, while checking the logs after updating to 7.0.1-5050 my TZ showed this message in the System Log:
This is a factory reset (empty) TZ 670 appliance, no VPNs defined so far. Does this mean it would be currently limited to 50 Policies, which is clearly a bug and should be addressed? VPN Statistics still show 250 Maximum Policies allowed. What is it then?
Is there a way to figure out what's going on without creating tons of Policies?
--Michael@BWC
Maybe it's worth mentioning to @EnaBev
Hello!
Thanks for flagging this - I'll have someone from support take a look and get back to you.
Let me know if you have any questions in the meantime.
@BWC Apologies for the delay here. Regarding your initial question on the TZ270: this device supports a total of 50 Site to Site VPN Tunnels and 200 Phase 1 Security Associations.
You can create up to 50 tunnels however each tunnel may contain multiple Security Associations depending on the amount of networks added to the VPN Tunnels.
Regarding the second issue you have with the TZ670, I would recommend reaching out to our Technical Support (https://www.sonicwall.com/support/contact-support/) as that seems to be a backend mismatch.
@fmadia thanks for checking into this. But the information does not add up.
For example, a customer has 20 Policies defined on a TZ 470 (7.0.1-5050), each Policy contains two local and one remote network, which results in 40 SAs. According to the Screenshot the Statistics imply that 20 out of 200 Policies are defined. According to the Datasheet the TZ is capable of 150 S2S Tunnels and (or is it or?) 200 IPSec VPN Clients.
It's either Policies or SAs, but it should be clearly communicated. This would mean in a worst-case scenario four VPN Policies with 5 local and 10 remote networks each could exhaust the capacity? This wasn't the case in Gen6 AFAIR, because this customer had a TZ 400 before and never hit the 20 S2S Tunnel limit.
For the sake of accuracy I highly recommend showing the real values, because the numbers mentioned in the Datasheet could be misleading.
--Michael@BWC
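The two posts above describe the same capacity model from two angles: a tunnel limit (50 on the TZ270 per support) and a separate Security Association limit (200), where each policy consumes one SA per local/remote network pair. The following is an added planning check, not code from the thread or from SonicWall; it assumes the "local networks x remote networks = SAs per policy" relationship that the thread's own figures imply (2x1 per policy gives 40 SAs for 20 policies, 5x10 per policy gives 200 SAs for 4 policies) and uses the TZ270 limits quoted by support as defaults. It lets you see how close a planned set of policies is to the SA ceiling before building them, and which policies would be the best candidates for the Tunnel Interface workaround.

```python
from dataclasses import dataclass

# Limits quoted by SonicWall support in this thread for the TZ270.
# For other models, pass the values for your appliance explicitly.
MAX_TUNNELS = 50
MAX_SAS = 200


@dataclass(frozen=True)
class Policy:
    """A site-to-site VPN policy described only by its network counts."""
    name: str
    local_networks: int
    remote_networks: int

    def security_associations(self) -> int:
        # Assumption (inferred from the thread's numbers): one SA is negotiated
        # per local/remote network pair, so a policy with 2 local and 1 remote
        # network costs 2 SAs, and 5 local x 10 remote costs 50 SAs.
        return self.local_networks * self.remote_networks


def capacity_report(policies, max_tunnels=MAX_TUNNELS, max_sas=MAX_SAS):
    """Compare a planned policy set against the tunnel and SA limits.

    Returns a dict with the totals, what is left, and whether the set fits.
    'fits' is True at exactly the limit (the capacity is used up but not
    exceeded), which is the worst case Michael describes above.
    """
    tunnels = len(policies)
    sas = sum(p.security_associations() for p in policies)
    return {
        "tunnels": tunnels,
        "sas": sas,
        "tunnels_remaining": max_tunnels - tunnels,
        "sas_remaining": max_sas - sas,
        "fits": tunnels <= max_tunnels and sas <= max_sas,
    }


def heaviest_policies(policies, top=3):
    """Policies ranked by SA consumption.

    These are the ones worth converting to Tunnel Interface VPNs with static
    routes (the workaround suggested in the thread) when the SA budget is tight.
    """
    ranked = sorted(policies, key=lambda p: p.security_associations(), reverse=True)
    return [(p.name, p.security_associations()) for p in ranked[:top]]


if __name__ == "__main__":
    # Constructed sample matching the customer case quoted in the thread:
    # 20 policies, each with 2 local and 1 remote network.
    customer = [Policy(f"branch-{i:02d}", 2, 1) for i in range(20)]
    print(capacity_report(customer))

    # Constructed worst case from the thread: 4 policies with 5 local and
    # 10 remote networks each exhaust the 200-SA budget with only 4 tunnels.
    worst = [Policy(f"hub-{i}", 5, 10) for i in range(4)]
    print(capacity_report(worst))
    print(heaviest_policies(worst + customer))
```

Run as-is to reproduce both figures from the thread; substitute your own policy list (and the limits for your model) to check a deployment before it is built.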
@BWC I agree with you that the Statistics shown there might be misleading and I believe the Support Team should investigate further on this too, so I'd highly recommend you reach out on the same.
As for the limitation with the Security Associations, these can be easily avoided by using Tunnel Interface VPNs and using static routes - that will be a workaround to the Security Associations limitation.
@fmadia if we are talking SNWL-to-SNWL or any other remote side which supports Tunnel Interfaces we're golden, but for the others we're stuck.
I try to find the patience to handle this with support.
--Michael@BWC
Michael @BWC - did you ever log this problem as a support case?
I just rebooted my TZ270W to placate a CSR on another case and this was the first message in the new system log.
VPN policy count received exceeds the limit; Min policies required: 200, MySonicWALL returned: 10
So if there is an error, and SW support knows, at least I can hope for a fix in a future firmware update. Otherwise, I'll do the needful.
Thanks!
Larry
@Larry no, I did not find the time for another time-consuming rodeo. IMHO this should be answered by product management and not via a time-consuming fishing expedition with probably senseless remote sessions, TSR requests etc.
--Michael@BWC
Case 43920582 opened on March 22, 2022.
Last update April 14, 2022:
The issue is reported to backend team
The engineering team are working on it
Whatever...
On August 9, I updated my TZ270W to SonicOS 7.0.1-5080.
The strange message is still the first one in the log:
There's no status change to my open case...
Today, August 23, I got the following email from Support about my case:
I had called you to inform that the fix has been pushed to the firewall TZ270W, serial number ([redacted]).
Please could you check and confirm and also please let us know if there are any other serial numbers to be fixed.
To find out if the message no longer appeared, I rebooted the firewall. It no longer appears. I am impressed.
Now, of course, I'm left wondering: How did they "push a fix" to my firewall? What is the normal fix process? Shouldn't they check their telemetry to find out what else is affected rather than asking me? And did this fix merely eliminate the message - or did it fix the problem?
Boundless continues....
Edited to say: apparently the fix is not on my device, but was made on the back-end. Makes all the difference in the world!
they will get somewhere some day! slowly but surely