
NEW 3700: no WAN traffic on ANY interface

Hi, all! Working on installing a new NSA 3700 (firmware just upgraded to v7.0.1-5161-R6164), can't get any traffic on any interface (LAN, DMZs, WLAN) to route to WAN. The mgmt console (ping, tracert, MySonicwall validations, etc) work perfectly thru either of the two (2) WAN interfaces. Nothing wrong with either WAN interface (production 2650 works perfectly with same ISP trunks). IPSec routes to other offices (VPN) all connect and can ping fine from within firewall diagnostics pages. Very basic LAN/WAN ANY/ANY rule in place, moved up to priority one; no effect. Created new NAT rule just for testing; no effect. Rules from 2650 replicated to 3700; no effect. Can connect devices thru APs and get DHCP addresses to devices, but no WAN access.

I'm missing something very basic here. Any assistance would help. (Reminder: WAN circuits are not an issue)

Thanks. Steve

Category: Mid Range Firewalls

Answers

  • Arkwright Community Legend ✭✭✭✭✭

    Are the counters incrementing as expected on NAT and access rules?

    What is the status of the probes in F&LB?

  • Thanks for the response. I don't have any probes running on any interfaces, and the usage thingy often shows a LOT of "traffic" but no hits. I don't know, the new interface with the ingress/egress bubble things doesn't make any sense to me with the values they're showing.

    Like I said, the logical access rules and routing are in place, and I've even put in NAT policies just to see if they help but no go. Still trying to find an answer. I can't down my production 2650 to get this one online without a lot of forward planning so advice on routes, NATs, and Access Policies would help. I can't see any variances between the operational 2650 and the new 3700. At this point I'm about to do a conversion/restore from the configuration tool and just fix the mess after validating connectivity.

  • Arkwright Community Legend ✭✭✭✭✭

    At this point I'm about to do a conversion/restore from the configuration tool and just fix the mess after validating connectivity.

    That would have been my starting point.

  • Did some more tinkering this morning… X1 out still isn't working, but X2 (if I unplug X1) gets all traffic to WAN perfectly. Load balancing on or off, traffic pushed to X2 works perfectly fine. Can anyone suggest any tools to help me t/s this? Eyeballing routes, NATs and access rules is showing me nothing. Confirming that the WAN trunk (ISP) for X1 is working perfectly fine on 2650.

    And yes, the 3700 graphical displays show regular hits on whatever rule I'm examining.

  • Arkwright, I would have done the conversion route first if it worked. I did the conversion on a different pair of 2650/3700 units and there was a conversion issue that broke the LOG | AUTOMATION pages; it's now completely unusable on the first 3700 converted and Sonicwall tech support has stopped communicating on the issue and closed it with no resolution. I need the logs (amongst other things) to support client ISO requirements and can't risk another firmware issue that Sonicwall can't fix.

  • Just FYI: I restored a CONVERTED 2650 configuration to this (second) 3700 and it broke the LOGS | AUTOMATION feature, just like the first conversion done on a different 2650→3700. Same error, same place, same feature. But that's not what this ticket is about; just saying I've gone the conversion route despite it having broken previous firewalls. I'll continue testing when I can schedule downtime with our production 2650.

  • MarkD Cybersecurity Overlord ✭✭✭

    Have you thought about backing up the config, flattening the 3700, bringing it up to 5161 and building the config from scratch? Otherwise you're working backwards.

    You always have the backup if needed, but it sounds like the configuration isn't too extensive, and you can always extract parts of the config manually.

  • Arkwright Community Legend ✭✭✭✭✭

    Can anyone suggest any tools to help me t/s this?

    What is the status of the probes in F&LB?

  • @MarkD, yes I restored it back to factory and set up the interfaces for LAN/WAN per our needs. Moved our WAN trunks (X1, X2), enabled F&LB, and tested. Still no traffic getting off LAN to WAN. Added numerous testing NATs, rules and policies, no go. Default config had zero connectivity between devices on LAN and WAN. Firewall diagnostics can ping and resolve external DNS names; can ping internal IPs. LAN-based workstation can ping internal IPs and resolve internal DNS names, but the default config for this traffic is running off a 5412 switch (routing all non-internet traffic). External ping and tracerts on LAN workstation fail; no traffic getting past firewall. Also converted and restored a 2650 config, ALSO no external (WAN) traffic whatsoever there as well. Something obvious is missing here: all NATs are the same, all Routes are the same, and all Policies are the same as on the 2650; no go. Move cabling back to 2650 and all is right with the world.

    @Arkwright, no clue what you're asking. Yes, probing is turned on for the F&LB feature, and Statistics show increasing metrics. Management IP route metrics show the expected traffic (high since I'm working off the Mgmt i/f); the default route (0.0.0.0) metrics show no activity, minor levels, and no Hits for the last 1.5 hours. If there's something specific I can show you or answer, feel free.

  • Just FYI, I did a factory reset (restore factory config) on this 3700 to test whether in default state the firewall can route LAN traffic to WAN correctly; it can't (contrary to everything I've read from Sonicwall docs and KBs). Default route correct, default NATs and policies and routes in place; no success.

    If I build a Portshield port with X0 and run a laptop on it I can get to websites, but DNS resolution does not work (regardless of how I config the DNS settings). Does the 3700 require me to route ALL LAN traffic through a Portshielded port instead of the LAN routed traffic?
