
Connection Error / Time recording terminal / VPN

Auer Newbie ✭
edited November 2020 in Entry Level Firewalls

Hi,

we have replaced an old SonicWall TZ105 (version 5.9.x) with a new TZ350 (version 6.5). Since we replaced the firewall, our time recording terminal loses the connection every 2 minutes.

We installed the new firewall from a backup of the old firewall. We have also set up a new firewall for testing without any configuration and set up the VPN fresh; same error.

For testing we have already installed the old firewall again; then the terminal works perfectly.

No packets are dropped. I only see that there are more connections from the server to the terminal. The server software is Java-based and opens only port 6001 on the terminal. All connections go over a VPN. The headquarters firewall is an NSA 3600 (version 6.5) and the branch firewall is a TZ350 (version 6.5).


Anyone has idea?


Best regards Martin

Category: Entry Level Firewalls

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    Martin,

    I would NOT recommend importing a config to/from different models. While SonicWall says this is possible, I have only ever had bad results. I barely trust importing same-model configs.

    That being said, I would factory reset the TZ350 and set it up with a BASIC configuration to get it functional. Make sure NO security services are enabled, specifically Intrusion Prevention and Content Filtering. Replace the TZ105 with the TZ350, establish the VPN tunnel, and re-test.

    If things are functional and stable, then begin to implement configuration changes to bring the firewall to your specifications. Do not make too many changes at once; you will lose the ability to track a change that could have broken the connection.

    Questions about the 'terminal': does the device have a static IP address or a DHCP-leased address?

    Questions about the VPN tunnel: did you change anything about the tunnel to get it functional on the TZ350? Try using something stronger than MD5 and SHA1 for encryption/authentication.

    Hope that helps.

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @Auer,

    Try disabling the DPI feature in the LAN to VPN ACL rule on the TZ350.

    For that, navigate to Firewall --> Access Rules --> choose the LAN to VPN ACLs --> click Configure on the ACL created for your NSa 3600 --> go to Advanced --> enable "Disable DPI" --> Apply and try.


  • Hi @AUER,

    Thank you for visiting SonicWall Community.

    Have you tried importing the config from the TZ 105 to the TZ 350? If so, did you get a chance to verify whether the configuration import is supported?

    One clue I can give you is to tweak the TCP connection timeout in the LAN to VPN (or vice versa) access rules.

    You may need to create an access rule from LAN to VPN and vice versa based on just the service (TCP 6001) and apply this configuration change. Please choose a TCP timeout value, possibly a lower one for security reasons.

    Please have this tried out. Hope this helps.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Auer Newbie ✭
    edited November 2020

    Hi,


    Thanks for the replies. Disabling DPI doesn't help. Changing the UDP timeout doesn't help either. I have changed the VPN to Phase 1 AES-128 / SHA256 / Phase 2 AESGCM16-256; doesn't help. The IP address of the terminal is static.


    Here is the connection monitor. There are 4 connections. Normally there is only one connection.


    All working connections have a source port over 60000. The bad connections have a source port under 60000. Perhaps the problem is here?
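The two threads of this discussion, the per-rule TCP connection timeout suggested above and the source-port pattern in the connection monitor, can be checked from the server side with an idle-session probe. The script below is an added example, not code from the thread or from SonicWall: it opens one TCP session, holds it idle for a chosen number of seconds, then sends a probe and classifies what comes back. A session that a firewall has silently aged out of its state table typically shows up as a receive timeout (which Winsock reports as 10060, WSAETIMEDOUT), while an explicit teardown shows up as a reset. The local echo server, its "silent" mode, the `PING` payload and the idle steps are hypothetical stand-ins so the script runs offline; against the real terminal you would point `run_probe_series` at the terminal's IP and port 6001 with idle gaps around the 2-minute mark.

```python
# Added diagnostic example (not from the forum thread): probe whether a stateful
# firewall/VPN gateway silently expires an idle TCP session to the terminal port.
import socket
import threading
import time

TERMINAL_PORT = 6001  # port the time-recording server opens on the terminal (from the thread)


def start_echo_server(host="127.0.0.1", port=0, silent=False):
    """Hypothetical stand-in for the terminal so the probe runs offline.
    silent=True reads and discards input without replying, which mimics a
    middlebox that dropped the session state (the probe then times out).
    Returns the bound port (0 lets the OS pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(8)

    def handle(conn):
        with conn:
            while True:
                chunk = conn.recv(1024)
                if not chunk:
                    return
                if not silent:
                    conn.sendall(chunk)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def probe_idle_session(host, port, idle_seconds, reply_timeout=5.0, keepalive=False):
    """Open one TCP session, hold it idle, then send a probe and wait for the echo.

    Returns a dict whose "status" is one of
      "alive"   - echo received after the idle period (session state survived)
      "timeout" - no reply within reply_timeout; the classic symptom of a dropped
                  state-table entry (Winsock reports this as 10060 / WSAETIMEDOUT)
      "reset"   - the peer or a middlebox answered with RST
      "closed"  - the peer closed the session cleanly (FIN)
    "source_port" lets you correlate the session with the firewall's connection monitor.
    """
    with socket.create_connection((host, port), timeout=reply_timeout) as s:
        if keepalive:
            # TCP keepalives refresh the firewall's idle timer without application traffic.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        source_port = s.getsockname()[1]
        time.sleep(idle_seconds)
        started = time.monotonic()
        try:
            s.sendall(b"PING\n")
            data = s.recv(64)
            status = "alive" if data == b"PING\n" else ("closed" if not data else "unexpected")
        except socket.timeout:
            status = "timeout"
        except ConnectionResetError:
            status = "reset"
        return {"status": status, "source_port": source_port,
                "reply_ms": round((time.monotonic() - started) * 1000, 1)}


def run_probe_series(host, port, idle_steps=(0, 1, 2), reply_timeout=5.0):
    """Probe with increasing idle gaps; the first gap that stops returning "alive"
    brackets the middlebox's idle timeout. Returns one result per step."""
    return [dict(idle_seconds=i, **probe_idle_session(host, port, i, reply_timeout))
            for i in idle_steps]


if __name__ == "__main__":
    # Self-test against the local stand-in. Against the real terminal use e.g.
    # run_probe_series("<terminal ip>", TERMINAL_PORT, idle_steps=(30, 60, 120, 180)).
    port = start_echo_server()
    for result in run_probe_series("127.0.0.1", port):
        print(result)
    print(probe_idle_session("127.0.0.1", start_echo_server(silent=True), 0, reply_timeout=0.5))
```

Run it from the server side of the tunnel so the probe traverses the same LAN to VPN rule as the Java application. If sessions survive short gaps but fail at the gap that matches the rule's TCP timeout, the rule-level timeout (or a keepalive on the application socket, shown by the `keepalive` flag) is the knob to turn; if they fail regardless of idle time, the cause is elsewhere.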


  • Hi @AUER,

    Have you tried tweaking the TCP timeout value based on the specific service TCP 6001?

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Auer Newbie ✭

    Hi,


    I have created access rules. No effect.


  • Auer Newbie ✭

    Here is the logfile of the application.


    (5396) 11/17/20 10:27:04.934 - error code: 0
    (4396) 11/17/20 10:27:04.981 - Receiving response 10060
    (204) 11/17/20 10:27:04.997 - Receiving response 10060
    (1896) 11/17/20 10:27:05.28 - Receiving response 10060
    (5396) 11/17/20 10:27:05.44 - RsctTcCommuHandler
    (5396) 11/17/20 10:27:05.44 - Rsct_MB90574_Based::CommHandler
    (5396) 11/17/20 10:27:05.44 - Receive data...
    (5396) 11/17/20 10:27:05.44 - ReadABlockExt (timeout:20000 ms) max 160 bytes...
    (5932) 11/17/20 10:27:05.259 - Receiving response 10060
    (2596) 11/17/20 10:27:05.290 - Receiving response 10060
    (1472) 11/17/20 10:27:05.368 - Receiving response 10060
    (5396) 11/17/20 10:27:05.587 - Receiving response 10060
    (5076) 11/17/20 10:27:05.634 - Receiving response 10060
    (4396) 11/17/20 10:27:05.634 - Receiving response 10060
    (204) 11/17/20 10:27:05.649 - Receiving response 10060
    (1896) 11/17/20 10:27:05.681 - Receiving response 10060
    (5932) 11/17/20 10:27:05.900 - Receiving response 10060
    (2596) 11/17/20 10:27:05.931 - Receiving response 10060
    (1472) 11/17/20 10:27:06.9 - Receiving response 10060

  • Auer Newbie ✭

    Hi,


    I got some additional information. The communication starts IP-based, and once the connection is established the communication continues MAC-address based.
