Packet Monitor - Ingress *(i)
BWC
Hi there,
at one deployment of a NSA 3600 HA I'm having trouble with one specific VLAN. I'm somewhat certain that the switch guys messed this up, but they are the almighty untouchable Cisco wizards (who messed up, not for the first time, just saying).
I'm receiving packets shown in the Packet Monitor with an Ingress Interface *(i) which results in a:
DROPPED, Drop Code: 21(Packet on invalid vlan), Module Id: 16(fwCore), (Ref.Id: _1755_kprwvJqqm) 2:2)
Is there a way to figure out on which physical interface this was actually received?
--Michael@BWC
Category: Mid Range Firewalls
Comments
Hi @BWC,
It looks like the traffic is received by the SonicWall along with a VLAN tag value. This VLAN interface with its ID is not configured on any of the firewall interfaces and hence firewall cannot mark any interface on the dropped packets. The screenshot is insufficient to tell about the interface on the SonicWall that this traffic is received.
Please check the source and destination MAC addresses on the dropped packets, check the ARP table on the SonicWall appliance to relate and confirm the interface that this traffic is received by the firewall.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @Saravanan
Well yeah, of course this VLAN is not configured on any of the interfaces, that's why I was looking into this in the first place.
But the packet is not falling from the sky, it must be received on one (or more) interfaces and this is what usually the Ingress Interface shows.
Simple question: What does *(i) mean as Ingress Interface?
If I add the VLAN on the interface where I suspect the wrong VLAN, I can see packets dropped with:
The main question still stands.
--Michael@BWC
So in other words, I cannot figure out on which interface this miraculously generated packet entered the firewall? Hmm, OK.
--Michael@BWC
The MAC address cannot be found in the ARP table because my uneducated guess is that the ARP resolution cannot work if the packet gets dropped before that, but what do I know.
--Michael@BWC
Gonna have to correct you on this, per the SonicWall SonicOS 6.5 documentation page 98/135
"The firewall interface on which the packet arrived is marked with an asterisk (*)"
Subsystem Type Abbreviations
"i = Interface"
@Sam_Smith beat me to it...
this is actually well documented.
My suggestion would be to run a packet capture on the interface with no other filtering, review the VLAN tags on the packets, and yell at the Cisco fools.
Wouldn't be my first time yelling at them for getting things wrong.
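Both pieces of advice in this thread (Saravanan's "check the MAC addresses on the dropped packets against the ARP table" and the later "capture on the interface and review the VLAN tags") come down to the same triage: pull the 802.1Q tag and MACs out of each frame, see whether that VLAN ID is configured on any firewall interface, and if not, fall back to the ARP table to guess which physical interface the frame came in on. The script below is an added example written for this thread, not SonicWall code and not the original poster's; the interface names, VLAN IDs, MAC addresses and ARP entries are all constructed placeholders, and it parses raw Ethernet frames (e.g. exported from a capture) rather than the Packet Monitor's own output format.

```python
import struct
from collections import namedtuple

# Constructed sample configuration (hypothetical; not from the thread):
# firewall interface -> VLAN IDs configured as sub-interfaces on it.
CONFIGURED_VLANS = {
    "X1": {10, 20},
    "X2": {30},
}

# Constructed ARP table as you would read it off the firewall: MAC -> (IP, interface).
ARP_TABLE = {
    "00:11:22:33:44:55": ("192.0.2.10", "X1"),
    "66:77:88:99:aa:bb": ("198.51.100.7", "X2"),
}

Frame = namedtuple("Frame", "dst src vlan ethertype payload")


def mac_str(raw6):
    """Render six raw bytes as a colon-separated lowercase MAC address."""
    return ":".join(f"{b:02x}" for b in raw6)


def parse_ethernet(raw):
    """Parse an Ethernet II frame; if the EtherType is 0x8100, pull the 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    vlan, offset = None, 14
    if ethertype == 0x8100:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN ID (0 = priority-tagged)
        offset = 18
    return Frame(mac_str(dst), mac_str(src), vlan, ethertype, raw[offset:])


def build_frame(dst, src, vlan, ethertype, payload):
    """Build a frame for the constructed samples below (vlan=None means untagged)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def classify(frame):
    """Return (verdict, detail).

    "ok"           -> detail is the list of interfaces where that VLAN is configured
    "untagged"     -> no 802.1Q tag present, nothing to check here
    "invalid-vlan" -> tag carries a VLAN no interface knows (the firewall would drop it);
                      detail is the interface inferred from the ARP table, or None
    """
    if frame.vlan is None:
        return ("untagged", None)
    ifaces = sorted(i for i, vlans in CONFIGURED_VLANS.items() if frame.vlan in vlans)
    if ifaces:
        return ("ok", ifaces)
    # The firewall cannot name an ingress interface for an unknown VLAN, so correlate
    # the frame's MACs with the ARP table to infer where that host is plugged in.
    for mac in (frame.src, frame.dst):
        if mac in ARP_TABLE:
            return ("invalid-vlan", ARP_TABLE[mac][1])
    return ("invalid-vlan", None)


def tally_invalid(raw_frames):
    """Group offending frames by unknown VLAN ID -> {(source MAC, inferred interface)}.

    This is the evidence to hand the switch team: which tags are leaking and from whom.
    """
    seen = {}
    for raw in raw_frames:
        frame = parse_ethernet(raw)
        verdict, guess = classify(frame)
        if verdict == "invalid-vlan":
            seen.setdefault(frame.vlan, set()).add((frame.src, guess))
    return seen


if __name__ == "__main__":
    payload = b"\x00" * 20  # constructed filler; contents do not matter for the tag check
    samples = [
        build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", 20, 0x0800, payload),   # fine
        build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", 99, 0x0800, payload),   # stray VLAN 99
        build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:01", 99, 0x0806, payload),   # unknown host
        build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", None, 0x0800, payload), # untagged
    ]
    for raw in samples:
        f = parse_ethernet(raw)
        print(f.src, "->", f.dst, "vlan", f.vlan, classify(f))
    print("invalid VLAN summary:", tally_invalid(samples))
```

Run it against frames from a capture taken on the suspect interface with no capture filter, as suggested above, and the summary tells you which VLAN IDs are arriving that no sub-interface claims; a hit in the ARP column gives you the interface to start on, while an empty column means the sending host has never been resolved by the firewall (consistent with the ARP-table dead end described in the thread).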