
Packet Monitor - Ingress *(i)

BWC Cybersecurity Overlord ✭✭✭

Hi there,

at one deployment of a NSA 3600 HA I'm having trouble with one specific VLAN. I'm somewhat certain that the switch guys messed this up, but they are the almighty untouchable Cisco wizards (who messed up, not for the first time, just saying).

I'm receiving packets, shown in the Packet Monitor with an Ingress Interface *(i), which results in a:

DROPPED, Drop Code: 21(Packet on invalid vlan), Module Id: 16(fwCore), (Ref.Id: _1755_kprwvJqqm) 2:2)

Is there a way to figure out on which physical interface this was actually received?

--Michael@BWC

Category: Mid Range Firewalls

Comments

  • Hi @BWC,

    It looks like the traffic is received by the SonicWall along with a VLAN tag value. This VLAN interface with its ID is not configured on any of the firewall interfaces and hence the firewall cannot mark any interface on the dropped packets. The screenshot is insufficient to tell which interface on the SonicWall this traffic is received on.

    Please check the source and destination MAC addresses on the dropped packets, and check the ARP table on the SonicWall appliance to relate them and confirm the interface on which this traffic is received by the firewall.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWC Cybersecurity Overlord ✭✭✭
    edited November 2020

    Hi @Saravanan

    Well yeah, of course this VLAN is not configured on any of the interfaces, that's why I was looking into this in the first place.

    But the packet is not falling from the sky, it must be received on one (or more) interfaces, and this is what the Ingress Interface usually shows.

    Simple question: what does *(i) mean as Ingress Interface?

    If I add the VLAN on the interface where I suspect the wrong VLAN, I can see packets dropped with:

    DROPPED, Drop Code: 208(Null Source Zone.), Module Id: 25(network), (Ref.Id: _1924_uyHtRcemgvKpkv) 2:2)
    

    The main question still stands.

    --Michael@BWC

  • @BWC - *(i) has no meaning and simply means invalid.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWC Cybersecurity Overlord ✭✭✭

    So in other words, I cannot figure out on which interface this miraculously generated packet entered the firewall? Hmm, OK.

    --Michael@BWC

  • @BWC - We cannot find out the interface directly. Like I said in my previous comment, please check the MAC address on the dropped packet and compare it with the ARP table on the firewall. This is a kind of workaround.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • BWC Cybersecurity Overlord ✭✭✭

    The MAC address cannot be found in the ARP table because my uneducated guess is that the ARP resolution cannot work if the packet gets dropped before that, but what do I know.

    --Michael@BWC

  • @BWC - Are you not seeing the Source MAC on the dropped packet? If you have any difficulties, I would recommend that you approach our support team and seek further help.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Gonna have to correct you on this, per the SonicWall SonicOS 6.5 documentation, page 98/135:

    "The firewall interface on which the packet arrived is marked with an asterisk (*)"

    Subsystem Type Abbreviations

    "i = Interface"

  • TKWITS Community Legend ✭✭✭✭✭

    @Sam_Smith beat me to it...

    This is actually well documented.

    My suggestion would be to run a packet capture on the interface with no other filtering, review the VLAN tags on the packets, and yell at the Cisco fools.

    Wouldn't be my first time yelling at them for getting things wrong.
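The two workarounds proposed in this thread (compare the dropped packet's source MAC against the firewall's ARP/MAC table, and capture on the suspected interface and read the VLAN tags off the frames) can be scripted against a raw capture. The following is an added example and not SonicWall code or anything from the posters: it parses 802.1Q (and stacked 802.1ad) tags from constructed Ethernet frames, reproduces the "invalid VLAN" decision against an assumed set of configured VLAN IDs, and attributes each frame to a physical interface through an assumed MAC-to-interface table. The interface names X1/X2, the VLAN set and the sample frames are constructed for the demonstration. As Michael points out above, the attribution only works when the source MAC is already known on some configured interface; a MAC seen only on the unconfigured VLAN stays unattributed.

```python
import struct

# Tag protocol identifiers for 802.1Q and 802.1ad (QinQ) tags
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def parse_ethernet(frame: bytes) -> dict:
    """Parse the Ethernet header and any stacked VLAN tags.

    Returns source/destination MAC as strings, the VLAN IDs from outer to
    inner (empty list for an untagged frame) and the payload ethertype.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    offset = 12
    vlan_ids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated ethertype field")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "vlan_ids": vlan_ids, "ethertype": ethertype}


def triage_frame(frame: bytes, configured_vlans: set, mac_table: dict) -> dict:
    """Mimic the 'Packet on invalid vlan' decision and guess the ingress
    interface by looking the source MAC up in a MAC/ARP table."""
    hdr = parse_ethernet(frame)
    outer_vid = hdr["vlan_ids"][0] if hdr["vlan_ids"] else None
    if outer_vid is None:
        verdict = "untagged"
    elif outer_vid in configured_vlans:
        verdict = "ok"
    else:
        verdict = "invalid vlan"
    return {"src": hdr["src"], "dst": hdr["dst"], "vlan": outer_vid,
            "verdict": verdict,
            # None when the MAC was never learned on a configured interface
            "likely_interface": mac_table.get(hdr["src"])}


def build_frame(dst: str, src: str, vlan_id=None, ethertype=0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a test frame; PCP/DEI bits of the tag are left zero."""
    hdr = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed data: VLAN IDs assumed to exist on the firewall, and a
# hypothetical ARP/MAC table mapping learned MACs to physical interfaces.
CONFIGURED_VLANS = {10, 100}
MAC_TABLE = {
    "00:11:22:33:44:55": "X1",
    "00:11:22:33:44:66": "X2",
}
SAMPLE_FRAMES = [
    build_frame("00:de:ad:be:ef:01", "00:11:22:33:44:55", vlan_id=100),  # fine
    build_frame("00:de:ad:be:ef:01", "00:11:22:33:44:66", vlan_id=999),  # stray VLAN
    build_frame("00:de:ad:be:ef:01", "00:11:22:33:44:77"),               # untagged
]


def triage_all(frames=SAMPLE_FRAMES, configured_vlans=CONFIGURED_VLANS,
               mac_table=MAC_TABLE) -> list:
    return [triage_frame(f, configured_vlans, mac_table) for f in frames]


if __name__ == "__main__":
    for result in triage_all():
        print(result)
```

Fed a real capture, the "invalid vlan" rows with a `likely_interface` of `None` are exactly the frames the thread is about: the VLAN is not configured anywhere, so the firewall never learned the MAC and cannot name the port. For those, the only remaining evidence is the per-interface capture TKWITS suggests.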
