
10.2.0.3 - MobileConnect Client address via DHCP - ARP timeout?

BWCBWC Cybersecurity Overlord ✭✭✭

Hi,

I came across the problem that the communication between a MobileConnect and a Server suddenly stopped. I tested this with a constant ping and was able to tcpdump the ECHO_REQUEST and ECHO_REPLY on the Server, but it does not reach the Client anymore.

The problem was that the MobileConnect Client IP which got requested through DHCP via the SMA is no longer in the ARP cache of the Firewall. When adding a manual route for the NetExtender DHCP Range to the SMA everything worked again without interruption.

It seems that the SMA isn't doing the ARP publish correctly or at least not honoring any subsequent ARP requests?

Has anyone else seen this, or is it already addressed?

--Michael@BWC

Category: Secure Mobile Access Appliances

Comments

  • CFTCFT Newbie ✭

    Mobile Connect is dropping connections for me as well. NetExtender works okay.

    When you said "adding a manual route for the NetExtender DHCP Range to the SMA everything worked again without interruption."

    Are you doing this through policy?

    I'm using an SMA 200 and TZ 400.

    I have two domains, two DCs; DHCP is handled by the DCs.

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited February 2021

    Hi @CFT

    Hmmm, this is interesting: what could cause MobileConnect not to work but NetExtender, if they are both fired by DHCP assignments? Interesting.

    This is what I mean about the route

    TZ (X4) 192.168.55.1
    DHCP-Range 192.168.55.128 - 192.168.55.254 (provided by TZ, could be DC as well)
    
    SMA (X0) 192.168.55.16
    

    On the TZ I created a network object NetExtenderRange 192.168.55.128-.254 which I explicitly route through a Network route.

    Source Any - Destination NetExtenderRange - Interface X4 - Gateway SMA IP

    With that route I don't care about ARP resolution timeouts anymore.

    But this can only work if your DHCP scope is exclusively for NetExtender/MobileConnect clients.

    Hope this helps.

    --Michael@BWC

  • CFTCFT Newbie ✭

    Thanks

    I’m managing the VPN Client IP addresses using a static pool on the SMA 200 via Users/Local Groups/Policy.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @CFT

    This shouldn't make a difference if your Client Address Range is handled on the SMA itself; the Firewall (Gateway) should know where to find the address. Just check the ARP table on the Default Gateway Device your SMA is pointing to, maybe it's a similar issue.

    --Michael@BWC
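
The ARP check suggested in this thread can be scripted; the following is an added example, not code from any poster or from SonicWall. It assumes the gateway's ARP table has been exported as plain "IP MAC" lines and that the SMA answers ARP for client addresses with its own MAC; the MAC addresses, the export format and the list of active clients are constructed, and only the address range comes from the thread.

```python
import ipaddress

def pool_addresses(first, last):
    """Expand an inclusive first-last range into a set of IPv4Address objects."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}

def parse_arp(text):
    """Parse 'IP MAC' lines (assumed export format) into {IPv4Address: mac}."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            table[ipaddress.IPv4Address(parts[0])] = parts[1].lower()
    return table

def check_clients(active_clients, arp_table, pool, sma_mac):
    """Classify each active VPN client address by the gateway's ARP state."""
    findings = {}
    for ip_text in active_clients:
        ip = ipaddress.IPv4Address(ip_text)
        if ip not in pool:
            findings[ip_text] = "outside-pool"
        elif ip not in arp_table:
            findings[ip_text] = "no-arp-entry"   # the symptom described in the thread
        elif arp_table[ip] != sma_mac.lower():
            findings[ip_text] = "wrong-mac"      # a non-VPN host shares the range
        else:
            findings[ip_text] = "ok"
    return findings

# Constructed sample data (MACs and client list are invented for illustration).
SMA_MAC = "00:11:22:33:44:16"
ARP_EXPORT = """\
192.168.55.16  00:11:22:33:44:16
192.168.55.130 00:11:22:33:44:16
192.168.55.140 AA:BB:CC:DD:EE:01
"""
ACTIVE = ["192.168.55.130", "192.168.55.131", "192.168.55.140"]

def run_sample():
    pool = pool_addresses("192.168.55.128", "192.168.55.254")
    return check_clients(ACTIVE, parse_arp(ARP_EXPORT), pool, SMA_MAC)

if __name__ == "__main__":
    for ip, state in run_sample().items():
        print(ip, state)
```

A "wrong-mac" result also matters for the static route workaround: a host in the range that is not behind the SMA would be routed to the SMA anyway, which is why the range has to be exclusive to VPN clients.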
