MPan Newbie ✭
WeWork is the culprit. WeWork had an ESP filter that caused the instability of the IPSec tunnel. Thanks to @MASTERROSHI, @LARRY, and @TKWITS for pointing me in the right direction.
@MASTERROSHI, Here is the response from WeWork - "Our core layer device does utilize ESP ALG for our own IPsec tunnels back to our datacenters. This should not have any impact on your IPsec tunnel as the security policy applied to public IPs we allocate to members have 0 restrictions with no ALG applied, see below:" Source…
@MASTERROSHI, There is no issue with the Gen6 site. Tunnel interface works fine on the Gen6 with another Gen6(1). I observe the same issue with Gen7 and Gen6(1).
@MASTERROSHI, Thank you for your advice. I took a pcap of ESP/ICMP with "Monitor intermediate IPsec traffic" enabled on both the Gen6 and Gen7 SNWL; first I took a pcap when the pinging is working and then again when pinging is not working. When pinging is working, there is no ICMP traffic between the two external interfaces; this…
@TKWITS, WeWork provides a drop with a public static IP; I have no visibility into their network. I have requested clarification, but WeWork previously stated that WeWork does not block any port. I understand it is unlikely that either Verizon or WeWork is blocking ESP/IKE/IPSec, especially when the tunnel interface is up and…
@TKWITS, G6 is on a Verizon FIOS circuit. G7 is located in a WeWork building; it is using Verizon FIOS also.
10/1, I talked to a SonicWALL "senior" support tech this morning. After a Bomgar session that was a repeat of the previous sessions, the "senior" tech concluded that since the ICMP packet is consumed by the virtual private network tunnel but the packet does not show up on the packet capture of the destination device,…
@ENABEV, Thank you for following up. I just received a reply from support after you reached out.
@TKWITS, each appliance is now on the latest firmware. The TZ270 is on 7.0.1-5023-R1826; the TZ350 is on 220.127.116.11-89n. I tried earlier firmware and it did not work either. I tried a Site-To-Site tunnel previously, same issue. Furthermore, out of three subnets behind the Gen 6, only 1 random subnet may be ping-able at different times. Tried…
@TKWITS, the VPN configuration was rebuilt by SonicWALL support. I believe the Gen7 I have is defective; however, I cannot get support to replace the Gen7. After support hit the wall, communication ceased. There is no NAT since all the subnets are unique. Access rules check out; it's any-any for LAN to VPN and vice…
@ENABEV, Day is almost over, and there is still no response from SonicWALL support on this important issue. Do you have any recommendation on how to proceed? If I call the support line again, I will just go through the same address objects, access rules, NAT rules, route policies, and packet capture again with a different…
I sent another status update request this morning, 9/30. The Gen6 device is a TZ350. The Gen7 device is a TZ270.
On Tuesday, 9/28, SonicWALL support could not locate any available senior tech, so we scheduled a support appointment later in the day. The afternoon appointment was a no-show. I tried to request an update this morning, and there has been no reply as of end-of-day today. My supervisor has inquired about an RMA for the Gen7 device, RMA…
@ENABEV, There was no call back on Friday. I called a 3rd time on Friday, and after a two-hour Bomgar session I was advised to reset my Gen7 device to factory and reconfigure the device; that did not fix the problem. I have spent around three hours today so far working with SonicWALL support, and there is still no solution. Here is…
@Larry, I do plan on calling back. However, I have meetings and other responsibilities that do not allow me to stay on hold indefinitely just to be cut off again and again.