Channel: Network Security - Recent Threads

NetExtender not connecting all of a sudden??

On a previously working machine, NetExtender won't connect.  We can log in, enter one time password, and appears to be connecting, then pops up with "Releasing security functions..." then "Remote Access Service error! (Rebooting might resolve the problem."  

Rebooting does not resolve problem.  Other machines are connecting OK.  Reinstalled NetExtender twice.  Internet connectivity is OK.  Disabled AV and Windows Firewall....no resolution.  I don't see any Windows updates or any other recently installed software.

Windows 10, 64-bit laptop.  SSL-VPN 4600   v8.1.0.3-17sv

Any suggestions would be greatly appreciated.


ping timeouts issue on vpn between two nsa 3600s, why??

We're having people occasionally have their remote desktop host sessions get dropped.

They're on a VPN between two Sonicwall NSA 3600s, fairly similar configurations.

When pinging, I noticed different results with different ping timeout values.

With a ping timeout of 500 ms or 750 ms, failed pings occur frequently.

With a ping timeout of 1000 ms, pings don't fail.

What kinds of things should I look at to ascertain the cause(s) or remedy(ies)??

Ping times are usually in the high 30's, ping TTL is 50.

Is this a latency issue?? TCP timeout issue??

What should be reviewed to see why the dropped RDS host connections??

People on other VPNs to the same SonicWalls don't experience these dropped connections, they only occur within a specific site-to-site VPN...what should be reviewed for possible adjustments??

Thank you, Tom

SonicWall Global VPN Client causes High CPU usage of tapisrv service on Windows 10

When I use the SonicWall Global VPN Client on Windows 10, my CPU usage for the tapisrv process increases, even after I exit the VPN client. The only solution is to reboot.

How can this get fixed?

See attached picture of Resource Monitor.

SonicWall Global VPN Client 4.9.14.0427
Windows 10 Version 1607 , OS Build 14393.51

How to replicate. Boot into Windows 10, Start the client and connect to VPN server. Disable the connection and exit the VPN client. Then see that tapisrv is using CPU.  See attached picture of Resource Monitor.

App rules and excluding on-firewall traffic between zones

Hi guys, I am hoping someone could assist me.

I have multiple zones set up, eg. dmz, students, faculty etc, I have a pretty strict App Rule that is blocking VPN, Remote, Proxy etc access signatures. We do however need access to some of those apps intra-zone, eg. VNC between student and faculty zones. How do I modify the App Rule to only prevent internet bound traffic and not local traffic? I would actually prefer not having any on-firewall intra-zone application filtering as it interferes with things like WDS etc. I have tried using "wan subnets" as the destination but it then matches nothing.

Thanks!

NSA 2600, SonicOS 6.2.5.1-26n

TZ400 Packet Monitor Mess

I have a few TZ400 series sonicwalls.  I'm trying to look for some traffic in the packet monitor.  I set the filter up for Source IP to be the computer in question, but when I start capture, I end up with HUNDREDS of packets with no source or destination IP.

I would think creating a filter on the IP should eliminate anything that does not have that IP address but it doesn't seem to?  This makes packet hunting a needle in a haystack!  At 50 items per page, I end up with 20 pages and maybe 10 total records actually meet my filter criteria.

Am I doing something wrong?  Any help would be extremely appreciated!

Thanks!

NSA 2400 - Web access request dropped

I have a web server hosting an API sitting behind an NSA 2400. I followed these instructions (support.software.dell.com/kb/sw7484) to open up the web server to the web. Internally, the web service works perfectly. From outside our network, we occasionally receive 504 errors at random. After tracing with Wireshark I found failed requests are not making it to the web server. SonicWall is logging a "Web Access Request Dropped" error. I'm not familiar with SonicWall logs. How can I resolve this problem given the log detail below?

Configuring SonicWall for use with Google Fiber without having to use the Google Fiber Network Box?

I am moving to a city with Google Fiber & I would like to be able to connect my SonicWall directly into their Google Fiber Jack and not have to double NAT my home network behind their router/Google Fiber Network Box.

After doing quite a bit of research I have found it is possible to use your own device, though you have to change some settings to get optimized performance. Essentially according to the tutorials I have found on setting up other Firewalls/Routers I will have to tag the traffic out the WAN with a 802.1q vlan id of 2. I need to know how to do this with my firewall.  

Examples of configuring other devices for this can be found here: 
www.itnutt.com/.../

& here:
www.stevejenkins.com/.../

After searching around the knowledge base and SonicWall forums I am not finding useful information for this particular setup.  Any help will be appreciated.

DPI-SSL: Is there a reference of suffixes that one needs to add to the CNE list specifically for Outlook or other major packages (such as Microsoft Office)?

We have Office 365 as a service, no Exchange server but use Office 2013 Pro and therefore Outlook 2013 on our computers. I tried to enable DPI-SSL – Client SSL on our NSA 4500 yesterday but Outlook started displaying pop-ups to our users who in-turn inundated me with phone calls and emails, so I disabled it. For example, two pop-ups were for autodiscover-s.outlook.com and pod51045.outlook.com.

I know we are talking about site certificates but email is a big security concern for many organizations so I am being extra cautious about it. I don’t want to add outlook.com to Common Name Exclusions (CNE) because of everything that could come in via email, we definitely want it all checked. If I did add outlook.com to the CNE, would that cause all emails to be bypassed for DPI-SSL because they are coming through Outlook? How many certificates for Outlook are there? Should I have users select View Certificate – Install for any and all Security Alerts ending in outlook.com? We also have users that only have access via web mail outside of our network – will they be affected and, if so, in what way? What would be the best way to handle all of this? I have already used Group Policy in Active Directory to distribute the certificate to all our computers for IE. All of our mobile device users also received the certificate via email so they can install it on their phone, tablet, etc. I added URLs to the CNE list prior to enabling DPI-SSL but I understand we’ll encounter others as users access various sites. I can add the two URLs that popped up to the list but more from Outlook may keep coming up. Is there a reference of URLs (suffixes) that one needs to add to the CNE list specifically for Outlook or other major packages (such as Microsoft Office)?

SonicWall NSA 4500; SonicOS Enhanced 5.9.1.6-5o

Majority of users on our network are Windows 7 Pro SP1 with automatic updates;  MS Office Professional Plus 2013; web mail - Office 365 as a service


IPv6 on 6.2

RDP To Servers on Site to Site VPN networks

Hi All,

I am attempting to connect to a sonicwall via GVC which works great. I can RDP to a server on that network. The problem is that I have 3 networks connected via site to site vpn and I cannot rdp to servers on the other two networks unless I do it from the original RDP connection. In other words, I can get across the site to site vpn as long as I am doing it from a server located on one of the networks, but not from my laptop connected via GVC.

I am thinking this is some sort of  routing issue but I do not know where to start. Since I can access servers across the site to site VPN from the local network, I would think that my laptop, which is just a node off the local network, should also be able to connect. Possibly it is a Global VPN policy issue. At any rate, any help is much appreciated.

Thanks

Can't connect to PPPoE using Sonicwall TZ170 SonicOS 3.4.1.0 Enhanced or 3.1.1.6 P9s Standard

Dear all,

I just purchased an old Sonicwall TZ170 to have better control over my home internet, but our ISP uses only a PPPoE connection.

I reset the device to factory default, upgraded to the latest firmware and configured the WAN using the Wizard. I added the user and password and tried to connect, but with no results.

If I plug the WAN cable into the existing router everything works perfectly. Also, I called the ISP and described the problem to him, and he told me that they see the device in the network, but it's unable to receive the IP.

Can I do anything? I tried with the default MTU 1500 and also with MTU 1492, but with no results.

I need advice on whether I can use this Sonicwall with a PPPoE connection.

Thank you.

Nick

This issue was never resolved - Sonicwall is a major fail

I just called in tech support as I had hoped that after all this time they would have figured out what changes to the firmware made VPNs fail.

But instead I get the dangerous advice to rely on an old firmware that is nearly 1.5 years old. When asking support what has changed, they tell me that the way they work is to do the upgrade first and then try to fix everything that might have broken. Wow. Does anyone in 2016 still operate technology infrastructure like that?


Unbelievable.

New Unifi AP-AC-LR and AP-AC-Pro not working with Sonicwall Soho


We have been installing Unifi AP's running off a Dell Sonicwall port at multiple installations for over 6 years with no problems. We are now upgrading both the Sonicwalls for improved security purposes and the Unifi units to add increased range and 5ghz.

The Sonicwall's are Dell Sohos.

The Unifi units are AP-AC-LR and AP-AC-Pro (we've also tested with the older Unifi units which are 2.4 ghz only with the same results.) Running off the X4 port.

The old Unifi AP's work OK with the old Sonicwalls.
The new Unifi AP's work OK with the old Sonicwalls.
The old Unifi AP's work OK with the new Sonicwalls sometimes.
The new Unifi AP's DO NOT work with the new Sonicwalls.

Our wifi monitor shows an initial connection and available wifi that lasts for maybe a minute or so, then the wifi goes off the air. Resetting the Unifi POE does result in the Unifi appearing on the air again for about a minute or so.

Both the Sonicwalls and the Unifi AP's are running the latest firmware.

Any suggestions at what to look at would be appreciated.

Thanks

Email attachment file type blocking not working.

Have been trying to set up blocking email attachments with a .docm filetype. Followed these old instructions at support.software.dell.com/kb/sw8351. Tested with a file with a .docm file type attached to the email and email still arrives with the .docm file attached and the inside is still intact.

We are testing this using a TZ 105 with the latest firmware.

Any ideas would be appreciated, thanks.

SRA1200 admin account using otp locked out

My SRA1200 uses an admin account with a one time password set. We have moved email services, and I can no longer log in as admin on that appliance, but can log in as a user which does not use OTP. Any ideas how I can recover the ability to log on as admin?

Thanks

Tony


Site-to-site VPN - active / standby - HA - remote location

Hi,

Below are two remote Data Centres: DCA and DCB. I would like the SonicWall at DCA to be the Primary unit and the one at DCB to be the secondary unit in case of failure. I am thinking of using site to site VPN in order to get the HA working? HA will use the interface X5. Now I am wondering if that is something we can do? Most of the active/standby designs have the 2 SonicWalls at the same location, so directly connected, which is slightly different from mine.

Thanks in advance

Enforced client anti-virus options for Windows 10?

One of the reasons we have not yet upgraded to Windows 10 is that, as I understand it, it is not supported by the McAfee enforced client anti-virus, and there are no plans to support it. Instead they are apparently coming out with a new product some time in 4Q (any time now, actually). Is that still correct?

I also recently noticed that there is a Kaspersky enforced client anti-virus product available now that does apparently support Windows 10. However, that requires a separate license. Is it possible to have a McAfee license switched to a Kaspersky license?

If anyone has answers to these questions, they would be appreciated. Thanks!

Need help in configuring HyperV VM to have their own VLAN ID to work with cisco SF300 and Sonic wall TZ205

Hello,

I am trying to setup my VM to operate on their own VLAN ID so that they are isolated from each other in terms of networking.

I have a Hyper-V 2012 server, a Cisco SF300-24 (layer 2 mode) and a SonicWall.  I want to have each VM on its own separate subnet, isolated from each other using VLAN IDs.  I believe I am stuck at setting up the switch and SonicWall to accept this traffic from the server.

I have already assigned a VLAN ID to each VM on the server but I am not sure on my setup on the switch.  I believe, I have to setup the port that is connected to the server as a Trunk so that it can handle the multiple IDs and then another port that is connecting to the Sonic wall as a Trunk as well.

I am also using the GUI to do this on the switch.  

Is there a guide that I can follow or someone point me away on a path?

Inter-Zone communication of different trust levels

I have a NSA240 running 5.9.1.1 OS.  I have a LAN zone in X:0 and a Public zone in X:7 (This version only lets me configure Trusted, Public, Wireless, and SSLVPN zone types in the menu).  I have created the Public zone to test some high security settings, and I therefore wanted to create all inter-zone rules manually instead of automatically, therefore the Public zone is NOT trusted, and no rules are configured automatically.

As such, I know that by default, the Public zone is denied access to any LAN zones by default.  However, I created firewall rules allowing traffic (testing with any-any-any= allowed), and found that I cannot communicate between the two.

Since this is not utilizing NAT, I need not configure policies.  I just want to allow simple end-to-end communication between the zones with specific devices (but first, I want to test with the least specific rules to make sure it works before tightening security).  As such, I cannot get communication working between the two.

Note: I am NOT going to enable Trust on the new custom zone, as I do not want automatic trust level between my LAN zones and this.  This is supposed to be a higher security zone and only specific communications will be allowed.  Aside from firewall rules, what else do I need here?

Static ARP on LAN interface

Hello,


Our company has changed firewall hardware and got an NSA 2600 (6.2.6.0).

We are still doing the implementation for the new one, and the SonicWall is still in a test environment.

We have 5 stores and 3 different wi-fi networks to identify the zone.

The old configuration has 3 static ARP gateways on the LAN interface, one for each wi-fi gateway.

In the SonicWall we added a static ARP for each wi-fi gateway (192.168.200.0/192.168.201.0/192.168.202.0).

Our LAN class is 192.168.0.0.

We created a network object as LAN zone for each wi-fi and added it to routing (to and from each network object).

I also added an access rule in LAN-LAN from the LAN subnet to each wi-fi network and vice versa.

We have about 12-15 access points on each wi-fi, and the devices connect and redirect RDP sessions to the LAN server.

The old firewall works great with this configuration.

The problem is this:

The laptop, tablet or any device that connects to one of the access points gets a LAN IP from the internal DHCP server.

I tried to start an RDP session, but it took a long time and was very unstable.

I tried to ping the remote server, and the ping time goes from 800/1000 ms to 2000/2500 ms.

That makes it impossible to work in an RDP environment.

I tried to set up new access rules, but without success.

I called support, but the answer was that "if the problem is still in a test environment, support can't support that".
Could someone help us?

Thanks

Matteo
