Hi Guys,

Got a client with a TZ300 and we are attempting to transfer to SSL-VPN for use with NetExtender.

The NetExtender can connect, can ping by IP, but cannot locate hostnames.

This is a big issue at the moment, as they only use the VPN to access share on the network, and they are mapped by name.

Followed this guide to set it up:

Current Sonicwall Stats:

Model: TZ 300
Firmware Version: SonicOS Enhanced 6.2.3.1-19n
Safemode Version: SafeMode 6.2.3.7
ROM Version: SonicROM 5.6.0.14

If i have two nsa 5600 will configured for HA to aggregate WAN link to the ISP i will need Switch what is the recommend  switch for this and must support fiber because i have fiber connection from ISP.

I deleted a sub interface which I created for a specific VLAN but now I want it back again.

When I go to create it says:

Error: Address Object with name "X0:V111 IP" already exists

I need VLAN 111 for a specific reason.

When I go to address objects I can see X0:V111 IP but it will not let me select it to delete.

I can't delete the zone it's in as it says Error: Object is in use by an Address Object

Hi,

I've questions regarding VPN cascading between 3 NSA SonicWALL firewalls. Let me explain my situation and what I want to achieve.

As the above scheme illustrates, I have 3 branches connected to Internet whose entry point to the LAN is the SW NSA FW. There's a VPN tunnel between each site: Site_A-Site_ B, Site_A-Site_ C, Site_B-Site_ C. The Internet traffic of Site A is redirected to Site B. So Site A goes through Site B to access to LAN B and Internet. Site A goes through Site C to access LAN C.

My question is: is it possible to remove Site_A-Site_C VPN tunnel and instead, go through Site B to access LAN C? If yes, how can you achieve this configuration?

What troubles me are the options of the VPN tunnel that allow you either to redirect all the Internet traffic or a specific LAN destination through Address Objects (screenshots from Site A):

Without the Internet traffic redirection, I was thinking about creating an Address Group including the 2 Address Objects for LAN B and LAN C. But I'd like to keep the Internet traffic redirection through Site B.

What do you think?

Thanks in advance for your help.

I have a TZ500 with all traffic going through the VPN tunnel that I need to set the firewall up so that if the tunnel drops due to whatever reason that internet access is still allowed within a reasonable amount of time.  We currently have all traffic routed through the tunnel but in case of a failure on our side we want straight up internet as a backup.

The we are making the switch from MPLS to VPN and would really like to implement that kind of routing but I'm unsure how to go about it .  Ideally if the tunnel is down for 30 seconds internet access continues for those conencted, just not thorugh the tunnel. 

Any ideas on where to start?

we have three sonicwall tz210 Site A is where a server is hosted, site b and C connect to site A via VPN through a static ip address. We would like to add a second ISP at main site (at least) for a failover. Second isp will obviously have completely different IP' address' and obviously the VPN will never find the tunnel due to the new ip address'.

Can it be configure where if site B and C don't see Site A, it will hop over to the second IP and use that for the VPN tunnel?

We need to replace our old Motorola Wireless AP system, and want to try the Sonic point antennas with our TZ215. But we have our WLANs across multiple interfaces.

X2 - Management LAN or Sonicwall, Switches and AP's (VLAN 1 in the network)

X5 - Mobile Device DMZ for Staff (VLAN 193 in the network)

X6 - Guest DMZ (VLAN 192 in the network)

Additional VLANs

5 - Corporate Wifi

21 - Lighting Systems

22 - Technical A/V Systems

DHCP Services are handled by our domain controllers and Routing is done through some of our Layer 3 switching in addition to the Sonicwall. The Guest Wifi Captive portal is controlled by an Untangle server.

I was going to use X3 to create a WLAN Zone, but I'm not sure how to best Setup a WLAN interface for the Management LAN and still connect these other VLANs for use by staff and guests.

Whichever interface I use i can tag the appropriate VLANs to pass the trafic, but am unsure how to get the different existing interfaces traffic to that WLAN interface without causing problems.

Hi,

I am having trouble making the Global VPN client to work when connecting from our internal Guest network in order to reach our internal Server LAN in order to reach internal resources in a safe manner. I am not sure what settings might been needed in the Sonicwall in order to achieve this?

Our setup is based on NSA 3600 and I have setup a WLAN zone in the sonicwall to allow for guests to connect to the internet. Traffic from the WLAN zone to our internal Server LAN is denied. However some users would like to be able to use the wireless network in order to reach internal resources and for that I want to use the Global VPN client. Is it even possible to use the Global VPN client from a network internal from the Sonicwalls point of view?

Using the Global VPN client from the outside is working fine

Any help is greatly appreciated and if more detailed configuration info is needed I will happily provide that.

Thank you

Hi folks:

I put in a SOHO Wireless-N a week ago for a client of mine (I'm an independent IT Consultant).

The Sonicwall Wireless-N uses TIme Warner internet on X1, has business devices on X0, has W0 for a Private Wireless Network, and X2 for a subnet connecting (2) WAPs for use by guests. (This is a bakery/restaurant).

The firmware we have on the device: SonicOS Enhanced 6.2.4.2-20n

The device is randomly locking up / freezing every day or so. Since the logging in the device isn't persistent, I enabled the SYSLOG today and started capturing DEBUG level data to review. My hope was that there would be something PRIOR to the freeze/Watchdog restart there would be some info in the SYSLOG messages that might help indicate what may have led to the restart.

My customer is *** at me. He depends upon the internet access to do credit card processing, and when the router is down, he can't do that and has to switch to manual processing (or cash). It's hurting his business.

We've only had the device for <1 week and it's done this three times so far. I have a PING-based network monitor in place, monitoring the external interface IP and sending me alerts so I can at least respond to the outage to try to look at the SYSLOGs and LOG entries to try and figure out what this is.

But the SYSLOG shows NOTHING for about (4) minutes prior to the message indicating the device is restarting. (there's a WARNING in the syslog that says the WAN IP has changed at the time the device is restarted, and the internal tracelog just notes the time the device was coming UP. There's a gap of about (4) minutes from the time the SYSLOG messages STOP arriving and the time they begin again. I'm presuming this is some kind of time that the device is needing to reboot and come back online.

I'm truly frustrated. There's nothing in the SYSLOGs indicating threats prior to the device shutdown. There's a few of these:

id=firewall sn=18B1691BBDF0 time="2015-11-21 14:30:38" fw=67.241.163.143 pri=5 msg="Unhandled link-local or multicast IPv6 packet dropped" srcV6=fe80::d4db:99b9:6f20:f6bd dstV6=ff02::c srcMac=90:48:9a:c6:75:7f dstMac=33:33:00:00:00:0c proto=udp/65535

But the knowledge base says they can be disregarded.

I'm *****DESPERATE***** to try to figure out why this device is restarting. No, I've not opened a ticket. Apparently, when you buy the unit new, you get no support unless you buy a separate service contract.

When I log into mysonicwall.com, the firmware shows that 6.2.4.2-20n is both a General Release and a BETA. So I'm wondering if I have inadvertently used beta firmware. Should I downgrade to 1-.18n?

This is the trace. Nothing in it gives a message about WHAT the exception was that caused the reboot.

11/21 06:30:53.368: startup - *** exception reboot ***
11/21 06:31:00.208: CRITICAL - Informational: str2hex:133:
11/21 06:31:00.208: CRITICAL - Invalid geo string passed
11/21 06:31:00.224: CRITICAL - Informational: fixDefaultPolicies:748:
11/21 06:31:00.224: CRITICAL - Disabling Default Rule flag for VPN To LAN policy
11/21 06:31:00.224: CRITICAL - Informational: fixDefaultPolicies:748:
11/21 06:31:00.224: CRITICAL - Disabling Default Rule flag for VPN To LAN policy
11/21 06:31:00.224: CRITICAL - Informational: fixDefaultPolicies:748:
11/21 06:31:00.224: CRITICAL - Disabling Default Rule flag for VPN To WAN policy
11/21 06:31:00.224: CRITICAL - Informational: fixDefaultPolicies:748:
11/21 06:31:00.224: CRITICAL - Disabling Default Rule flag for VPN To WAN policy
11/21 06:31:04.288: CRITICAL - Informational: setMaxSasAllowed:515:
11/21 06:31:04.288: CRITICAL - Policies Allowed: 75 Max Possible: 75 License Mgr Returned: 10
11/21 06:31:14.864: CRITICAL - Informational: wdTaskInit:517:
11/21 06:31:14.864: CRITICAL - Hardware watchdog time (10737 ms) is less than expectation (20000 ms)
showed 15 log events

I've used Sonicwall for many years. I'm not happy right now, as I've never experienced anything like this before (router unexpectedly restarting) except for extended power outages when the UPS runs out of juice and the device forcably goes out until power comes back.

I really need some help and I'm calling on anyone here to offer thoughts about what I can do to try and root cause this further. I'm out of ideas. THe syslog doesn't show anything relating to exception data, the tracelog seems void of any meaningful info. THere's no IPS errors, networking errors that are listed in the log files.

But the router just goes Kaput! and decides to reboot itself.

Need help please. ANyone who has meaningful suggestions on what I could do (downgrade to 1-18n?) to try to get this resolved.

I don't know what O/S they use internally, and I get that these things are complicated software /hardware devices.

I just need it to be able to be *UP* for more than a day at a time without causing a restart. My customer is getting ready to kill me. I'm thinking about putting in a pfSense device in instead, or an ASA5505. But I believe my customer would make me eat the cost of doing that, and I am just not financially well off to do that. If money were no issue, I'd replace it in a heartbeat.

Truly hoping for peer to peer support and ideas on what I can do next to try to figure out how to keep this device up for more than one day at a time.

So Crypto wall 4.00 made a unwelcome  appearance on my network today, Despite having the best practices and recommendations applied by sonic wall (Blocking Tor access and SSl's) it got through and infected one machine before my crypto-canary monitor alerted me. 

Since this bypassed the tor restriction (for RSA key swapping) will sonicwall be doing updates?

Hi All,

After spending an hour with SW support and having no luck, I've finally decided to try these forums.

I have two NSA e6500, in the same room, and I'm trying to set up HA Active/Active Clustering. But I only have the option for Active / Standby and Active / Active DPI. At first I thought it was a licensing issue, but I've been told by SW support (on multiple occasions), that I am licensed for Active/Active Clustering. I'm starting to believe I have the cabling incorrect. I have a crossover cable connected between the two Firewalls at the HA ports, as well as two additional straight through cables at ports x4 and x5. Both units are on the latest firmware.

Thanks in advance.

Hi,

I'd like to know how to determine the correct MTU size to set in the properties of the WAN interface (in my case, NSA appliances).

First. I noticed that with SonicOS Enhanced 5.9.x, there's a Diagnostic Tool called PMTU Discovery:

This tool isn't available with SonicOS Enhanced 5.8.x.

I guess that using this integrated tool is a way to determine the correct MTU size to apply.

Secondly, for SonicOS versions that don't have this tool and to simply understand how to manually determine the MTU size, I'd like to know what method to follow.

On Internet, I found this method using the ping -f -l command. Once you determined the biggest packet size possible, it asks you to add 28 to that number and you get the MTU size to set on the interface.

Case Study:

In my company, there are 2 sites: 1 in China and 1 in South Korea. Both have a SonicWALL NSA firewall.

When determining the MTU size to apply from the Chinese site, I get the same results with the 2 methods above mentioned.

Using PMTU Discovery:

I enter 2 IPs: 8.8.8.8 and the Korean FW's WAN IP. I get the same result: 1500.

I noticed however that the MTU size has to be set to its maximum size (1500) on the WAN interface's properties for this test to work properly. Indeed, when I set it to 1404 to test, Discovery PMTU found 1404 as the MTU size:

Using ping -f -l:

When using the ping method with the Korea FW's WAN IP, I found 1472 as the maximum packet size:

According to the method I read on Internet, adding 28 will get me a MTU size of 1500, same as the PMTU Discovery method.

My question are: do you confirm that these 2 methods are correct to determine the MTU size to set on the WAN interface? Especially the one using the ping? If not, how to do?

Thanks in advance for your feedback.

I am trying to update java and it is being blocked by GAV on a sonicwall NSA2600 with SonicOS Enhanced 6.2.2.2-19n.

I also tried to download directly for a new install from java.com.  Same thing.

I get: Gateway Anti-Virus Alert: (Cloud Id: 30710517) Agent.FL (Trojan) blocked

Is this a false positive?

Hi all,

I'm new here on this forum. Please bare with me for my post :)

I'm using SonicWall 3600 with Stateful HA configuration. We're planning to enable BGP to support the requirement of our end point connection.

My questions are:

1) When the stateful HA is enable, is BGP configuration sync to backup device? 

2) Do I need to purchase BGP license for both (Active/Backup) devices?

3) Is it ideal to use Stateful HA configuration when BGP is enabled?

Hope someone can help me:)

Thanks in advance,

Joven D.

Hi all,

I'm new here on this forum, please bare me with my post :)

I'm using SonicWall 3600 with Stateful HA configuration. I'm working on new leased line connection coming from other company. Their configuration require BGP in order to communicate to their router. I'm newby with BGP and I'm reading KB article of SonicWall about BGP. I have questions of capabilities of Statful HA configuration when BGP is enabled.

My questions are:

1) Is it going to work while the Stateful HA configuration is in place and I want to enable BGP?

2) Is it ideal to use Stateful HA configuration when BGP is enabled?

3) When the stateful HA is enable, is BGP configuration sync to backup device?

4) Do I need to purchase BGP license for both (Active/Backup) devices?

Hope someone can help me :)

Thanks in Advace!

While looking for information in regards NSA 4600 HA configuration I found this link which is contradicting other information that specifies that HA Active / Active DPI and Active / Active Clustering is not supported for this Model.

Please confirm which is the case for this specific model

support.software.dell.com/.../181553

Hello All,

I am using SonicWALL TZ 215 wireless-N, Firmware: SonicOS Enhanced 5.8.1.15-51o

I have enabled Wi-Fi on my device, but facing strange problem that often my Wi-Fi didn’t allow some device to connect, and when I power out my device and restart it, all the device connect with Wi-Fi again?

Any solutions will be appreciated.

Thanks & regards

Problem: Sonos iPhone/iPad App cannot connect to Sonos Connect:Amp (zone player).

Configuration:

1. X0 (LAN port) of SonicWall TZ 100 has IP 192.168.168.1
2. X1 (WAN port) of SonicWall TZ 100 has dynamic IP from ISP.
3. X4 (WLAN port) of SonicWall TZ 100 has IP 192.168.10.1 and is connected to SonicPointN.
4. PC has IP 192.168.168.20 and is connected to LAN via ethernet cable.
5. Sonos Connect:Amp (zone player) has IP 192.168.168.25 and is connected to LAN via ethernet cable.
6. iPad has IP 192.168.10.20 and has strong WiFi connection to SonicPointN.
7. Summary: PC and Sonos Connect:Amp (zone player) are on wired ethernet network 192.168.168.xxx, while iPad is on WiFi network 192.168.10.xxx.

What's Working:

1. PC CAN connect to the internet.
2. PC CAN connect to/control the Sonos Connect:Amp (zone player) via Sonos application.
3. iPad CAN connect to the internet.

What's NOT working:

1. iPad CANNOT connect to Sonos Connect:AMP to control it via Sonos iPad App.

From the tech support people at Sonos:

1. Sonos Controller MUST be on SAME sub-net as Sonos Connect:Amp (zone player).
2. With PC-based Sonos Controller, they are on the same sub-net (both on 192.168.168.xxx)
3. With iPad based Sonos Controller, they are not on the same sub-net).  Sonos Connect:Amp (zone player) is on 192.168.168.xxx while iPad with Sonos Controller App is on 192.168.10.xxx.

What I've tried so far:

1. Dell SonicWall Knowledge Base article SW6196 with "services" defined as per Sonos support document "Configuring your firewall to work with Sonos" (article 692).  Result: I was able to configure the TZ 100 as described, but it did not fix the problem.
2. Dell SonicWall Knowledge Base article SW7081.  Result: I could not configure the TZ 100 as described/got errors.  Not sure this is the route I want to go anyway for security reasons.

Any help greatly appreciated!

I am looking at possibly updating our SonicOS Enhanced firmware due to some VPN issues. We are currently on 5.8.1.15-71.o, which is the most current General Release, released in May 2014. I don't understand the SW lineage of new firmware. I see that there have been many releases since May 2014 all of which are called Early Release. There are also two paths to choose--5.8 and 5.9. How do you make the decision on when to move from 5.8 to 5.9? If 5.9 is better than 5.8, why keep updating 5.8? I was looking for some documentation that compares the two OS versions but didn't find anything. Neither OS release notes says that the problem I'm experiencing is fixed in that version. It seems kind of strange to list something released in Nov 2014 as an Early Release.

Hallo

Jedes mal wenn ich mich auf die Sonicwall  TZ 210 einloggen will kommt folgendes:

Wieso kommt diese nervige Meldung und wie deaktiviere ich diese?

----

On englisch:

Why does i recive  this error:

How can i disable this message?

2. Question who can i download Firmware from sonicwall tz 210?

thank you!