Support
Community

Configurations would be useful.  Quick things to check for a minimal configuration:

• Do you have the default route to the provider end of the multilink T1s ip route 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz  ?
• Is the firewall on the 3430 disabled no ip firewall ?
• Can you ping both the Sonicwall (may need to enable it as a rule) and an external Internet address from the 3430?

Thanks for the quick response.

Should I attach the configs or paste them in to a reply?

both have the same ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137

I don't see a line of just no ip firewall but there are two others that are similar "no ip firewall alg msn" and "no ip firewall alg h323"

The firewall was one of my concerns when I read that this unit has that capabilities today.

I just enabled ping response today on the sonicwall because we couldn't ping the external side of the sonicwall last night when we were trying to turn up and test.  The tech did claim that they could ping the internet address from the 3430.

Message was edited by: retech -------------------------------------------------------------------------------------------------------------------------------------------

AdTran NetVanta 3430 Config:

!

clock timezone 0

clock no-auto-correct-DST

!

!

ip subnet-zero

ip classless

ip routing

!

no auto-config

!

event-history on

no logging forwarding

no logging email

!

service password-encryption

!

!

no ip firewall alg msn

no ip firewall alg h323

!

no dot11ap access-point-controller

!

interface eth 0/1

description LAN Block xxx.yyy.zz.192/27

ip address xxx.yyy.zz.193  255.255.255.224

no ip proxy-arp

no shutdown

no lldp send-and-receive

!

!

interface eth 0/2

description Not in USE!

no ip address shutdown

no lldp send-and-receive

!

interface t1 1/1

description xxxxxxx

tdm-group 1 timeslots 1-24 speed 64

no shutdown

!

interface t1 1/2

description xxxxxxx

clock source through

tdm-group 1 timeslots 1-24 speed 64

no shutdown

!

interface ppp 1

description xxxxxx

ip address   xx.yyy.z.138     255.255.255.252

ip ffe

ppp multilink

no shutdown

cross-connect 1 t1 1/1 1 ppp 1

cross-connect 2 t1 1/2 1 ppp 1

!

!

ip access-list standard VtyAccess

remark xxxxx

permit xxx.yyy.zzz.128 0.0.0.127

!

!

!

ip route 0.0.0.0 0.0.0.0  xx.yyy.z.137

!

!

no ip tftp server

no ip tftp server overwrite

no ip http server

no ip http secure-server

no ip snmp agent

no ip ftp server

ip ftp server default-filesystem flash

no ip scp server

no ip sntp server

!

!

line con 0

login local-userlist

!

line telnet 0

4 login local-userlist

no shutdown

access-class VtyAccess in

line ssh 0

4 login local-userlist

no shutdown

access-class VtyAccess in

!

exit

!

ntp peer xxx.y.zz.28

!

Message was edited by: retech---------------------------------------------------------------------------------------------------------------------------------------------------------------

Cisco 2600 Config:

xxxxx#show config

Using 1215 out of 29688 bytes

!

version 12.0

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

no service password-encryption

!

hostname xxxxx

!

logging buffered 8012 debugging

enable password

!

!

!

!

!

memory-size iomem 25

clock timezone CST -6

clock summer-time CDT recurring

ip subnet-zero

no ip source-route

no ip finger

ip name-server xxx.yyy.z.65

ip name-server xxx.yyy.z.65

!

isdn voice-call-failure 0

!

!

!

interface FastEthernet0/0

description xxxxx

ip address xxx.yyy.zz.193 255.255.255.224

no ip directed-broadcast

duplex auto

speed auto

!

interface Serial0/0

description xxxxx

ip address xx.yyy.z.138 255.255.255.252

no ip directed-broadcast

no ip mroute-cache

no fair-queue

!

interface BRI0/0

no ip address

no ip directed-broadcast

shutdown

isdn guard-timer 0 on-expiry accept

!

interface FastEthernet0/1

no ip address

no ip directed-broadcast

shutdown

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137

no ip http server

!

!

line con 0

transport input none

line aux 0

line vty 0 4

password login

!

ntp server xxx.yy.zz.1

ntp server xxx.yy.zz.20

no scheduler allocate

end

Looks OK, you can try adding "no ip firewall" from the config prompt and see if that fixes it.

Or, you can leave the firewall on with a simple ruleset.

ip access-list standard allow-all-list

  permit any

ip access-list extended ether-in-list

  permit ip any xxx.yyy.zz.192  0.0.0.31   ! < xxx.yy.zz is your LAN block here

ip access-list extended ether-out-list

  permit ip xxx.yyy.zz.192  0.0.0.31 any

ip policy-class Public

  allow list ether-in-list policy Ethernet

  allow list allow-all-list self

ip policy-class Ethernet

  allow list ether-out-list policy Public

  allow list allow-all-list self

interface ppp 1

ip access-policy Public

interface FastEthernet0/0

  ip access-policy Ethernet

If all else fails, from the Adtran can you:

• ping both the Sonicwall and a host on the Internet
• paste "show ip route" output
• paste "show arp" output

Thanks for the additional options!

I will give those a try tonight again (can't switch back over until after 6pm CST due to use of the current setup).

We did try putting in "no ip firewall' but it didn't do seem to change anything last night.

From within the adtran we can ping the wan interface of the sonicwall and the internet, but I didn't know about the show ip route and show arp options.

From the sonicwall I can ping the eth interface of the adtran but not the ppp interface or beyond.

From my desktop (goes out a separate firewall and separate 3mb connection) I can ping the ppp interface of the adtran but it stops there when actually trying to ping the wan interface of the sonicwall (with the cisco I can trace route all the way through to the wan interface of the sonicwall).

From a test laptop that is set to only use this link (sonicwall set as gateway) we are trying to upgrade it stops at the network interface of the sonicwall when trying to ping my other 3mb connection (basically trace routing to an internet ip)  (with the cisco in place it trace routes all the way through to the other 3mb connection we have).  The cisco trace routes were done yesterday so I could provide my ISP with documentation supporting that it looks to be dropping in the adtran but they don't agree.

Here's why they don't agree, we also connected a laptop just using the same static ip and subnet as the sonicwall has assigned and the laptop can get through the adtran to the internet?

I'm starting to wonder what's really causing the issue here.  I am looking at the option of getting sonicwall support online to look at the sonicwall at the same time incase the sonicwall is dropping all packets from the adtran for some reason.

Being a newbie here, I am wondering, can I mark your response as helpful and come back and mark it as correct if your options fix the issue tonight?

Thanks again for all the help!

retech wrote:

Here's why they don't agree, we also connected a laptop just using the same static ip and subnet as the sonicwall has assigned and the laptop can get through the adtran to the internet? I'm starting to wonder what's really causing the issue here.  I am looking at the option of getting sonicwall support online to look at the sonicwall at the same time incase the sonicwall is dropping all packets from the adtran for some reason.

Oh really!  Check if there's a static ARP entry in the Sonicwall for the Cisco.  I'm not a Sonicwall expert so can't advise exactly where to look for this but it sounds like you're on to it.  Typical ARP timeout I think is 20 minutes for Sonicwall.  You may have to either reboot the Sonicwall or wait, or try a ping from the Adtran to give it an ARP.

Alternatively, unless you need some features unique to the Sonicwall consider removing it and using the Adtran as the firewall as well as Internet router.

Curiously, Adtran was at one point private-branding Sonicwalls under the Adtran label but I think they recently dropped them.

I have been look at the ARP table on the sonicwall and flushing the arp cache and then pinging the adtran does result in a new mac address (different than the cisco) arp entry.  We also tried using the cisco's mac address in the adtran to fake out the sonicwall but that made no difference either.

I would switch out the sonicwall but it is a unique situation where I was able to get some vpn voip Avaya phones to connect through the sonicwall (remote agents) and even the phone techs from the company we bought the system from have no idea how I got it to work so changing to the adtran's firewall wouldn't be ideal for us, nor for the fact that we are leasing the adtran from the ISP so I don't/wouldn't have access to make changes as needed to that firewall as I do from time to time.

I'll see where I get with sonicwall's support (so far not so helpful but it was a quick conversation more about whether or not there are known issues between adtran's and sonicwalls but basically they suggested these: check status which I had told them says connected and full duplex, check arp which I had told them I already made sure it was a new entry, and reboot which both devices we had tried this on many times before).

Thanks again for the help!