We're currently trying to upgrade our internet service and have an existing SonicWall TZ 210 connected to a Cisco 2600 router for a single T1 connection. Our new connection uses the same SonicWall but connects to an AdTran NetVanta 3430 with 2 T1s. The configurations should be the same as we are keeping our existing ISP and external block of IP addresses. The problem is as soon as we make the change over we lose the link (can no longer ping the internet from the sonicwall). Our ISP claims they can ping the internet from within the new Netvanta router so they believe it's our firewall that's the problem, yet if we change it all back (back to single T1 and cisco router) instantly everything works again.
Has anyone heard of anything similar to this or is there something known to look for that might be missing or not provided within the new router to the sonicwall that would have been provided by the cisco before?
I realize there are a lot of blanks to fill in but here's a few: all interfaces are exactly the same ip addresses on each router (old and new), and the only ip route statement in each router is a 0.0.0.0 0.0.0.0 route.
I can provide the configs for each router if that would be helpful.
Also the Firewall gets a new entry from the new router in the ARP table so I know the firewall sees the new device...
Thank you for your time.
Configurations would be useful. Quick things to check for a minimal configuration:
Thanks for the quick response.
Should I attach the configs or paste them in to a reply?
Both have the same ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137.
I don't see a line of just "no ip firewall" but there are two others that are similar: "no ip firewall alg msn" and "no ip firewall alg h323".
The firewall was one of my concerns when I read that this unit has those capabilities today.
I just enabled ping response today on the sonicwall because we couldn't ping the external side of the sonicwall last night when we were trying to turn up and test. The tech did claim that they could ping the internet address from the 3430.
AdTran NetVanta 3430 Config:
!
clock timezone 0
clock no-auto-correct-DST
!
!
ip subnet-zero
ip classless
ip routing
!
no auto-config
!
event-history on
no logging forwarding
no logging email
!
service password-encryption
!
!
no ip firewall alg msn
no ip firewall alg h323
!
no dot11ap access-point-controller
!
interface eth 0/1
description LAN Block xxx.yyy.zz.192/27
ip address xxx.yyy.zz.193 255.255.255.224
no ip proxy-arp
no shutdown
no lldp send-and-receive
!
!
interface eth 0/2
description Not in USE!
no ip address
shutdown
no lldp send-and-receive
!
interface t1 1/1
description xxxxxxx
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface t1 1/2
description xxxxxxx
clock source through
tdm-group 1 timeslots 1-24 speed 64
no shutdown
!
interface ppp 1
description xxxxxx
ip address xx.yyy.z.138 255.255.255.252
ip ffe
ppp multilink
no shutdown
cross-connect 1 t1 1/1 1 ppp 1
cross-connect 2 t1 1/2 1 ppp 1
!
!
ip access-list standard VtyAccess
remark xxxxx
permit xxx.yyy.zzz.128 0.0.0.127
!
!
!
ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137
!
!
no ip tftp server
no ip tftp server overwrite
no ip http server
no ip http secure-server
no ip snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
line con 0
login local-userlist
!
line telnet 0 4
login local-userlist
no shutdown
access-class VtyAccess in
line ssh 0 4
login local-userlist
no shutdown
access-class VtyAccess in
!
exit
!
ntp peer xxx.y.zz.28
!
Cisco 2600 Config:
xxxxx#show config
Using 1215 out of 29688 bytes
!
version 12.0
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
no service password-encryption
!
hostname xxxxx
!
logging buffered 8012 debugging
enable password
!
!
!
!
!
memory-size iomem 25
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
no ip source-route
no ip finger
ip name-server xxx.yyy.z.65
ip name-server xxx.yyy.z.65
!
isdn voice-call-failure 0
!
!
!
interface FastEthernet0/0
description xxxxx
ip address xxx.yyy.zz.193 255.255.255.224
no ip directed-broadcast
duplex auto
speed auto
!
interface Serial0/0
description xxxxx
ip address xx.yyy.z.138 255.255.255.252
no ip directed-broadcast
no ip mroute-cache
no fair-queue
!
interface BRI0/0
no ip address
no ip directed-broadcast
shutdown
isdn guard-timer 0 on-expiry accept
!
interface FastEthernet0/1
no ip address
no ip directed-broadcast
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password login
!
ntp server xxx.yy.zz.1
ntp server xxx.yy.zz.20
no scheduler allocate
end
Looks OK, you can try adding "no ip firewall" from the config prompt and see if that fixes it.
Or, you can leave the firewall on with a simple ruleset.
ip access-list standard allow-all-list
permit any
ip access-list extended ether-in-list
permit ip any xxx.yyy.zz.192 0.0.0.31 ! < xxx.yy.zz is your LAN block here
ip access-list extended ether-out-list
permit ip xxx.yyy.zz.192 0.0.0.31 any
ip policy-class Public
allow list ether-in-list policy Ethernet
allow list allow-all-list self
ip policy-class Ethernet
allow list ether-out-list policy Public
allow list allow-all-list self
interface ppp 1
ip access-policy Public
interface eth 0/1
ip access-policy Ethernet
If all else fails, from the Adtran can you:
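The easiest thing to get wrong in the ruleset above is the LAN block in the two extended ACLs (the "xxx.yy.zz is your LAN block here" comment). This added check, which is not part of the thread and not AdTran code, parses an AOS-style config fragment, converts each ACL's address/wildcard pair to a network and compares it with the subnet configured on eth 0/1; the sample config is constructed with RFC 5737 documentation addresses in place of the masked octets.

```python
import ipaddress
import re

# Constructed sample in AOS syntax, modelled on the thread's ruleset with the
# masked octets replaced by RFC 5737 documentation addresses (not real ones).
SAMPLE_CONFIG = """
interface eth 0/1
 ip address 203.0.113.193 255.255.255.224
 ip access-policy Ethernet
ip access-list extended ether-in-list
 permit ip any 203.0.113.192 0.0.0.31
ip access-list extended ether-out-list
 permit ip 203.0.113.192 0.0.0.31 any
"""

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3})"

def wildcard_to_net(addr, wildcard):
    """Convert an AOS/IOS 'address wildcard' pair (0.0.0.31) to a network (/27)."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def lan_subnet(text, iface="eth 0/1"):
    """Return the subnet configured on the given interface, or None if absent."""
    m = re.search(rf"interface {re.escape(iface)}\s*\n\s*ip address {ADDR} {ADDR}", text)
    return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False) if m else None

def acl_networks(text, acl):
    """Yield every address/wildcard pair in one extended ACL as a network."""
    m = re.search(rf"ip access-list extended {re.escape(acl)}\n((?:\s+\S.*\n?)*)", text)
    for line in (m[1].splitlines() if m else []):
        for a, w in re.findall(rf"{ADDR} {ADDR}", line):
            yield wildcard_to_net(a, w)

def check_lan_block(text):
    """List ACL entries whose network does not equal the LAN block on eth 0/1."""
    lan = lan_subnet(text)
    if lan is None:
        return ["eth 0/1 has no ip address"]
    findings = []
    for acl in ("ether-in-list", "ether-out-list"):
        for net in acl_networks(text, acl):
            if net != lan:
                findings.append(f"{acl}: {net} does not match eth 0/1 block {lan}")
    return findings

if __name__ == "__main__":
    print(check_lan_block(SAMPLE_CONFIG) or "ruleset matches the LAN block")
    # A wildcard typo (0.0.0.63 instead of 0.0.0.31) is reported as a mismatch:
    print(check_lan_block(SAMPLE_CONFIG.replace("0.0.0.31 any", "0.0.0.63 any")))
```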
Thanks for the additional options!
I will give those a try tonight again (can't switch back over until after 6pm CST due to use of the current setup).
We did try putting in "no ip firewall" but it didn't seem to change anything last night.
From within the adtran we can ping the wan interface of the sonicwall and the internet, but I didn't know about the show ip route and show arp options.
From the sonicwall I can ping the eth interface of the adtran but not the ppp interface or beyond.
From my desktop (goes out a separate firewall and separate 3mb connection) I can ping the ppp interface of the adtran but it stops there when actually trying to ping the wan interface of the sonicwall (with the cisco I can trace route all the way through to the wan interface of the sonicwall).
From a test laptop that is set to only use this link (sonicwall set as gateway) we are trying to upgrade it stops at the network interface of the sonicwall when trying to ping my other 3mb connection (basically trace routing to an internet ip) (with the cisco in place it trace routes all the way through to the other 3mb connection we have). The cisco trace routes were done yesterday so I could provide my ISP with documentation supporting that it looks to be dropping in the adtran but they don't agree.
Here's why they don't agree, we also connected a laptop just using the same static ip and subnet as the sonicwall has assigned and the laptop can get through the adtran to the internet?
I'm starting to wonder what's really causing the issue here. I am looking at the option of getting sonicwall support online to look at the sonicwall at the same time in case the sonicwall is dropping all packets from the adtran for some reason.
Being a newbie here, I am wondering, can I mark your response as helpful and come back and mark it as correct if your options fix the issue tonight?
Thanks again for all the help!
retech wrote:
Here's why they don't agree, we also connected a laptop just using the same static ip and subnet as the sonicwall has assigned and the laptop can get through the adtran to the internet?
I'm starting to wonder what's really causing the issue here. I am looking at the option of getting sonicwall support online to look at the sonicwall at the same time in case the sonicwall is dropping all packets from the adtran for some reason.
Oh really! Check if there's a static ARP entry in the Sonicwall for the Cisco. I'm not a Sonicwall expert so can't advise exactly where to look for this but it sounds like you're on to it. Typical ARP timeout I think is 20 minutes for Sonicwall. You may have to either reboot the Sonicwall or wait, or try a ping from the Adtran to give it an ARP.
Alternatively, unless you need some features unique to the Sonicwall consider removing it and using the Adtran as the firewall as well as Internet router.
Curiously, Adtran was at one point private-branding Sonicwalls under the Adtran label but I think they recently dropped them.
I have been looking at the ARP table on the sonicwall, and flushing the arp cache and then pinging the adtran does result in a new mac address (different than the cisco) arp entry. We also tried using the cisco's mac address in the adtran to fake out the sonicwall but that made no difference either.
I would switch out the sonicwall but it is a unique situation where I was able to get some vpn voip Avaya phones to connect through the sonicwall (remote agents) and even the phone techs from the company we bought the system from have no idea how I got it to work so changing to the adtran's firewall wouldn't be ideal for us, nor for the fact that we are leasing the adtran from the ISP so I don't/wouldn't have access to make changes as needed to that firewall as I do from time to time.
I'll see where I get with sonicwall's support (so far not so helpful, but it was a quick conversation more about whether or not there are known issues between adtrans and sonicwalls; basically they suggested these: check status, which I had told them says connected and full duplex; check arp, which I had told them I already made sure was a new entry; and reboot, which we had tried on both devices many times before).
Thanks again for the help!
I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Noor