Firewall management not working over VPN, packet capture shows a Packet Dropped - Policy Drop

07/18/2022 12 People found this article helpful 186,261 Views

Download

Print

Share

• LinkedIn
• Twitter
• Facebook
• Email
• Copy URL The link has been copied to clipboard

Description

In deployments spread across multiple sites, VPNs are created for the secure transfer of traffic from one site to another. In some cases, Firewall Admins might have to log in to remote side firewalls and SonicWall allows us an option to do that as long as the remote side firewall has HTTPS management enabled on VPN.

For detailed instructions on Firewall management over VPN please refer to the following KB: Remotely manage the SonicWall through a vpn tunnel

When the HTTPS option is enabled on a VPN, the firewall creates an Access Rule from VPN to LAN with service HTTPS management and sets the action as Allow. 

Example:

In some cases, the Firewall drops this management traffic as Packet Dropped - Policy Drop. Firewall Admins will be able to verify it if they capture the traffic flow using the Packet Monitor feature of the Firewall.

Example: In the below screenshot it can be noticed that the traffic from the VPN for Port 443 TCP is being Dropped as Packet Dropped - Policy Drop.

Cause

The reason for this issue is that the Access Rule created for management is not getting triggered.  This can be verified from the statistics on the Access Rule. The statistics on the Access Rule will show a "0" under all sections

Resolution

•  On the Access Rule, Click Configure.
• A Checkbox labeled as Enable Management can be seen at the bottom of the Popup screen.
• This option will be Set to a Checked/ Enabled state or Unchecked/disabled state. This behavior is firmware-specific. Try toggling the state of this checkbox (If it is "Checked/Enabled", try "Unchecking/Disabling" and Vice-Versa)  and see if the issue is fixed.
  
  
  
• If the issue is still not fixed, please reach out to Technical Support for further troubleshooting. 
  There are two ways to contact technical support:

  1. Online: Visit mysonicwall.com. Once logged in select Resources & Support | Support | Create Case. 

  2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.

  If you do not have a mysonicwall.com account create one for free!

Related Articles

• Bandwidth usage and tracking in SonicWall
• How to force an update of the Security Services Signatures from the Firewall GUI
• Configure Guest VLAN in the TZ firewall, for guest users to access Internet only.

Categories

• Firewalls > NSa Series > Firewall Management
• Firewalls > NSsp Series > Firewall Management
• Firewalls > SonicWall NSA Series > Firewall Management UI
• Firewalls > SonicWall SuperMassive 9000 Series > Firewall Management UI
• Firewalls > TZ Series > Firewall Management UI