Sometimes there is an internal VPN server on the LAN, and a VPN connection is built from outside (from the Internet) to connect to this server.
From outside, the client can try to connect to the X1 IP or to any IP provided by the ISP as the gateway. This document will help if packets are dropped with: Drop Code: 735 - Drop Bounce same link pkt
This can be a misconfiguration on the firewall or on the other side. We have to check the internal settings on the firewall.
In this kind of scenario, the connection is generally initiated from outside and there are constant attempts to establish the connection.
There is no separate VPN tunnel on the firewall; only NAT and access rules are needed.
Here, 212.6.104.91 is the WAN IP used for reference. When we run a packet capture for UDP ports 500 and 4500 with the WAN IP as the destination, we get the following drop: Drop Code: 735 - Drop Bounce same link pkt.
We are also assuming that the NAT and access rules are correct and translate the traffic to the internal IP for ports 500 and 4500.
Settings can be checked as per the KB below:
How can I enable port forwarding and allow access to a server through the SonicWall?
Generally, if this drop is present, there will not be any hits on the access rule or the NAT policy.
We have to check the service group that was added. Many times, we have seen that only the IPSEC group is added to the NAT and access rule.
The IKE group also has to be added here, as it contains the required ports 500 and 4500.
After confirming the above points, run the capture again. The drop issue will be fixed.
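The service group check above can be expressed as a small audit. This is an added example, not SonicWall code or an export format: the service objects, the group membership (including what the IPSEC group contains) and the rule list are constructed for illustration, and only the WAN IP and the UDP 500/4500 requirement come from this article.

```python
# Constructed sample data; names and membership are assumptions for illustration.
REQUIRED = {("udp", 500), ("udp", 4500)}  # ports the article says must be covered

# Service objects: name -> (protocol, first_port, last_port)
SERVICES = {
    "svc-udp-500": ("udp", 500, 500),
    "svc-udp-4500": ("udp", 4500, 4500),
    "svc-esp": ("esp", 0, 0),  # protocol without ports
}
# Service groups: name -> member services or nested groups
GROUPS = {
    "IKE": ["svc-udp-500", "svc-udp-4500"],
    "IPSEC": ["svc-esp"],  # assumed content: no UDP 500/4500
    "VPN Server Services": ["IPSEC", "IKE"],
}
# NAT policy and access rule that forward the WAN IP to the internal VPN server
RULES = [
    {"kind": "nat", "dst": "212.6.104.91", "service": "IPSEC"},
    {"kind": "access", "dst": "212.6.104.91", "service": "VPN Server Services"},
]

def resolve(name, seen=None):
    """Expand a service or (nested) group into a list of (proto, lo, hi)."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against groups that reference each other
        return []
    seen.add(name)
    if name in SERVICES:
        return [SERVICES[name]]
    ranges = []
    for member in GROUPS.get(name, []):
        ranges.extend(resolve(member, seen))
    return ranges

def missing_ports(service_name):
    """Return the required (proto, port) pairs the service does not cover."""
    ranges = resolve(service_name)
    return sorted((proto, port) for proto, port in REQUIRED
                  if not any(p == proto and lo <= port <= hi for p, lo, hi in ranges))

def audit(rules, wan_ip):
    """List (kind, service, gaps) for rules on wan_ip that miss a required port."""
    findings = []
    for rule in rules:
        gaps = missing_ports(rule["service"]) if rule["dst"] == wan_ip else []
        if gaps:
            findings.append((rule["kind"], rule["service"], gaps))
    return findings

if __name__ == "__main__":
    for kind, service, gaps in audit(RULES, "212.6.104.91"):
        print(f"{kind} rule using '{service}' does not cover: {gaps}")
```

A rule flagged here matches the case described above: the forwarding rule exists, but its service group does not include the IKE ports, so it never gets a hit.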