- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Traffic not passing through the site-to-site VPN tunnel
10/14/2021 
3,118 People found this article helpful
75,643 Views
Description
In this scenario, the customer has a site to site IPSec VPN tunnel between two SonicWall appliances. The tunnel status shows up and running but the traffic cannot pass through the VPN.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- To check the Log Monitor, Navigate to Monitor | Logs | System Logs, see if any error/prevention/block/failed logs related to the traffic.
EXAMPLE: IP spoof dropped alert in the log. Then try to find out why the icmp packets is dropped as IP spoof. - To capture packets on the WAN interface, Navigate to Monitor | Tools and Monitors | Packet Monitor. Click General at the top of the page to configure the packet capture monitoring and displaying settings. In this case, while pinging from LAN side of SonicWall to the remote gateway, the SonicWall is generating an ICMP redirect packet. So it looks like a routing issue rather than a site to site VPN one.
Then on SonicWall firewall GUI navigate to Policy| Rules and Policies | Routing Rules , and check the route policies.
- From the route policy entry, check for see the Remote Address Object which has a 31-Bit subnet mask. Actually this is the root cause of the issue. The 31-Bit subnet mask is not supported by SonicOS yet. So the firewall appliance does not recognize the traffic from the specific network.
Background
With ever-increasing pressure to conserve IP address space on the Internet, it makes sense to consider where relatively minor changes can be made to fielded practice to improve numbering efficiency. One such change is to halve the amount of address space assigned to point-to-point links (common throughout the Internet infrastructure) by allowing the use of 31-bit subnet masks in a very limited way. Note that a point-to-point link in which only one end supports the use of 31- bit prefixes may not operate correctly.
RFC 3021 specifies an exception to this rule for 31-bit subnet masks, which means the host identifier is only one bit long for two permissible addresses. In such networks, usually point-to-point links, only two hosts (the end points) may be connected and a specification of network and broadcast addresses is not necessary.
Workaround 1
- Change the subnet mask of the address objects.
- Navigate to Objects|Match Objects |Addresses.
- Click Configure button next to the address object of the remote networks.
- Change the Netmask/Prefix Length from 255.255.255.254 to 255.255.255.0(or other subnet mask), then click OK.
Workaround 2
- Change the type of the address objects from Network to Range.
- Navigate to Objects|Match Objects |Addresses
- Click Configure button next to the address object of the remote networks.
- Change the Type from Network to Range.
- Set the Starting and Ending IP Addresses and then click OK.
How to Test
- Ping from the local network behind SonicWall appliance to the Remote 31-Bit subnet IP. And the traffic should be pass through the tunnel.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- To check the Log Monitor, Navigate to Investigate | Logs | Event Logs, see if any error/prevention/block/failed logs related to the traffic.
EXAMPLE: IP spoof dropped alert in the log. Then try to find out why the icmp packets is dropped as IP spoof. - To capture packets on the WAN interface, Navigate to Investigate | Tools | Packet Monitor. Click Configure at the bottom of the page. In this case, while pinging from LAN side of SonicWall to the remote gateway, the SonicWall is generating an ICMP redirect packet. So it looks like a routing issue rather than a site to site VPN one.
- Then on SonicWall firewall GUI navigate to Manage | Network | Routing, and check the route policies.
- From the route policy entry, check for see the Remote Address Object which has a 31-Bit subnet mask. Actually this is the root cause of the issue. The 31-Bit subnet mask is not supported by SonicOS yet. So the firewall appliance does not recognize the traffic from the specific network.
Background
With ever-increasing pressure to conserve IP address space on the Internet, it makes sense to consider where relatively minor changes can be made to fielded practice to improve numbering efficiency. One such change is to halve the amount of address space assigned to point-to-point links (common throughout the Internet infrastructure) by allowing the use of 31-bit subnet masks in a very limited way. Note that a point-to-point link in which only one end supports the use of 31- bit prefixes may not operate correctly.
RFC 3021 specifies an exception to this rule for 31-bit subnet masks, which means the host identifier is only one bit long for two permissible addresses. In such networks, usually point-to-point links, only two hosts (the end points) may be connected and a specification of network and broadcast addresses is not necessary.
Workaround 1
- Change the subnet mask of the address objects.
- Navigate to Manage | Policies | Objects | Address Objects.
- Click Configure button next to the address object of the remote networks.
- Change the Netmask/Prefix Length from 255.255.255.254 to 255.255.255.0(or other subnet mask), then click OK.
Workaround 2
- Change the type of the address objects from Network to Range.
- Navigate to Manage | Policies | Objects | Address Objects.
- Click Configure button next to the address object of the remote networks.
- Change the Type from Network to Range.
- Set the Starting and Ending IP Addresses and then click OK.
How to Test
- Ping from the local network behind SonicWall appliance to the Remote 31-Bit subnet IP. And the traffic should be pass through the tunnel.
See Also:
Site To Site VPN Tunnel Is Up But Only Passing Traffic In One Direction
Related Articles
- How to force an update of the Security Services Signatures from the Firewall GUI
- How to upload security services signatures manually on Closed Environments?
- How to Create Gen 7 Settings File by Using the Online Migration Tool
Categories
- Firewalls > NSa Series > VPN
- Firewalls > TZ Series > VPN
- Firewalls > NSv Series > VPN
YES
NO