Traffic not passing through the site-to-site VPN tunnel
03/09/2021 
2879 
42237
DESCRIPTION:
In this scenario, the customer has a site to site IPSec VPN tunnel between two SonicWall appliances. The tunnel status shows up and running but the traffic cannot pass through the VPN.
RESOLUTION:
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
- To check the Log Monitor, Navigate to Monitor | Logs | System Logs, see if any error/prevention/block/failed logs related to the traffic.
EXAMPLE: IP spoof dropped alert in the log. Then try to find out why the icmp packets is dropped as IP spoof.
- To capture packets on the WAN interface, Navigate to Monitor | Tools and Monitors | Packet Monitor. Click General at the top of the page to configure the packet capture monitoring and displaying settings. In this case, while pinging from LAN side of SonicWall to the remote gateway, the SonicWall is generating an ICMP redirect packet. So it looks like a routing issue rather than a site to site VPN one.
Then on SonicWall firewall GUI navigate to Policy| Rules and Policies | Routing Rules , and check the route policies.
- From the route policy entry, check for see the Remote Address Object which has a 31-Bit subnet mask. Actually this is the root cause of the issue. The 31-Bit subnet mask is not supported by SonicOS yet. So the firewall appliance does not recognize the traffic from the specific network.
Background
With ever-increasing pressure to conserve IP address space on the Internet, it makes sense to consider where relatively minor changes can be made to fielded practice to improve numbering efficiency. One such change is to halve the amount of address space assigned to point-to-point links (common throughout the Internet infrastructure) by allowing the use of 31-bit subnet masks in a very limited way. Note that a point-to-point link in which only one end supports the use of 31- bit prefixes may not operate correctly.
RFC 3021 specifies an exception to this rule for 31-bit subnet masks, which means the host identifier is only one bit long for two permissible addresses. In such networks, usually point-to-point links, only two hosts (the end points) may be connected and a specification of network and broadcast addresses is not necessary.
Workaround 1
- Change the subnet mask of the address objects.
- Navigate to Objects|Match Objects |Addresses.
- Click Configure button next to the address object of the remote networks.
- Change the Netmask/Prefix Length from 255.255.255.254 to 255.255.255.0(or other subnet mask), then click OK.
Workaround 2
- Change the type of the address objects from Network to Range.
- Navigate to Objects|Match Objects |Addresses
- Click Configure button next to the address object of the remote networks.
- Change the Type from Network to Range.
- Set the Starting and Ending IP Addresses and then click OK.
How to Test
- Ping from the local network behind SonicWall appliance to the Remote 31-Bit subnet IP. And the traffic should be pass through the tunnel.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
- To check the Log Monitor, Navigate to Investigate | Logs | Event Logs, see if any error/prevention/block/failed logs related to the traffic.
EXAMPLE: IP spoof dropped alert in the log. Then try to find out why the icmp packets is dropped as IP spoof.
- To capture packets on the WAN interface, Navigate to Investigate | Tools | Packet Monitor. Click Configure at the bottom of the page. In this case, while pinging from LAN side of SonicWall to the remote gateway, the SonicWall is generating an ICMP redirect packet. So it looks like a routing issue rather than a site to site VPN one.
- Then on SonicWall firewall GUI navigate to Manage | Network | Routing, and check the route policies.
- From the route policy entry, check for see the Remote Address Object which has a 31-Bit subnet mask. Actually this is the root cause of the issue. The 31-Bit subnet mask is not supported by SonicOS yet. So the firewall appliance does not recognize the traffic from the specific network.
Background
With ever-increasing pressure to conserve IP address space on the Internet, it makes sense to consider where relatively minor changes can be made to fielded practice to improve numbering efficiency. One such change is to halve the amount of address space assigned to point-to-point links (common throughout the Internet infrastructure) by allowing the use of 31-bit subnet masks in a very limited way. Note that a point-to-point link in which only one end supports the use of 31- bit prefixes may not operate correctly.
RFC 3021 specifies an exception to this rule for 31-bit subnet masks, which means the host identifier is only one bit long for two permissible addresses. In such networks, usually point-to-point links, only two hosts (the end points) may be connected and a specification of network and broadcast addresses is not necessary.
Workaround 1
- Change the subnet mask of the address objects.
- Navigate to Manage | Policies | Objects | Address Objects.
- Click Configure button next to the address object of the remote networks.
- Change the Netmask/Prefix Length from 255.255.255.254 to 255.255.255.0(or other subnet mask), then click OK.
Workaround 2
- Change the type of the address objects from Network to Range.
- Navigate to Manage | Policies | Objects | Address Objects.
- Click Configure button next to the address object of the remote networks.
- Change the Type from Network to Range.
- Set the Starting and Ending IP Addresses and then click OK.
How to Test
- Ping from the local network behind SonicWall appliance to the Remote 31-Bit subnet IP. And the traffic should be pass through the tunnel.
See Also:
Site To Site VPN Tunnel Is Up But Only Passing Traffic In One Direction
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
