BWC Cybersecurity Overlord ✭✭✭
Comments
-
@NS2004 just a wild guess, do any of the certificates involved have a longer lifetime than 12 months (CA excluded)? Apple does a strict enforcement of the CA/B Forum rules and causes issues if Client/Server-Certs are valid for more than 390 days. Considering you're able to login with Credentials+MFA it shouldn't be a…
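A quick way to run the check suggested in the comment above, as an added example that is not part of the original post: pull `notBefore`/`notAfter` with `openssl x509 -in cert.pem -noout -subject -dates` for every certificate in the chain, then flag any non-CA certificate whose lifetime exceeds the threshold. The sample inventory below is constructed for illustration (no real certificates), the date format is the one `openssl` prints, and the 390-day threshold is the figure from the comment; Apple's published limit for TLS server certificates issued on or after 1 September 2020 is 398 days, which you can pass as `max_days` instead.

```python
from datetime import datetime, timezone

# Date format printed by `openssl x509 -noout -dates`,
# e.g. "notAfter=Jan  1 00:00:00 2025 GMT" (always GMT).
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Threshold taken from the comment above (390 days). Apple's published rule
# for TLS server certificates is 398 days; pass max_days=398 to use that.
MAX_LEAF_DAYS = 390


def parse_openssl_date(value: str) -> datetime:
    """Parse a 'notBefore=...' / 'notAfter=...' line (or the bare date) from openssl."""
    if "=" in value:
        value = value.split("=", 1)[1]
    return datetime.strptime(value.strip(), OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def lifetime_days(not_before: str, not_after: str) -> int:
    """Validity period in whole days between the two openssl date strings."""
    return (parse_openssl_date(not_after) - parse_openssl_date(not_before)).days


def check_lifetime(name: str, not_before: str, not_after: str,
                   is_ca: bool = False, max_days: int = MAX_LEAF_DAYS) -> dict:
    """Return a verdict for one certificate; CA certificates are excluded from the rule."""
    days = lifetime_days(not_before, not_after)
    if is_ca:
        return {"name": name, "days": days, "ok": True,
                "reason": "CA certificate, lifetime rule not applied"}
    ok = days <= max_days
    reason = "within limit" if ok else f"lifetime {days} days exceeds {max_days}"
    return {"name": name, "days": days, "ok": ok, "reason": reason}


# Constructed sample inventory (hypothetical names and dates, not real certificates).
# Each tuple: (name, notBefore line, notAfter line, is_ca)
SAMPLE_CERTS = [
    ("sma.example.com (leaf)",
     "notBefore=Jan  1 00:00:00 2023 GMT", "notAfter=Jan  1 00:00:00 2024 GMT", False),
    ("vpn-client-cert (leaf)",
     "notBefore=Jan  1 00:00:00 2023 GMT", "notAfter=Jan  1 00:00:00 2026 GMT", False),
    ("Example Root CA",
     "notBefore=Jan  1 00:00:00 2020 GMT", "notAfter=Jan  1 00:00:00 2030 GMT", True),
]


def audit(certs=SAMPLE_CERTS, max_days: int = MAX_LEAF_DAYS) -> list:
    """Check every certificate and return the list of verdicts."""
    return [check_lifetime(n, nb, na, ca, max_days) for n, nb, na, ca in certs]


def offenders(certs=SAMPLE_CERTS, max_days: int = MAX_LEAF_DAYS) -> list:
    """Names of non-CA certificates that exceed the threshold."""
    return [r["name"] for r in audit(certs, max_days) if not r["ok"]]


if __name__ == "__main__":
    for r in audit():
        print(f"{'OK ' if r['ok'] else 'BAD'} {r['name']}: {r['days']} days ({r['reason']})")
```

Run it against the real chain by replacing `SAMPLE_CERTS` with the `-subject`/`-dates` output of each certificate; anything listed by `offenders()` is a candidate for re-issuing with a shorter validity period before blaming the client.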
-
@rjbeswin this happened to me many times and was always related to Google Chrome, I had better luck with Firefox, which is my go-to browser for managing SNWL appliances today. --Michael@BWC
-
@Chojin you can activate some notifications in your MySonicWall Account, word on the street is usually faster than the SNWL notifications but it's better than nothing. Log into MySonicWall, Settings -> My Account -> Alarm and check the Notifications you like. --Michael@BWC
-
Changing the Interface MTU to 1500 bumps the PMTU to 1492 as expected, but this might be in conflict with VPN, need to play a bit further with it. IMHO the implementation is a bit wobbly, because MTU and PMTU should not differ, but for PPPoE on SNWL it's the case. --Michael@BWC
-
@emmotto then I have to throw the towel at this point, I'm somewhat 100% certain that it's FLB related, if possible for testing purposes remove X2 from FLB completely to see if this brings the routes back up. It might be a bug. When all LB States are marked as Available for all Interfaces then no route policy should be…
-
@emmotto did you see my update which I squeezed in? Does X2 have a LB Status "Available"? If not, this might result in your disabled Routes. --Michael@BWC
-
@emmotto is X3 configured in your Failover & Load Balancing Group? If yes, did you try to remove it? What about manually adding the "default" routes again, will this work until SonicWall Support figures out why they are disabled? Did you log in via ssh on the appliance and have a look at "show route-policies" to see if…
-
@jasni26 I never used Server DPI-SSL but is it possible that you upload a cert which contains both certs, your server cert + Sectigo Intermediate and have this bundle selected when configuring DPI-SSL? --Michael@BWC
-
@emmotto that's probably the explanation and my gibberish might put you in the right direction. IMHO you need 3 Default Rules to get an Interface properly working: IMHO Route #2 might be negligible, but #1 and #3 is a must and the Priority of these rules have to be lower (which is better) than another matching Route. Route…
-
@Robbert because we all need to keep cool down 😂 ... it's used for general announcements in the past, I think because there is no such thing as a general Firewall category. Hopefully it was just a messed up signature and it got resolved by now. --Michael@BWC
-
@emmotto do I get this correct, when you ping the IP of X2 from the Internet you can see the "echo request" arriving on X2 but the "echo reply" leaves the appliance on X3 according to the Packet Monitor? Did you double-check your Network Routes (sorted by Priority, All Types)? It really sounds like there is a route that…
-
@DavidDellacenta all production units are still at 1492 and no problems (not using GVC though), I'm only wrapping my head around this weird implementation and will do VPN related research at a later point in time. This is strictly a discussion about the topic and no specific issue. --Michael@BWC
-
@Robbert where did you come across the global.sonicwall.com DNS request, I did some digging and wasn't able to find it in my lab environment 👨‍🔬. If it's ZeroTouch related maybe it's because I disabled ZT on MSW, but I highly doubt that this request is usage dependent. I saw it mentioned on Reddit, but nowhere besides that.…
-
@DavidDellacenta maximum for the ping test is 1484 when X1 is set to 1492. I did not do any further research on that topic to examine some of the VPN related traffic. --Michael@BWC
-
@frank123 then we are talking site-to-site, I guess. It's either Site to Site or Tunnel Interface. Remote site: You defined a group object covering all local networks (including the GVC client network) and used that group as local network in your tunnel definition? Does the Active VPN Tunnel listing show multiple SAs…