Wednesday, April 10, 2013

Sonic Wall NSA 4500 Firewall: SSO And Port 80 (HTTP) Only Drops Intermittently

Picture this if you will.  You have 100 or so computers/devices on the network, as well as wireless access.  All wired computers and hosted phones work great, with the exception of one wired computer.  It seems to have this one issue where when you do something on port 80 (HTTP), it works great for about 2 minutes, then it drops out for about 10 to 15 seconds.  Then it works great again for about 2 minutes.  Then drops out again.  Back and forth, it never stops.  And it IS only port 80 traffic.  Nothing else.  No, its not a DNS issue, since I can do a constant ping to www.google.com in cmd.  Guess what, the fire alarm monitoring system does the same thing as well, except they are sending a UDP packet, on port 80, out to a public IP address.  They get alarms every two minutes, then it clears up.  Then they get alarms, then it clears up.  Back and forth.  Oh yeah, the guest wireless has that same issue as well.  They have a Brocade environment sitting behind a SonicWall 4500 (in HA mode).  This is a very odd problem.
As it turns out, I found the problem to be in the firewall.  I reasoned that since I could get to the web GUI on the SonicWall while I could not get to www.google.com (when the problem happened).  I think thats logical.  So I called up SonicWall, who was NOT real willing to be helpful.  By taking a packet capture off the firewall, I proved to SonicWall tech support that their firewall was the problem.  You see, the same traffic which is allowed is also blocked.  You see it being blocked below, then allowed.  No difference in source, destination, port, etc.  All the same.  See below.
 Here is a text version of the packet capture, you compare the two:
===============
Dropped Header

Ethernet Header
 Ether Type: IP(0x800), Src=[00:24:38:c2:56:00], Dst=[02:17:c5:d8:36:44]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.168.6.10], Dst=[12.29.157.29]
UDP Packet Header
 Src=[80], Dst=[80], Checksum=0xb7bb, Message Length=64 bytes
Application Header
 HTTP:
Value:[0]
DROPPED, Drop Code: 39, Module Id: 26, (Ref.Id: _4719_uyHtJcpfngKrRmv) 1:0)

===============
Allowed Header

Ethernet Header
 Ether Type: IP(0x800), Src=[00:24:38:c2:56:00], Dst=[02:17:c5:d8:36:44]
IP Packet Header
 IP Type: UDP(0x11), Src=[10.168.6.10], Dst=[12.29.157.29]
UDP Packet Header
 Src=[80], Dst=[80], Checksum=0xd698, Message Length=80 bytes
Application Header
 HTTP:
Value:[1]
Forwarded 5:2)

So I have SonicWall tech support telling me it is NOT their problem.  Its the network.  Ok, LOOK AT THIS CAPTURE!  Are you kidding me?  I was nice, but I had to argue with this guy that it was a firewall issue.  I have no ACLs on the core switch.  Nothing on the internal network would cause this.  But again, look at this capture.  I sent him the wireshark capture.  I sent him this screenshot, and he still says its wasnt his problem.
Well, when I finally convince him it IS his problem, he has to get a senior tech to look at it with him.  The senior tech ends up telling me is a SSO (single sign on) issue.  It turns out that since these particular computers and fire alarm monitoring system does not actually log into AD, for some reason the SonicWall behaves the way I described above. 
So here is what I did to fix the issue.  This was provided to me by the SonicWall tech support.  Man, I am not a SonicWall fan.
Posted by

9 comments:

  1. NanderAugust 22, 2013 at 12:21 PM

    Hi Brother!
    What are you SSO agent version ??

    Let me know it please.

    ReplyDelete
    Replies
    1. ShaneAugust 22, 2013 at 6:47 PM

      Hi Nander. I do not recall. Ive never done any SonicWall firewall work until this unit. I didnt even think to check the version.

      Delete
  2. NanderAugust 22, 2013 at 12:26 PM

    Another Thing....

    What kind are you using port 80 with UDP protocol ?

    ReplyDelete
  3. NanderAugust 23, 2013 at 8:45 AM

    Oh Sorry about that.

    But in your LOGs, the Drop packet are UDP in port 80. Did you check this?

    maybe it's a another kind of problem.

    Att
    Ernander
    Certified SonicWall Security Administrator

    ReplyDelete
    Replies
    1. ShaneAugust 25, 2013 at 10:49 PM

      Well, that is interesting. Im trying to recall what I was doing. Im can recall for sure what they were trying to send to the remote site, but you are right, it does say UDP in the log file. However, I couldnt even go to yahoo.com or anything like that. It was really strange to me, but I dont recall doing any UDP traffic. Interestingly though, the example packets show UDP. Ill have to think about that one. Again, all I did was regular web traffic to test with, so Im not sure why it shows up as UDP.

      Delete
  4. AnonymousNovember 26, 2013 at 8:38 PM

    Not sure if it is still an issue with you or not, but I found a solution on another Blogger's page. Not certain why it works (or why the whitelist feature doesn't work 100% of the time) but according to "Clyde" the module in "CFS" where it says "Enable HTTPS Content Filtering" causes the issue that you were mentioning. I turned it off (to my dismay) and it did work 100% of the time.

    ReplyDelete
    Replies
    1. ShaneNovember 26, 2013 at 9:43 PM

      Good info Stephen. Thank you. The 'fix the issue' link is what I did to fix it. But your post will help others. Thank you again.

      Delete
  5. AnonymousMarch 27, 2015 at 10:56 AM

    Good Stuff!!! Helped me out with a scan-to-email issue we were having. Added the printers to the white list and worked like a charm!!

    ReplyDelete

Your comment will be reviewed for approval. Thank you for submitting your comments.

Subscribe to: Post Comments (Atom)