Multiple firewalls on same public subnet


I have a /29 subnet provided by the ISP, and on this I have 2 x USG40 (ours) and 1 x SonicWall (not ours), with the setup as follows:

ISP managed Cisco gateway




The problem is that if the USGs lose power or WAN link, they will not reconnect whilst the SonicWall is online. Disconnect the SonicWall and refresh the WAN link and they connect OK; reconnect the SonicWall and all 3 work fine until the USGs lose power or WAN link.

Anybody any ideas?


  • Ian31 Member Posts: 137  Ally Member

    I'm wondering if the SonicWall has proxy ARP behavior.

    Here is something you can check:

    1. On USG40 using CLI,

    # ping

    # show arp-table, to check if you get the right MAC address of Cisco gateway

    2. On USG40 GUI, capture WAN interface traffic

    Go to MAINTENANCE -> Diagnostics -> Packet Capture

    Select your WAN interface, click the Capture button for 5 mins, and click Stop.

    Check the packets to see if the SonicWall replies to ARP as the Cisco gateway IP.

  • Zyxel_Cooldia Zyxel Official Agent Posts: 693  mod
    edited August 21, 2019 4:53PM

    @lan31, Thanks for the instruction.

    Hi @Darren

    Welcome to Zyxel Community. 😊

    You can follow lan31's instructions to troubleshoot this issue.

    Here is the CLI for your reference if you want to capture packets in real time.

    Router> packet-trace interface wan extension-filter arp -e

  • Darren Member Posts: 3

    Thanks Ian31/Zyxel_Cooldia

    Looking at the packet trace 12:33:11 I can see the USG40 on bc:99:11 send an ARP which is replied to by Cisco on f0:7f:06, which is what I would expect to see. Any ideas?

  • Zyxel_Cooldia Zyxel Official Agent Posts: 693  mod

    Hi @Darren ,

    It looks like a layer 2 issue. Do the USG and SonicWall connect to the Cisco gateway directly?

    Can you do the same test again, and post the show ARP table results of the 3 devices?

    Here we would like to see ARP tables of USG, Sonicwall, and Cisco gateway during the test.

    USG CLI:

    Router> show arp-table

  • Darren Member Posts: 3

    Above is the 2 x USG's

    Below is the Sonicwall

    Below is the arp table for CES00011087 Cisco

    Internet         -  f07f.0694.154f ARPA  Vlan10

    Internet         6  18b1.693e.0119 ARPA  Vlan10

    Internet         2  18b1.693e.0119 ARPA  Vlan10

    Internet       223  18b1.693e.0119 ARPA  Vlan10

    Internet         3  bc99.11c5.1712 ARPA  Vlan10

    Internet         0  bc99.11d6.37d9 ARPA  Vlan10

    Hi Zyxel_Cooldia

    Please see ARP tables

    All 3 devices are connected to a Netgear switch (plug and play)

    My concern here is that the USGs show the SonicWall MAC for their own IP, and the SonicWall shows entries for 195 & 196, which are spare IPs and not assigned to any service on the SonicWall, or so the SonicWall people tell me.

  • Zyxel_Cooldia Zyxel Official Agent Posts: 693  mod

    Hi @Darren

    Each device's ARP table matches in your screenshot. It looks good at layer 2.

    In this situation, if you ping from a USG40 LAN-side host to the Cisco gateway IP, does the Cisco gateway reply with ICMP request?

    If you capture packets on the USG WAN interface, can you see the ICMP request and reply on the USG40 WAN interface?

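Added example, not part of the thread: a Python check for the two things the posters look for in the ARP tables, namely one MAC answering for several addresses (as proxy ARP would produce) and ARP entries for addresses nobody has assigned. The input is a constructed table in Cisco IOS `show ip arp` layout; the MACs are those in the Cisco table above, while the 192.0.2.x addresses and the `ASSIGNED` inventory are placeholders, because the posted table has no address column.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed input in Cisco IOS "show ip arp" layout. MACs are the ones in the
# thread's Cisco table; the 192.0.2.x addresses are placeholders.
SAMPLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.193             -   f07f.0694.154f  ARPA   Vlan10
Internet  192.0.2.194             6   18b1.693e.0119  ARPA   Vlan10
Internet  192.0.2.195             2   18b1.693e.0119  ARPA   Vlan10
Internet  192.0.2.196           223   18b1.693e.0119  ARPA   Vlan10
Internet  192.0.2.197             3   bc99.11c5.1712  ARPA   Vlan10
Internet  192.0.2.198             0   bc99.11d6.37d9  ARPA   Vlan10
"""
# Hypothetical inventory: addresses actually configured on a device.
ASSIGNED = {"192.0.2.193", "192.0.2.194", "192.0.2.197", "192.0.2.198"}

ROW = re.compile(r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(?:-|\d+)\s+"
                 r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+ARPA\s+\S+$", re.I)

def norm_mac(mac):
    """Normalise dotted, dashed or colon MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Return (ip, mac) for every data row; header and junk lines are skipped."""
    hits = (ROW.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), norm_mac(m.group(2))) for m in hits if m]

def macs_with_multiple_ips(rows):
    """MACs that answer for more than one address, with those addresses."""
    by_mac = defaultdict(list)
    for ip, mac in rows:
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}

def unassigned_claims(rows, assigned):
    """ARP entries for addresses that are not in the assigned inventory."""
    return [(ip, mac) for ip, mac in rows if ip not in assigned]

if __name__ == "__main__":
    rows = parse_arp(SAMPLE)
    for mac, ips in macs_with_multiple_ips(rows).items():
        print(f"{mac} answers for {', '.join(ips)}")
    for ip, mac in unassigned_claims(rows, ASSIGNED):
        print(f"{ip} is unassigned but resolves to {mac}")
```

A MAC holding several addresses is not a fault by itself, since a firewall can legitimately own more than one WAN IP; the entries worth chasing are those for addresses that belong to another device or to none.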