Multiple firewalls on same public subnet

Hi

I have a /29 subnet provided by the ISP, and on this I have 2 x USG40 (ours) and 1 x Sonicwall (not ours), set up as follows:

ISP managed Cisco gateway 92.208.175.193/29

Sonicwall 92.208.175.194/29

USG40 92.208.175.197/29

USG40 92.208.175.198/29

The problem is that if the USGs lose power or WAN link they will not reconnect while the Sonicwall is online. Disconnect the Sonicwall and refresh the WAN link and they connect OK; reconnect the Sonicwall and all 3 work fine until the USGs lose power or WAN link again.

Anybody any ideas?

Comments

  • Ian31 Member Posts: 118  Ally Member

    I'm wondering if SonicWall has proxy arp behavior.

    Here is something you can check:

    1. On USG40 using CLI,

    # ping 92.208.175.193

    # show arp-table  (to check if you get the right MAC address of the Cisco gateway)

    2. On USG40 GUI, capture WAN interface traffic:

    Go to MAINTENANCE -> Diagnostics -> Packet Capture

    Select your WAN interface, click the Capture button, wait 5 mins, and click Stop.

    Check the packets to see if the Sonicwall replies to ARP for the Cisco gateway IP 92.208.175.193.

  • Zyxel_Cooldia Zyxel Official Agent Posts: 538  mod
    edited August 21, 2019 4:53PM

    @Ian31, thanks for the instruction.

    Hi @Darren

    Welcome to Zyxel Community. 😊

    You can follow Ian31's instructions to troubleshoot this issue.

    Here is the CLI for your reference if you want to capture packets in real time:

    Router> packet-trace interface wan extension-filter arp -e

  • Darren Member Posts: 3

    Thanks Ian31/Zyxel_Cooldia

    Looking at the packet trace at 12:33:11, I can see the USG40 on bc:99:11 send an ARP, which is replied to by the Cisco on f0:7f:06, which is what I would expect to see. Any ideas?

  • Zyxel_Cooldia Zyxel Official Agent Posts: 538  mod

    Hi @Darren ,

    It looks like a layer 2 issue. Do the USG and Sonicwall connect to the Cisco gateway directly?

    Can you do the same test again and post the show ARP table results from all 3 devices?

    Here we would like to see the ARP tables of the USG, Sonicwall, and Cisco gateway during the test.


    USG CLI:

    Router> show arp-table

  • Darren Member Posts: 3

    [USG40 ARP table screenshots]

    Above are the 2 x USGs


    Below is the Sonicwall

    [Sonicwall ARP table screenshot]
    Below is the arp table for CES00011087 92.207.175.193 Cisco

    Internet 92.207.175.193         -  f07f.0694.154f ARPA  Vlan10

    Internet 92.207.175.194         6  18b1.693e.0119 ARPA  Vlan10

    Internet 92.207.175.195         2  18b1.693e.0119 ARPA  Vlan10

    Internet 92.207.175.196       223  18b1.693e.0119 ARPA  Vlan10

    Internet 92.207.175.197         3  bc99.11c5.1712 ARPA  Vlan10

    Internet 92.207.175.198         0  bc99.11d6.37d9 ARPA  Vlan10

    Hi Zyxel_Cooldia

    Please see ARP tables.

    All 3 devices are connected to a Netgear switch (plug and play).

    My concern here is that the USGs show the Sonicwall MAC for their own IP, and the Sonicwall shows entries for 195 & 196, which are spare IPs and not assigned to any service on the Sonicwall, or so the Sonicwall people tell me.

  • Zyxel_Cooldia Zyxel Official Agent Posts: 538  mod

    Hi @Darren

    Each device's ARP table matches from your screenshots. It looks good at layer 2.

    In this situation, if you ping from a USG40 LAN-side host to the Cisco gateway IP 92.208.175.193 and to 8.8.8.8, does the Cisco gateway reply to the ICMP request? If you capture packets on the USG WAN interface, can you see the ICMP request and reply on the USG40 WAN interface?

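The checks Ian31 suggested (is one box answering ARP for addresses it does not own?) and the Cisco ARP table Darren posted can be turned into a small script. The following is an added example, not code from the thread or from Zyxel; it parses Cisco-style `show ip arp` output and flags a single MAC claiming several IPs (proxy-ARP-like behaviour) and a device's own IP learned with a foreign MAC. The sample table is constructed from the values posted above, and the "expected owner" MACs are assumed for illustration.

```python
"""Spot ARP anomalies on a shared public /29 from Cisco 'show ip arp' output."""
import re
from collections import defaultdict

# Constructed sample, modelled on the Cisco ARP table posted in the thread.
SAMPLE_ARP = """\
Internet 92.207.175.193         -  f07f.0694.154f ARPA  Vlan10
Internet 92.207.175.194         6  18b1.693e.0119 ARPA  Vlan10
Internet 92.207.175.195         2  18b1.693e.0119 ARPA  Vlan10
Internet 92.207.175.196       223  18b1.693e.0119 ARPA  Vlan10
Internet 92.207.175.197         3  bc99.11c5.1712 ARPA  Vlan10
Internet 92.207.175.198         0  bc99.11d6.37d9 ARPA  Vlan10
"""

# Cisco format: "Internet <ip> <age|-> <xxxx.xxxx.xxxx> ARPA <interface>"
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(\S+)"
)


def parse_arp(text):
    """Return {ip: mac} from 'show ip arp' output; lines that do not match are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def macs_claiming_multiple_ips(table, threshold=2):
    """MACs that answer for at least `threshold` IPs, sorted IP lists per MAC.

    A firewall doing proxy ARP (or holding unused NAT addresses) looks like this."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) >= threshold}


def foreign_mac_for_own_ip(table, owners):
    """IPs whose learned MAC differs from the MAC their owner reports.

    `owners` is {ip: mac} as read from each device's own interface (assumed input).
    Returns {ip: (learned_mac, owner_mac)} for every mismatch present in the table."""
    mismatches = {}
    for ip, own_mac in owners.items():
        learned = table.get(ip)
        if learned is not None and learned != own_mac.lower():
            mismatches[ip] = (learned, own_mac.lower())
    return mismatches
```

Run `macs_claiming_multiple_ips(parse_arp(SAMPLE_ARP))` to see the Sonicwall MAC answering for .194, .195 and .196, which is exactly the pattern Darren was worried about.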