Multiple firewalls on same public subnet

Darren
Darren Posts: 7
edited April 2021 in Security

Hi

I have a /29 subnet provided by the ISP and on this I have 2 x USG40 (ours) and 1 x Sonicwall (not ours), set up as follows

ISP managed Cisco gateway 92.208.175.193/29

Sonicwall 92.208.175.194/29

USG40 92.208.175.197/29

USG40 92.208.175.198/29

The problem is, if the USGs lose power or the WAN link they will not reconnect whilst the Sonicwall is online. Disconnect the Sonicwall and refresh the WAN link and they connect OK; reconnect the Sonicwall and all 3 work fine until the USGs lose power or the WAN link again.

Anybody got any ideas?

Comments

  • Ian31
    Ian31 Posts: 165  Master Member

    I'm wondering if SonicWall has proxy arp behavior.

    Here is something you can check:

    1. On USG40 using CLI,

    # ping 92.208.175.193

    # show arp-table, to check if you get the right MAC address of the Cisco gateway


    2. On USG40 GUI, capture WAN interface traffic

    Go to MAINTENANCE -> Diagnostics -> Packet Capture

    select your WAN interface, click the Capture button for 5 mins, and click Stop

    Check the packets to see if the SonicWall replies to ARP for the Cisco gateway IP 92.208.175.193

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee
    edited August 2019

    @Ian31, thanks for the instructions.

    Hi @Darren

    Welcome to Zyxel Community.

    You can follow Ian31's instructions to troubleshoot this issue.

    Here is the CLI for your reference if you want to capture packets in real time.

    Router> packet-trace interface wan extension-filter arp -e

  • Darren
    Darren Posts: 7

    Thanks Ian31/Zyxel_Cooldia

    Looking at the packet trace at 12:33:11 I can see the USG40 on bc:99:11 send an ARP which is replied to by the Cisco on f0:7f:06, which is what I would expect to see. Any ideas?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    Hi @Darren ,

    It looks like a layer 2 issue. Do the USGs and the Sonicwall connect to the Cisco gateway directly?

    Can you do the same test again, and post the ARP table results of all 3 devices?

    Here we would like to see ARP tables of USG, Sonicwall, and Cisco gateway during the test.


    USG CLI:

    Router> show arp-table

  • Darren
    Darren Posts: 7


    Above is the 2 x USG's


    Below is the Sonicwall


    Below is the arp table for CES00011087 92.207.175.193 Cisco

    Internet 92.207.175.193         -  f07f.0694.154f ARPA  Vlan10

    Internet 92.207.175.194         6  18b1.693e.0119 ARPA  Vlan10

    Internet 92.207.175.195         2  18b1.693e.0119 ARPA  Vlan10

    Internet 92.207.175.196       223  18b1.693e.0119 ARPA  Vlan10

    Internet 92.207.175.197         3  bc99.11c5.1712 ARPA  Vlan10

    Internet 92.207.175.198         0  bc99.11d6.37d9 ARPA  Vlan10

    Hi Zyxel_Cooldia

    Please see ARP tables

    All 3 devices are connected to a Netgear switch (plug and play)

    My concern here is that the USGs show the Sonicwall MAC for their own IP, and the Sonicwall shows entries for 195 & 196, which are spare IPs and not assigned to any service on the Sonicwall, or so the Sonicwall people tell me.
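    The shared-MAC pattern visible in the Cisco table above (one MAC answering for .194, .195 and .196) can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from Zyxel: it parses the Cisco `show ip arp` rows as posted, reports any MAC that is learned for more than one IP (a proxy-ARP or duplicate-IP indicator), and compares learned MACs against an owner map; that `EXPECTED` map is an assumption built from the MACs the thread attributes to each box.

```python
import re
from collections import defaultdict

# Cisco "show ip arp" row layout as pasted in the thread:
#   Internet <ip> <age|-> <xxxx.xxxx.xxxx> ARPA <interface>
CISCO_ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)


def parse_cisco_arp(text):
    """Return (ip, mac) pairs from Cisco ARP output; non-matching lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = CISCO_ARP_RE.match(line.strip())
        if m:
            rows.append((m.group("ip"), m.group("mac").lower()))
    return rows


def macs_answering_multiple_ips(rows):
    """Map each MAC seen for more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(set)
    for ip, mac in rows:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def ownership_mismatches(rows, expected):
    """IPs whose learned MAC differs from the owner's MAC: {ip: (learned, expected)}."""
    learned = dict(rows)
    return {ip: (learned.get(ip), mac) for ip, mac in expected.items()
            if learned.get(ip) != mac}


# ARP table of the Cisco gateway, copied from the post above.
CISCO_ARP = """\
Internet 92.207.175.193         -  f07f.0694.154f ARPA  Vlan10
Internet 92.207.175.194         6  18b1.693e.0119 ARPA  Vlan10
Internet 92.207.175.195         2  18b1.693e.0119 ARPA  Vlan10
Internet 92.207.175.196       223  18b1.693e.0119 ARPA  Vlan10
Internet 92.207.175.197         3  bc99.11c5.1712 ARPA  Vlan10
Internet 92.207.175.198         0  bc99.11d6.37d9 ARPA  Vlan10
"""

# Assumed owner map: which MAC should hold each address, per the thread's description.
EXPECTED = {
    "92.207.175.194": "18b1.693e.0119",  # Sonicwall
    "92.207.175.197": "bc99.11c5.1712",  # USG40 #1
    "92.207.175.198": "bc99.11d6.37d9",  # USG40 #2
}
```

    Feeding the same functions a USG's own ARP table (once converted to (ip, mac) pairs) would show the mismatch Darren describes, where a USG's IP is learned against the Sonicwall MAC.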

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    Hi @Darren

    Each device's ARP table matches in your screenshot. It looks good at layer 2.

    In this situation, if you ping from a USG40 LAN side host to the Cisco gateway IP 92.208.175.193 and to 8.8.8.8,

    does the Cisco gateway reply to the ICMP request? If you capture packets on the USG WAN interface,

    can you see the ICMP request and reply on the USG40 WAN interface?
