Multiple firewalls on same public subnet
Hi
I have a /29 subnet provided by the ISP, and on it I have 2 x USG40 (ours) and 1 x SonicWall (not ours), set up as follows:
ISP managed Cisco gateway 92.208.175.193/29
Sonicwall 92.208.175.194/29
USG40 92.208.175.197/29
USG40 92.208.175.198/29
The problem is that if the USGs lose power or the WAN link, they will not reconnect while the SonicWall is online. Disconnect the SonicWall and refresh the WAN link and they connect OK; reconnect the SonicWall and all 3 work fine until a USG loses power or its WAN link again.
Anybody have any ideas?
Comments
-
I'm wondering if the SonicWall has proxy ARP behavior.
Here is something you can check:
1. On the USG40, using the CLI:
# ping 92.208.175.193
# show arp-table, to check whether you get the right MAC address for the Cisco gateway
2. On the USG40 GUI, capture WAN interface traffic:
Go to MAINTENANCE -> Diagnostics -> Packet Capture
Select your WAN interface, click the Capture button, wait 5 mins, and click Stop.
Check the packets to see whether the SonicWall replies to ARP for the Cisco gateway IP 92.208.175.193.
1 -
@lan31, thanks for the instructions.
Hi @Darren
Welcome to the Zyxel Community.
You can follow lan31's instructions to troubleshoot this issue.
Here is the CLI command for your reference if you want to capture packets in real time:
Router> packet-trace interface wan extension-filter arp -e
0 -
Thanks lan31/Zyxel_Cooldia.
Looking at the packet trace at 12:33:11, I can see the USG40 on bc:99:11 send an ARP request, which is replied to by the Cisco on f0:7f:06, which is what I would expect to see. Any ideas?
0 -
Hi @Darren ,
It looks like a layer 2 issue. Do the USGs and the SonicWall connect to the Cisco gateway directly?
Can you do the same test again and post the ARP table output from all 3 devices?
We would like to see the ARP tables of the USG, the SonicWall, and the Cisco gateway during the test.
USG CLI:
Router> show arp-table
0 -
Above are the 2 x USGs.
Below is the SonicWall.
Below is the ARP table for CES00011087 92.207.175.193 (Cisco):
Protocol Address Age (min) Hardware Addr Type Interface
Internet 92.207.175.193 - f07f.0694.154f ARPA Vlan10
Internet 92.207.175.194 6 18b1.693e.0119 ARPA Vlan10
Internet 92.207.175.195 2 18b1.693e.0119 ARPA Vlan10
Internet 92.207.175.196 223 18b1.693e.0119 ARPA Vlan10
Internet 92.207.175.197 3 bc99.11c5.1712 ARPA Vlan10
Internet 92.207.175.198 0 bc99.11d6.37d9 ARPA Vlan10
Please see the ARP tables.
All 3 devices are connected to a Netgear switch (plug and play).
My concern here is that the USGs show the SonicWall MAC for their own IPs, and the SonicWall
shows entries for .195 and .196, which are spare IPs not assigned to any service on the SonicWall, or so the SonicWall people tell me.
0 -
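As an added example, not part of the thread and not a Zyxel, SonicWall or Cisco tool: a small Python script that parses ARP table output in the Cisco format posted above and flags (a) a MAC address that answers for more than one IP in the subnet, which is what a proxy-ARP device looks like from the gateway, and (b) ARP replies for an IP that come from a MAC other than the one a reference table lists, which is what lan31's packet-capture step is looking for. The Cisco table text is the one posted in the thread; the list of ARP replies is constructed for the example (it includes one constructed reply for the gateway address from the MAC the Cisco table shows on .194/.195/.196) and does not reflect a capture from this network. The colon- and dash-separated MAC formats the normaliser accepts are assumed for the USG and SonicWall outputs.

```python
import re
from collections import defaultdict

# Cisco "show ip arp" lines as posted in the thread (the gateway's table, no header).
CISCO_ARP_TABLE = """\
Internet 92.207.175.193 - f07f.0694.154f ARPA Vlan10
Internet 92.207.175.194 6 18b1.693e.0119 ARPA Vlan10
Internet 92.207.175.195 2 18b1.693e.0119 ARPA Vlan10
Internet 92.207.175.196 223 18b1.693e.0119 ARPA Vlan10
Internet 92.207.175.197 3 bc99.11c5.1712 ARPA Vlan10
Internet 92.207.175.198 0 bc99.11d6.37d9 ARPA Vlan10
"""

# Constructed ARP replies as a WAN-side capture would list them: (sender IP, sender MAC).
# NOT from the thread. The second entry models a proxy-ARP reply for the gateway address
# coming from the MAC that the Cisco table shows on .194/.195/.196.
ARP_REPLIES = [
    ("92.207.175.193", "f0:7f:06:94:15:4f"),
    ("92.207.175.193", "18:b1:69:3e:01:19"),
    ("92.207.175.197", "bc:99:11:c5:17:12"),
]

CISCO_ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F.:-]+)\s+ARPA\s+(?P<intf>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Reduce 'f07f.0694.154f', 'f0:7f:06:94:15:4f' or 'F0-7F-06-94-15-4F' to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_cisco_arp(text: str) -> dict:
    """Return {ip: normalized_mac} from Cisco 'show ip arp' output; header and other lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = CISCO_ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = normalize_mac(m.group("mac"))
    return table


def macs_claiming_multiple_ips(arp_table: dict) -> dict:
    """Invert the table and keep only MACs that own more than one IP (proxy ARP or a multi-IP host)."""
    by_mac = defaultdict(list)
    for ip, mac in arp_table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def conflicting_arp_replies(replies, reference: dict) -> list:
    """Replies whose sender MAC differs from the MAC the reference table lists for that IP."""
    conflicts = []
    for ip, mac in replies:
        mac = normalize_mac(mac)
        expected = reference.get(ip)
        if expected is not None and mac != expected:
            conflicts.append((ip, mac, expected))
    return conflicts


def arp_table_disagreements(table_a: dict, table_b: dict) -> dict:
    """IPs present in both tables whose MACs differ, e.g. a USG's table versus the Cisco's."""
    shared = table_a.keys() & table_b.keys()
    return {ip: (table_a[ip], table_b[ip]) for ip in shared if table_a[ip] != table_b[ip]}


if __name__ == "__main__":
    gateway_table = parse_cisco_arp(CISCO_ARP_TABLE)
    for mac, ips in macs_claiming_multiple_ips(gateway_table).items():
        print(f"MAC {mac} answers for {len(ips)} addresses: {', '.join(ips)}")
    for ip, seen, expected in conflicting_arp_replies(ARP_REPLIES, gateway_table):
        print(f"ARP reply for {ip} from {seen}, but the gateway table lists {expected}")
```

Run against the posted table, the first check reports 18b1.693e.0119 answering for .194, .195 and .196; that on its own only says one MAC owns three addresses, which is consistent with either proxy ARP or a firewall that legitimately holds extra public IPs. The second check is the one that matters for the symptom in the thread: any reply for the gateway address from a MAC other than the Cisco's is what would poison a USG's ARP cache while it is recovering its WAN link. Paste each device's table into `arp_table_disagreements` to see where the USGs and the Cisco disagree.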
Hi @Darren
Each device's ARP table matches the others in your screenshots. It looks good at layer 2.
In this situation, if you ping from a USG40 LAN-side host to the Cisco gateway IP 92.208.175.193 and to 8.8.8.8,
does the Cisco gateway reply to the ICMP request? If you capture packets on the USG WAN interface,
can you see the ICMP request and reply on the USG40 WAN interface?
0