7 Replies Latest reply on Nov 7, 2013 8:24 AM by noor

    NetVanta 3430 configuration with SonicWall TZ 210

    retech New Member

      We're currently trying to upgrade our internet service and have an existing SonicWall TZ 210 connected to a Cisco 2600 router for a single T1 connection.  Our new connection uses the same SonicWall but connects to an AdTran NetVanta 3430 with 2 T1s.  The configurations should be the same as we are keeping our existing ISP and external block of IP addresses.  The problem is as soon as we make the change over we lose the link (can no longer ping the internet from the sonicwall). Our ISP claims they can ping the internet from within the new Netvanta router so they believe it's our firewall that's the problem, yet if we change it all back (back to single T1 and cisco router) instantly everything works again.

       

      Has anyone heard of anything similar to this or is there something known to look for that might be missing or not provided within the new router to the sonicwall that would have been provided by the cisco before?

       

      I realize there are a lot of blanks to fill in but here's a few, all interfaces are exactly the same ip addresses on each router (old and new) and the only ip route statement in each router is a 0.0.0.0 0.0.0.0 route

       

      I can provide the configs for each router if that would be helpful.

       

      Also the Firewall gets a new entry from the new router in the ARP table so I know the firewall sees the new device...

       

      Thank you for your time.

        • Re: NetVanta 3430 configuration with SonicWall TZ 210
          jayh Hall_of_Fame

          Configurations would be useful.  Quick things to check for a minimal configuration:

           

          • Do you have the default route to the provider end of the multilink T1s: "ip route 0.0.0.0 0.0.0.0 www.xxx.yyy.zzz"?
          • Is the firewall on the 3430 disabled: "no ip firewall"?
          • Can you ping both the Sonicwall (may need to enable it as a rule) and an external Internet address from the 3430?
          1 of 1 people found this helpful
            • Re: NetVanta 3430 configuration with SonicWall TZ 210
              retech New Member

              Thanks for the quick response.

               

              Should I attach the configs or paste them in to a reply?

               

              both have the same ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137

               

              I don't see a line of just no ip firewall but there are two others that are similar "no ip firewall alg msn" and "no ip firewall alg h323"

              The firewall was one of my concerns when I read that this unit has that capability today.

               

              I just enabled ping response today on the sonicwall because we couldn't ping the external side of the sonicwall last night when we were trying to turn up and test.  The tech did claim that they could ping the internet address from the 3430.

               

              Message was edited by: retech

              AdTran NetVanta 3430 Config:

              !

              clock timezone 0

              clock no-auto-correct-DST

              !

              !

              ip subnet-zero

              ip classless

              ip routing

              !

              no auto-config

              !

              event-history on

              no logging forwarding

              no logging email

              !

              service password-encryption

              !

              !

              no ip firewall alg msn

              no ip firewall alg h323

              !

              no dot11ap access-point-controller

              !

              interface eth 0/1

              description LAN Block xxx.yyy.zz.192/27

              ip address xxx.yyy.zz.193  255.255.255.224

              no ip proxy-arp

              no shutdown

              no lldp send-and-receive

              !

              !

              interface eth 0/2

              description Not in USE!

              no ip address

              shutdown

              no lldp send-and-receive

              !

              interface t1 1/1

              description xxxxxxx

              tdm-group 1 timeslots 1-24 speed 64

              no shutdown

              !

              interface t1 1/2

              description xxxxxxx

              clock source through

              tdm-group 1 timeslots 1-24 speed 64

              no shutdown

              !

              interface ppp 1

              description xxxxxx

              ip address   xx.yyy.z.138     255.255.255.252

              ip ffe

              ppp multilink

              no shutdown

              cross-connect 1 t1 1/1 1 ppp 1

              cross-connect 2 t1 1/2 1 ppp 1

              !

              !

              ip access-list standard VtyAccess

              remark xxxxx

              permit xxx.yyy.zzz.128 0.0.0.127

              !

              !

              !

              ip route 0.0.0.0 0.0.0.0  xx.yyy.z.137

               

              !

              !

              no ip tftp server

              no ip tftp server overwrite

              no ip http server

              no ip http secure-server

              no ip snmp agent

              no ip ftp server

              ip ftp server default-filesystem flash

              no ip scp server

              no ip sntp server

              !

              !

              line con 0

              login local-userlist

              !

              line telnet 0 4

              login local-userlist

              no shutdown

              access-class VtyAccess in

              line ssh 0 4

              login local-userlist

              no shutdown

              access-class VtyAccess in

              !

              exit

              !

              ntp peer xxx.y.zz.28

              !

               

              Message was edited by: retech

              Cisco 2600 Config:

              xxxxx#show config

              Using 1215 out of 29688 bytes

              !

              version 12.0

              service timestamps debug datetime localtime show-timezone

              service timestamps log datetime localtime show-timezone

              no service password-encryption

              !

              hostname xxxxx

              !

              logging buffered 8012 debugging

              enable password

              !

              !

              !

              !

              !

              memory-size iomem 25

              clock timezone CST -6

              clock summer-time CDT recurring

              ip subnet-zero

              no ip source-route

              no ip finger

              ip name-server xxx.yyy.z.65

              ip name-server xxx.yyy.z.65

              !

              isdn voice-call-failure 0

              !

              !

              !

              interface FastEthernet0/0

              description xxxxx

              ip address xxx.yyy.zz.193 255.255.255.224

              no ip directed-broadcast

              duplex auto

              speed auto

              !

              interface Serial0/0

              description xxxxx

              ip address xx.yyy.z.138 255.255.255.252

              no ip directed-broadcast

              no ip mroute-cache

              no fair-queue

              !

              interface BRI0/0

              no ip address

              no ip directed-broadcast

              shutdown

              isdn guard-timer 0 on-expiry accept

              !

              interface FastEthernet0/1

              no ip address

              no ip directed-broadcast

              shutdown

              duplex auto

              speed auto

              !

              ip classless

              ip route 0.0.0.0 0.0.0.0 xx.yyy.z.137

              no ip http server

              !

              !

              line con 0

              transport input none

              line aux 0

              line vty 0 4

              password login

              !

              ntp server xxx.yy.zz.1

              ntp server xxx.yy.zz.20

              no scheduler allocate

              end

                • Re: NetVanta 3430 configuration with SonicWall TZ 210
                  jayh Hall_of_Fame

                  Looks OK, you can try adding "no ip firewall" from the config prompt and see if that fixes it.

                   

                  Or, you can leave the firewall on with a simple ruleset.

                   

                  ip access-list standard allow-all-list

                    permit any

                   

                  ip access-list extended ether-in-list

                    permit ip any xxx.yyy.zz.192  0.0.0.31   ! < xxx.yy.zz is your LAN block here

                   

                  ip access-list extended ether-out-list

                    permit ip xxx.yyy.zz.192  0.0.0.31 any

                   

                  ip policy-class Public

                    allow list ether-in-list policy Ethernet

                    allow list allow-all-list self

                   

                  ip policy-class Ethernet

                    allow list ether-out-list policy Public

                    allow list allow-all-list self

                   

                  interface ppp 1

                    ip access-policy Public

                   

                  interface eth 0/1   ! LAN interface, named as in the 3430 config above

                    ip access-policy Ethernet

                   

                   

                  If all else fails, from the Adtran can you:

                  • ping both the Sonicwall and a host on the Internet
                  • paste "show ip route" output
                  • paste "show arp" output
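
An added example, not part of jayh's post and not Adtran tooling: a small Python check, run over a constructed config in the thread's syntax, that the default-route next hop sits on a connected subnet and that the ACL wildcard (0.0.0.31) really matches the LAN interface's /27 block. The RFC 5737 addresses, `SAMPLE_CONFIG`, `parse` and `check` are assumptions introduced here because the page's addresses are redacted.

```python
import ipaddress
import re

# Constructed sample in the thread's syntax; RFC 5737 addresses replace the redacted ones.
SAMPLE_CONFIG = """\
ip firewall
interface eth 0/1
  ip address 192.0.2.193 255.255.255.224
interface ppp 1
  ip address 198.51.100.138 255.255.255.252
ip access-list extended ether-in-list
  permit ip any 192.0.2.192 0.0.0.31
ip access-list extended ether-out-list
  permit ip 192.0.2.192 0.0.0.31 any
ip route 0.0.0.0 0.0.0.0 198.51.100.137
"""

def parse(config):
    """Collect interface subnets, ACL networks, default gateway and firewall state."""
    state = {"firewall": False, "interfaces": {}, "acl_nets": set(), "default_gw": None}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
        elif (m := re.match(r"ip address (\S+)\s+(\S+)$", line)) and current:
            state["interfaces"][current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif line == "ip firewall":
            state["firewall"] = True
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0\s+(\S+)$", line):
            state["default_gw"] = ipaddress.ip_address(m[1])
        elif line.startswith("permit ip "):
            # ACL entries use wildcard (host) masks; ipaddress accepts that form directly.
            for net, wild in re.findall(r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)", line):
                state["acl_nets"].add(ipaddress.ip_network(f"{net}/{wild}"))
    return state

def check(config, lan_if="eth 0/1"):
    """Return findings for the default-route and LAN-block checks from the thread."""
    s, findings = parse(config), []
    gw = s["default_gw"]
    if gw is None:
        findings.append("no default route")
    elif not any(gw in net for net in s["interfaces"].values()):
        findings.append(f"default gateway {gw} is not on a connected subnet")
    lan = s["interfaces"].get(lan_if)
    if s["firewall"] and lan is not None and lan not in s["acl_nets"]:
        findings.append(f"firewall on but no ACL entry matches LAN block {lan}")
    return findings
```
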
                    • Re: NetVanta 3430 configuration with SonicWall TZ 210
                      retech New Member

                      Thanks for the additional options!

                      I will give those a try tonight again (can't switch back over until after 6pm CST due to use of the current setup).

                       

                      We did try putting in "no ip firewall" but it didn't seem to change anything last night.

                       

                      From within the adtran we can ping the wan interface of the sonicwall and the internet, but I didn't know about the show ip route and show arp options.

                      From the sonicwall I can ping the eth interface of the adtran but not the ppp interface or beyond.

                      From my desktop (goes out a separate firewall and separate 3mb connection) I can ping the ppp interface of the adtran but it stops there when actually trying to ping the wan interface of the sonicwall (with the cisco I can trace route all the way through to the wan interface of the sonicwall).

                      From a test laptop that is set to only use this link (sonicwall set as gateway) we are trying to upgrade it stops at the network interface of the sonicwall when trying to ping my other 3mb connection (basically trace routing to an internet ip)  (with the cisco in place it trace routes all the way through to the other 3mb connection we have).  The cisco trace routes were done yesterday so I could provide my ISP with documentation supporting that it looks to be dropping in the adtran but they don't agree.

                       

                      Here's why they don't agree, we also connected a laptop just using the same static ip and subnet as the sonicwall has assigned and the laptop can get through the adtran to the internet?

                       

                      I'm starting to wonder what's really causing the issue here.  I am looking at the option of getting sonicwall support online to look at the sonicwall at the same time in case the sonicwall is dropping all packets from the adtran for some reason.

                       

                      Being a newbie here, I am wondering, can I mark your response as helpful and come back and mark it as correct if your options fix the issue tonight?

                       

                      Thanks again for all the help!

                        • Re: NetVanta 3430 configuration with SonicWall TZ 210
                          jayh Hall_of_Fame

                          retech wrote:

                          Here's why they don't agree, we also connected a laptop just using the same static ip and subnet as the sonicwall has assigned and the laptop can get through the adtran to the internet?

                           

                          I'm starting to wonder what's really causing the issue here.  I am looking at the option of getting sonicwall support online to look at the sonicwall at the same time in case the sonicwall is dropping all packets from the adtran for some reason.

                           

                           

                          Oh really!  Check if there's a static ARP entry in the Sonicwall for the Cisco.  I'm not a Sonicwall expert so can't advise exactly where to look for this but it sounds like you're on to it.  Typical ARP timeout I think is 20 minutes for Sonicwall.  You may have to either reboot the Sonicwall or wait, or try a ping from the Adtran to give it an ARP.

                           

                          Alternatively, unless you need some features unique to the Sonicwall consider removing it and using the Adtran as the firewall as well as Internet router.

                           

                          Curiously, Adtran was at one point private-branding Sonicwalls under the Adtran label but I think they recently dropped them.

                          1 of 1 people found this helpful
                            • Re: NetVanta 3430 configuration with SonicWall TZ 210
                              retech New Member

                              I have been looking at the ARP table on the sonicwall and flushing the arp cache and then pinging the adtran does result in a new mac address (different than the cisco) arp entry.  We also tried using the cisco's mac address in the adtran to fake out the sonicwall but that made no difference either.

                               

                              I would switch out the sonicwall but it is a unique situation where I was able to get some vpn voip Avaya phones to connect through the sonicwall (remote agents) and even the phone techs from the company we bought the system from have no idea how I got it to work so changing to the adtran's firewall wouldn't be ideal for us, nor for the fact that we are leasing the adtran from the ISP so I don't/wouldn't have access to make changes as needed to that firewall as I do from time to time.

                               

                              I'll see where I get with sonicwall's support (so far not so helpful but it was a quick conversation more about whether or not there are known issues between adtran's and sonicwalls but basically they suggested these: check status which I had told them says connected and full duplex, check arp which I had told them I already made sure it was a new entry, and reboot which both devices we had tried this on many times before).

                               

                              Thanks again for the help!

                                • Re: NetVanta 3430 configuration with SonicWall TZ 210
                                  Employee

                                  retech -

                                  I went ahead and flagged this post as "Assumed Answered". If any of the responses on this thread assisted you, please mark them as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you have any additional information on this that others may benefit from, please come back to this post to provide an update. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


                                  Thanks,

                                  Noor