Equipment (Modems,Gateways)
Modems, Gateways, and Networking Devices
Male IT Specialist Holds Laptop and Discusses Work with Female Server Technician. They're Standing in Data Center, Rack Server Cabinet is Open.
Highlighted
New Member

Sonicwall Global VPN Client bug in Netgear Cable Modems

We just resolved a problem that appeared about two weeks ago by swapping out our cable modem.  We have a SonicWall firewall with a static IP behind our cable modem configured with inbound VPN access using the Sonicwall Global VPN client.  About two weeks ago, the inbound VPN access quit working and the remote clients would receive a peer did not respond error. After testing that the VPN on the Sonicwall was still working properly and monitoring inbound packets, we suspected that the cable modem was somehow intercepting or dropping the VPN negotiation requests sent by the remote clients. Trying to get a support technician to believe us was pretty difficult though.  Why would everything else still work?  We also have inbound SMTP, HTTP, HTTPS, and also Microsoft VPN traffic all forwarded from the same public static ip by the same Sonicwall and all still worked as well as all outbound traffic.  Only the Sonicwall GVC was not working.  We also have several sites all on Comcast Business Class all with Sonicwall firewalls and all the VPNs were working except this one. Then, two days later, the same thing started happening at a second site. What did the two sites have in common?  Both had Netgear Cable Modems the rest have SMC. Could it have been a recent firmware update?  Well, we just swapped the cable modem at one site for an SMC and the problem was instantly fixed.  Going to be doing the second site tomorrow.  Hope this helps someone else from beating their head against a wall. No you are not going crazy. Netgear Cable Modem + Sonicwall GVC = 😞

 

0 Kudos
1 REPLY 1
Highlighted
Trusted Forum Contributor

Re: Sonicwall Global VPN Client bug in Netgear Cable Modems

Hello Jeb and welcome,

 

Very interesting post, however, would be interested in some additional clarity on some of your your NetGear 3000 (NG3K) and SonicWall configuration parameters as follows:


NG3K Ports Open:

 

1. Did you have any of the PPTP VPN connections port open TCP port 1723 or  PPTP IP port 47 for tunneling data and designed GRE packets open? 

2. Did you have L2TP VPN connections,  UDP port 500 for IKE traffic and UDPport 1701 for L2TP traffic open?

 

SonicWall:

 

1. Do you have load balancing enabled?

 

I am asking the above questions because sometimes the Comcast gateways running in staticIP gateway mode have seldomly intermittent StaticIP firewall disablement issues. I have found that specifically insuring that only the staticIP Port in your case specific requirement, will definitely resolve the permanent opening of the ports that are required and maximizes the overall security at the same time. Yhis can be implemented on any Comcast Gateway by the following:

a.) Log into the NG3K or any Gateway

 

b.) click on firewall, then click on the disable true staticIP firewall check mark to enable the firewall.

 

c.) next click on the Port Configuration Tab, then click on true StaticIP port management link

 

d.) there will be a dropdown and I always recommend for maximum security reasons to use the <block all ports with the following exceptions>. This will ensure that ONLY the ports you want on any of your specific routable StaticIP devices are definitively open.

 

e.) click on add, then populate the public and private ports range with the (or those) port(s) you need to be open, and the specific routable staticIP device that the port(s) are required to be opened on. 

 

I have also found that on Sonicwall firewalls if the load balancing is enabled then this can cause inadvertent packet loss between the Sonicwall and the Comcast Gateway. This is typically a direct function of the Sonicwall internal load balancing trying to make sure that all devices are obtaining equitable packet transactional processing. So in doing so, if your VPN device is too heavily consuming transactional processing it could inadvertently inject packet loss for load balancing reasons.

 

Hope this helps you and others out.