Sonicwall Issues

By fusi0n
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

fusi0n

Posted
Posted

I am having issues with a Sonicwall kicking out some SSL connections. Connects like to facebook and twitter, work fine.. However, some banks and another site, will login, then say "session timed out". I am not filtering any HTTPS traffic. Any help or direction would be amazing.. 

Thanks!

Link to comment
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

And you sure its just not a session time out, banks normally have very low session times, have seen as low as minute.

Link to comment
Share on other sites
Grand Master

fusi0n

Posted
  • Author
Posted

And you sure its just not a session time out, banks normally have very low session times, have seen as low as minute.

This is happening on multiple computers, including mine. I've seen many different places in the sonicwall for HTTPS session limit and it is set to 15 minutes, the UDP is set to 30 seconds, but it doesn't like when you change it.. I can try to manually add these rules..

 

Are you doing load balancing?

I am doing load balancing.. I have tried turning off one circuit, but the same problem is still there..

Link to comment
Share on other sites
Grand Master

fusi0n

Posted
  • Author
Posted

Are you doing load balancing?

I have the Sonicwall in a Round Robin with the two DSL Circuits.. I took out one of the circuits, and it works find.. Now I need to figure out how to do LB without breaking SSL.. Also, thanks.

Link to comment
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Who said it was your timeout?  We have login's to firewalls that timeout in 60 seconds if you don't do anything for example. Banks are not going to be one to leave your session open for 30 minutes if don't do anything etc.. That is a huge security issue.

 

Yes have seen were users complain, complain to the bank, etc.  not the firewall settings.

Link to comment
Share on other sites
Grand Master

fusi0n

Posted
  • Author
Posted

Who said it was your timeout?  We have login's to firewalls that timeout in 60 seconds if you don't do anything for example. Banks are not going to be one to leave your session open for 30 minutes if don't do anything etc.. That is a huge security issue.

 

Yes have seen were users complain, complain to the bank, etc.  not the firewall settings.

No one said it was for sure a timeout issue.. The users would just login and be instantly kicked out saying "session timed out".. Taking that circuit out of the LB, seems to fix the issue, but now half my bandwith is gone.. :/

Link to comment
Share on other sites
Community Regular

Zinomian

Posted
Posted

 You cant use Experts-exchange.com for answers, since that is a paid website and you cant see the answer or entire thread with info.

 

Round robin shouldnt break website time-outs, only the ratio base LB would.  Any security services enabled? if so, disabled them for a short while and test.  Any other odd changes you may have made lately? firmware update?

Link to comment
Share on other sites
Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

I have an account :p

 

 

 

the best way I know how is to force https traffic through one connection. The regular traffic gets balanced nicely.

According to this:
http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/WAN_Failover_Load_Balancing.htm

percentage based load balancing is the one that has "Source and Destination IP Addresses Binding"

 

 

the link above shares the available options...

But thought just like to reiterate under default probe monitor, Sonicwall performs an ICMP probe of both WAN ports' default gateways. this is not an assured means of link monitor as service interruption may be occuring upstream. E.g. If ISP is experiencing problem in its routing infra, a successful ping can cause false impression that the line is usable. So for reliable link monitor (as suggested in the link) for each WAN port choose two targets, TCP is preferred since ICMP may drop or block it. E.g.
> set first probe target of ISP routerusing ICMP (assume they allow)
> set secondary probe target DNS server on public internet using TCP Port 53

As for session persistency, I couldnt see any real persistency as it is still based on which is the most available and rate limited the path according using the percentage based link assignment. There is also more on Bandwidth mgmt which is another big topic using GWM with its link credit token to prioritise the usage of over bandwidth for certain services like FTP, H323, VNC etc. If you need to go further than this into considering cost link factor, you would want to explore real link load balancer such as radware linkproof or F5 link loadbalancer.

Another which you stated on metric, I see it as exploring into dynamic route recalculation based on interface availability. This is to better support redundant or multiple path adv routing configuration. That is another big topic to be familiar with OSPF, RIP etc.

Actually Sonicwall also support Policy Based Routing (PBR) which can have two policy-based routes that force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and forces all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.

http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/Routing.htm

Not really an expert in these area but I will say the guide does help to kickstart ...

 

 

 I've set up the Sonicwall with Ratio based Load balance algo as per the above's solution and could remove all static routes while still being able to connect to https sites on all uplinks. I did check the "Source and Destination IP Addresses Binding" that becomes available when choosing Ratio based load balance. Thanks again for your time and expertise.

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.