Sonicwall Issues

Question

+fusi0n    2,137

I am having issues with a Sonicwall kicking out some SSL connections. Connections to sites like Facebook and Twitter work fine. However, some banks and another site will log in, then say "session timed out". I am not filtering any HTTPS traffic. Any help or direction would be amazing.

Thanks!


11 answers to this question


  • 0
sc302    1,792

I have an account :p

 

 

 

The best way I know how is to force HTTPS traffic through one connection. The regular traffic gets balanced nicely.

According to this:
http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/WAN_Failover_Load_Balancing.htm

Percentage-based load balancing is the one that has "Source and Destination IP Addresses Binding".

The link above shares the available options...

But I thought I'd just like to reiterate: under the default probe monitor, Sonicwall performs an ICMP probe of both WAN ports' default gateways. This is not an assured means of link monitoring, as a service interruption may be occurring upstream. E.g. if the ISP is experiencing a problem in its routing infra, a successful ping can give the false impression that the line is usable. So for reliable link monitoring (as suggested in the link), choose two targets for each WAN port; TCP is preferred since ICMP may be dropped or blocked. E.g.
> set first probe target of ISP router using ICMP (assume they allow)
> set secondary probe target DNS server on public internet using TCP Port 53

As for session persistency, I couldn't see any real persistency as it is still based on which is the most available and rate limited the path according using the percentage based link assignment. There is also more on bandwidth mgmt, which is another big topic, using GWM with its link credit token to prioritise the usage of over bandwidth for certain services like FTP, H323, VNC etc. If you need to go further than this into considering cost link factor, you would want to explore a real link load balancer such as Radware LinkProof or F5 link load balancer.

Another which you stated on metric, I see it as exploring into dynamic route recalculation based on interface availability. This is to better support redundant or multiple path adv routing configuration. That is another big topic to be familiar with OSPF, RIP etc.

Actually Sonicwall also supports Policy Based Routing (PBR), which can have two policy-based routes that force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and force all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.

http://help.mysonicwall.com/sw/eng/305/ui2/23100/Network/Routing.htm

Not really an expert in this area, but I will say the guide does help to kickstart...

 

 

 I've set up the Sonicwall with Ratio based Load balance algo as per the above's solution and could remove all static routes while still being able to connect to https sites on all uplinks. I did check the "Source and Destination IP Addresses Binding" that becomes available when choosing Ratio based load balance. Thanks again for your time and expertise.

  • Like 1
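Why the "Source and Destination IP Addresses Binding" option matters, as an added sketch (not from the thread and not SonicWall's implementation): it compares per-connection round robin with a binding keyed on the source/destination pair. The WAN addresses, the hash-based binding and the site that ties a session to the client IP seen at login are all assumptions made for the illustration.

```python
import hashlib
from itertools import cycle

# Constructed values: public IPs of the two WAN links (documentation ranges).
WANS = ["198.51.100.10", "203.0.113.20"]
RATIO = [50, 50]  # percentage of flows per WAN link

def round_robin():
    """Per-connection round robin: every new connection takes the next WAN."""
    nxt = cycle(WANS)
    return lambda src, dst: next(nxt)

def ratio_with_binding():
    """Ratio-based choice keyed on (src, dst): a pair always maps to one WAN.
    A hash stands in for the firewall's binding table (assumption)."""
    def pick(src, dst):
        digest = hashlib.sha256(f"{src}|{dst}".encode()).hexdigest()
        bucket = int(digest, 16) % 100
        upto = 0
        for wan, pct in zip(WANS, RATIO):
            upto += pct
            if bucket < upto:
                return wan
        return WANS[-1]
    return pick

class IpBoundSite:
    """Assumed server behaviour: the session is tied to the login client IP."""
    def __init__(self):
        self.bound_ip = None

    def request(self, client_ip):
        if self.bound_ip is None:
            self.bound_ip = client_ip
            return "login ok"
        return "ok" if client_ip == self.bound_ip else "session timed out"

def browse(picker, src="192.168.1.50", dst="192.0.2.80", connections=6):
    """Open several HTTPS connections to one site through the load balancer."""
    site = IpBoundSite()
    return [site.request(picker(src, dst)) for _ in range(connections)]

if __name__ == "__main__":
    print("round robin     :", browse(round_robin()))
    print("src/dst binding :", browse(ratio_with_binding()))
```

Under round robin the second connection already leaves through the other WAN address, which matches the "log in, then instantly kicked out" symptom; with binding, the pair stays on one link while other destinations still spread across both.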

  • 0
+BudMan    3,737

And you sure it's just not a session time out? Banks normally have very low session times, have seen as low as a minute.

  • 0
Zinomian    173

Are you doing load balancing?

  • 0
+fusi0n    2,137

> And you sure it's just not a session time out? Banks normally have very low session times, have seen as low as a minute.

This is happening on multiple computers, including mine. I've seen many different places in the Sonicwall for the HTTPS session limit and it is set to 15 minutes, the UDP is set to 30 seconds, but it doesn't like it when you change it. I can try to manually add these rules.

> Are you doing load balancing?

I am doing load balancing.. I have tried turning off one circuit, but the same problem is still there..

  • 0
remixedcat    2,778

Does your firewall also have a WAN acceleration cache?

  • 0
+fusi0n    2,137

> Are you doing load balancing?

I have the Sonicwall in a Round Robin with the two DSL circuits. I took out one of the circuits, and it works fine. Now I need to figure out how to do LB without breaking SSL. Also, thanks.

  • 0
+BudMan    3,737

Who said it was your timeout? We have logins to firewalls that time out in 60 seconds if you don't do anything, for example. Banks are not going to be one to leave your session open for 30 minutes if you don't do anything etc. That is a huge security issue.

Yes, have seen where users complain, complain to the bank, etc., not the firewall settings.

  • 0
+fusi0n    2,137

> Who said it was your timeout? We have logins to firewalls that time out in 60 seconds if you don't do anything, for example. Banks are not going to be one to leave your session open for 30 minutes if you don't do anything etc. That is a huge security issue.
>
> Yes, have seen where users complain, complain to the bank, etc., not the firewall settings.

No one said it was for sure a timeout issue. The users would just log in and be instantly kicked out saying "session timed out". Taking that circuit out of the LB seems to fix the issue, but now half my bandwidth is gone. :/

  • 0
Zinomian    173

You can't use Experts-exchange.com for answers, since that is a paid website and you can't see the answer or entire thread with info.

Round robin shouldn't break website time-outs, only the ratio-based LB would. Any security services enabled? If so, disable them for a short while and test. Any other odd changes you may have made lately? Firmware update?
