Tuesday, July 10, 2018

Issues with Sonicwall flood protection

We have a pair of NSA5600s in a HA setup. We've been having a recurring issue where every once in a while we lose complete WAN connectivity - 100% of WAN traffic stops flowing. During these periods I've noticed various flood protection items start showing up in the logs. It seems most of it is legit traffic that the Sonicwall is just picking up as a flood all of a sudden.

That's fine... but my issue is: why is this causing a complete shutdown of WAN traffic? We have WAN management set up on the Sonicwall and I can't even access the web management UI from outside. I have to go in a backdoor and access it from the LAN interface, which works fine. My understanding of the TCP and ICMP flood protections on the Sonicwall is that they should only be blocking traffic from specific devices it detects a flood from. Yet that's not the case - ALL WAN traffic ceases from ANY outside device. The second I deactivate flood protection, WAN traffic resumes.

Now, I called Sonicwall support on this, and I was told that what's happening is the flood is causing the CPU to spike so much that the Sonicwall can't pass traffic, and this is why all WAN traffic is stopping. I told them I've checked the CPU during these times and it's not high at all. He then changed his response to, "well, it's the number of packets per second is too high". None of these responses satisfy me. Regardless of whether that were actually a problem (and I don't think it is; these are higher-end units capable of passing MUCH more traffic through them than we're doing), to me traffic would at least be intermittent during these times. It wouldn't be completely shut down.

So for the time being I have flood protections completely shut down, and we're not having any issues. But I'm not satisfied with Sonicwall's explanation for the issue whatsoever. Has anyone else ever had any experience with this?
