#552237 05/22/13 08:14 PM
Joined: Nov 2009
Posts: 237
Member
OP Offline
Have a customer with three sites, two of which have dynamic IPs (main site with server has a static). We have SonicWALLs at all three sites creating tunnels from each site to the other.

One of the dynamic sites lost their connectivity to the main site. It turns out the dynamic site had their address change from 50.x.x.x to 184.x.x.x. The SonicWALL showed the tunnel as still being up and I was able to ping devices on the remote networks on both firewalls (of course, normal network traffic wouldn't pass). I reconfigured the tunnels with the new dynamic IP and everything went back to normal.

Fast forward a week later and the telco assigned them the previous 50.x.x.x dynamic IP and sure enough the tunnel stayed up, pings worked, but nothing else really did.

Has anyone encountered this type of weirdness where a tunnel is up and basic communications work after an IP change?
I was thinking that somehow the telco may be using an older routing table or some type of redirection until I realized they were on different ISPs.


Jeff
Lead Field Engineer, MSCNS

Joined: Jan 2013
Posts: 519
Likes: 1
Member
Offline
I'm no good at explaining this type of thing.

Remember an IP address is just one layer of the complete routing information. Another layer is the equipment's MAC address.

I'm guessing the link stays up because of the MAC addresses.


Patrick T. Caezza
Santa Paula, CA 93060
C-7 - Low Voltage System Contractor - Lic# 992448
Joined: Mar 2005
Posts: 588
Moderator-Mobil Phones, Computers
Offline
Patrick, MAC addresses don't come into play at Layer 3. The only way I can think of this happening is if you're using a FQDN for the IPSEC gateway. In this case the firewall is doing exactly what it's supposed to. If you don't have it set to clean up active tunnels when the peer gateway address changes, then you would have a tunnel that is up but doesn't work, such as in your case.

Joined: Nov 2009
Posts: 237
Member
OP Offline
Everything was set up with IPs. We've since replaced the dynamic addresses with a dynamic DNS service using the dynamic service's FQDN to hopefully prevent this issue in the future.

The odd thing is that the most trivial of things, an echo request, worked over the tunnel to the inside interface of the remote firewall so communication was happening, it just never got any further.


Jeff
Lead Field Engineer, MSCNS


Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024