Firewall management not working over VPN, packet capture shows a Packet Dropped - Policy Drop

Description

In deployments spread across multiple sites, VPNs are created to carry traffic securely from one site to another. In some cases, firewall admins need to log in to the firewall at the remote site; SonicWall supports this as long as the remote-side firewall has HTTPS management enabled on the VPN.

For detailed instructions on firewall management over VPN, refer to the following KB: Remotely manage the SonicWall through a VPN tunnel

When the HTTPS option is enabled on a VPN, the firewall creates an Access Rule from VPN to LAN with the service HTTPS Management and the action set to Allow.

Example: [screenshot of the VPN-to-LAN HTTPS Management Access Rule]


In some cases, the firewall drops this management traffic with the reason Packet Dropped - Policy Drop. Firewall admins can verify this by capturing the traffic flow with the firewall's Packet Monitor feature.

Example: In the screenshot below, traffic arriving from the VPN for TCP port 443 is being dropped as Packet Dropped - Policy Drop.

[screenshot of the Packet Monitor capture]

Cause

The cause of this issue is that the Access Rule created for management is not being matched. This can be verified from the statistics on the Access Rule, which show "0" under all sections.

[screenshot of the Access Rule statistics]

Resolution

  • On the Access Rule, click Configure.
  • A checkbox labeled Enable Management is shown at the bottom of the pop-up window.
  • This option will be in either a checked/enabled or an unchecked/disabled state; the default is firmware-specific. Toggle the state of this checkbox (if it is checked/enabled, uncheck/disable it, and vice versa) and check whether the management traffic is now allowed.
    [screenshot of the Enable Management checkbox]

  • If the issue is still not fixed, please reach out to Technical Support for further troubleshooting.
    There are two ways to contact technical support:

    1. Online: Visit mysonicwall.com. Once logged in, select Resources & Support | Support | Create Case

    2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.

    If you do not have a mysonicwall.com account, create one for free!
