unhandled internal packet - but should be using the BOVPN

Hi All,
We have 2 sites connected using one tunnel, 10.4.0.0/16 to 10.0.0.0/16, bi-directional. All servers are at the 10.0.0.0 site, and users at the 10.4.0.0 site use RDS to access servers across the BOVPN with no problem.
However, we have spreadsheets that have a direct link to a SQL server, which works from other sites (not listed) but not from the 10.4.0.0 site. We get the message on the firewall: unhandled internal packet-00 for ms-sql-m/udp to the server 10.0.x.x.
I would assume that any traffic from 10.4.x.x should use the BOVPN to contact anything with a 10.0.x.x address. I have no other routes set up for internal traffic, and the policies on other sites look identical to the one that is failing, so I am not sure why this is not using the BOVPN. Any clues much appreciated.
Stuart

Comments

  • unhandled internal packet means that the firewall is not expecting the source IP addr to be on the firewall interface from which it came.

    Care to post a sample full log message?

  • Hi Bruce
    Please see attached screenshot of the system logs
    Stuart

  • Sorry - my explanation was for spoofed source, not unhandled...

    unhandled indicates that there is not a policy allowing the packet.
    Do you have a policy allowing UDP port 1434?

  • Hi Bruce, no we don't have a policy for that as I would expect the traffic would use the BOVPN any<>any policy? This works from our other offices without a policy specific to this port.

  • edited January 31

    Note that the dest interface is Firebox.
    Is 10.0.5.1 assigned to a firewall interface as a primary or secondary IP addr?

    Your ARP table should show if that is the case.
    - Web UI -> System Status -> ARP
    - FSM -> Status Report -> ARP section
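
    The triage in this reply (is the destination interface "Firebox"? is the address owned by the Firebox? does a policy cover the port?) as an added Python helper over constructed log lines; this is example code, not from the thread or from WatchGuard, and the log field layout, the tunnel subnet, and the Firebox address list are all assumptions.

```python
import ipaddress
import re

# Constructed log lines approximating the traffic-log fields discussed in the thread
# (action, src, dst, service, sport, dport, in-interface, out-interface, reason).
# The layout is an assumption, not a verified Firebox log format.
SAMPLE_LOGS = [
    "Deny 10.4.1.20 10.0.5.1 ms-sql-m/udp 51234 1434 1-Trusted Firebox Unhandled Internal Packet-00",
    "Allow 10.4.1.20 10.0.2.10 rdp/tcp 51235 3389 1-Trusted BOVPN-HQ Allowed",
    "Deny 10.4.1.21 10.0.5.1 ms-sql-m/udp 51236 1434 1-Trusted Firebox Unhandled Internal Packet-00",
]

# Tunnel route from the thread: local 10.4.0.0/16 <-> remote 10.0.0.0/16 (assumed).
BOVPN_REMOTE = ipaddress.ip_network("10.0.0.0/16")
# Hypothetical set of addresses the Firebox at the 10.4 site owns (primary/secondary IPs).
FIREBOX_IPS = {ipaddress.ip_address("10.4.0.1")}

LOG_RE = re.compile(
    r"^(?P<action>\w+) (?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<in_if>\S+) (?P<out_if>\S+) (?P<reason>.+)$"
)


def triage(line):
    """Return a short diagnosis for an unhandled deny, or None for any other line."""
    m = LOG_RE.match(line)
    if not m or not m["reason"].startswith("Unhandled"):
        return None
    dst = ipaddress.ip_address(m["dst"])
    port = f"{m['svc']} port {m['dport']}"
    if m["out_if"] == "Firebox":
        # The device treated itself as the destination: either it owns the address,
        # or no route/tunnel claimed the packet and it fell back to the Firebox.
        if dst in FIREBOX_IPS:
            return f"{dst}: owned by the Firebox; check primary/secondary interface IPs"
        if dst in BOVPN_REMOTE:
            return (f"{dst}: inside BOVPN remote subnet but dst interface is Firebox; "
                    f"check ARP/route for {dst} and that a policy allows {port}")
        return f"{dst}: not in any tunnel route; add a route or policy for {port}"
    return f"{dst}: unhandled on {m['out_if']}; no policy allows {port}"


def triage_all(lines):
    """Diagnoses for every unhandled deny in the given log lines, in order."""
    return [d for d in (triage(l) for l in lines) if d]
```

Run `triage_all(SAMPLE_LOGS)` to see the two ms-sql-m/udp denies flagged as "inside BOVPN remote subnet but dst interface is Firebox" while the RDP line, which did use the tunnel interface, is skipped.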

  • james.carson Moderator, WatchGuard Representative

    10.0.5.1 is the Firebox's address, not the BOVPN. You can see the firebox denoting that in the logs when it notes
    "Trusted Firebox."

    The firebox won't know what to do with SQL traffic -- try sending it to a different host on that network.

    -James Carson
    WatchGuard Customer Support

  • 10.0.5.1 is a server on the 10.0.0.0 network; it isn't the firewall/firebox.
    I don't see any entry for 10.0.5.1 in the ARP table at the 10.4.0.0 site.
    I can access Remote Desktop Servers on the 10.0 network from the 10.4 network via the BOVPN.
    Thanks for your help so far.

  • Time for a support case to get help from a WG rep in understanding and resolving this.
    You can do this via the Support Center link above.
