Thursday, January 13, 2011

SonicWall Firmware Alert!

We use a SonicWall NSA E-Series appliance as our primary firewall. Due to some issues with the E-Series and our SonicPoint N radios we had to upgrade to an out-of-band firmware in order to resolve some problems with our radios dropping their connections to the clients. The firmware we were running was 5.6.1.1-11o.

We didn’t have any problems with this firmware until this past Sunday when we attempted to upgrade our DNS servers to Windows Server 2008 R2. After 5 days of working on this we narrowed our problem down to our SonicWall. It took this long because the bug in the firmware was not only causing the firewall to drop the larger DNS packets of Server 2008 R2 (EDNS and non EDNS) but also causing the appliance to fail to log that it was dropping said packets. Many articles we found online said the problem could be with the firewall and the larger UDP packets but the logging issues made confirming this with our firewall difficult. In addition our dig tests showed we were EDNS compatible as the tests were passing but not the actual DNS lookups.

SonicWall admitted it was there problem but was unable to provide a reason or answer as to why the firmware or what in the firmware was creating this problem. As such, if you are running 5.6.1.1-11o contact support to upgrade to 5.6.1.8-20o. Once we upgraded our problem instantly went away.

If you are in this predicament I hope this post and the other ones about this issue can save you at least 5 days of effort.  The other info is here.