Sonicwall GVC VPN: Unable to connect to VPN. Error: “Packet length mismatch with interface MTU”

I had a client who was unable to connect to the Sonicwall VPN via GVC (Global VPN Client).

A packet capture showed that the initial inbound traffic from the client to the Sonicwall was being dropped.

Logs as below:

50 03/30/2016 14:16:06.912 X4*(i) — VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP UDP 500,500 DROPPED 60[60]

51 03/30/2016 14:16:06.912 X4*(i) — VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP UDP — CONSUMED 60[60]

52 03/30/2016 14:16:06.912 X4*(i) — VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP UDP — CONSUMED 1490[1490]

53 03/30/2016 14:16:06.912 X4*(i) — VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP UDP — CONSUMED 1490[1490]

54 03/30/2016 14:16:06.912 X4*(i) — VPN.CLIENT.IP.HERE SONICWALL.WAN.IP.HERE IP UDP — CONSUMED 186[186]

55 03/30/2016 14:16:07.176 X0*(i) —

Drilling down further, on the dropped packet:

Ethernet Header

Ether Type: IP(0x800), Src=[xxx], Dst=[yyy]

IP Packet Header

IP Type: UDP(0x11), Src=[clientIP], Dst=[sonicwallIP]

UDP Packet Header

Src=[500], Dst=[500], Checksum=0x2cc3, Message Length=3112 bytes

Application Header

IKE:

Value:[0]

DROPPED, Drop Code: 60, Module Id: 26, (Ref.Id: _836_uyHtRcemgvKpkv) 1:1)

==

Drop Code 60 on my current firmware corresponds to “Packet length mismatch with interface MTU”. Drop code numbers differ between firmware versions, so look the number up in the drop code table for the version you are actually running rather than assuming it means the same thing.

On my Sonicwall, “Enable Fragmented Packet Handling” was already ticked, so fragment handling itself was not the problem.
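To pick this pattern out of a longer packet-monitor export, here is an added Python parser (mine, not the post's and not SonicWall's). It assumes the column layout of the lines shown above, skips the column after the interface name, uses the one drop-code meaning this page gives (code 60) as its lookup table, and runs over constructed sample lines in which the placeholder addresses are replaced by RFC 5737 documentation addresses. The "suspected tiny fragment" heuristic is mine: a dropped frame under 68 bytes from a source that is also seen delivering larger frames to the same destination in the same capture.

```python
"""Parse SonicWall packet-monitor lines and flag dropped tiny frames."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the packet-monitor lines from this page, with the
# placeholder addresses replaced by RFC 5737 documentation addresses.
SAMPLE_MONITOR = """\
50 03/30/2016 14:16:06.912 X4*(i) - 198.51.100.10 203.0.113.5 IP UDP 500,500 DROPPED 60[60]
51 03/30/2016 14:16:06.912 X4*(i) - 198.51.100.10 203.0.113.5 IP UDP - CONSUMED 60[60]
52 03/30/2016 14:16:06.912 X4*(i) - 198.51.100.10 203.0.113.5 IP UDP - CONSUMED 1490[1490]
53 03/30/2016 14:16:06.912 X4*(i) - 198.51.100.10 203.0.113.5 IP UDP - CONSUMED 1490[1490]
54 03/30/2016 14:16:06.912 X4*(i) - 198.51.100.10 203.0.113.5 IP UDP - CONSUMED 186[186]
"""

# Constructed copy of the page's per-packet detail line (reference id replaced).
SAMPLE_DETAIL = "DROPPED, Drop Code: 60, Module Id: 26, (Ref.Id: _REDACTED_) 1:1)"

# Drop-code meanings vary by firmware; this table holds only the code the page documents.
DROP_CODES = {60: "Packet length mismatch with interface MTU"}

# Threshold named in the diag setting discussed on this page.
MIN_FIRST_FRAGMENT_LEN = 68

# idx date time iface <skipped column> src dst ethertype proto ports verdict len[captured]
MONITOR_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ether>\S+)\s+(?P<proto>\S+)\s+(?P<ports>\S+)\s+"
    r"(?P<verdict>[A-Z]+)\s+(?P<length>\d+)\[(?P<captured>\d+)\]\s*$"
)
DETAIL_RE = re.compile(r"DROPPED, Drop Code: (?P<code>\d+), Module Id: (?P<module>\d+)")


@dataclass
class Frame:
    idx: int
    iface: str
    src: str
    dst: str
    proto: str
    ports: Optional[Tuple[int, int]]  # None when the frame shows no transport ports
    verdict: str
    length: int


def parse_monitor(text: str) -> List[Frame]:
    """Parse monitor lines; anything that does not match (headers, detail blocks) is skipped."""
    frames = []
    for line in text.splitlines():
        m = MONITOR_RE.match(line.strip())
        if not m:
            continue
        ports = None
        if "," in m["ports"]:
            sport, dport = m["ports"].split(",", 1)
            ports = (int(sport), int(dport))
        frames.append(Frame(int(m["idx"]), m["iface"], m["src"], m["dst"], m["proto"],
                            ports, m["verdict"], int(m["length"])))
    return frames


def explain_drop(detail: str) -> Optional[Tuple[int, int, str]]:
    """Return (drop code, module id, meaning) from a per-packet detail line, or None."""
    m = DETAIL_RE.search(detail)
    if not m:
        return None
    code = int(m["code"])
    return code, int(m["module"]), DROP_CODES.get(code, "unknown on this firmware")


def suspected_tiny_fragments(frames: List[Frame]) -> List[Frame]:
    """Dropped frames under the threshold whose source also delivers larger frames
    to the same destination in this capture, the pattern seen on this page."""
    bulk = {(f.src, f.dst) for f in frames
            if f.verdict == "CONSUMED" and f.length > MIN_FIRST_FRAGMENT_LEN}
    return [f for f in frames
            if f.verdict == "DROPPED" and f.length < MIN_FIRST_FRAGMENT_LEN
            and (f.src, f.dst) in bulk]


if __name__ == "__main__":
    frames = parse_monitor(SAMPLE_MONITOR)
    for f in suspected_tiny_fragments(frames):
        ports = f"{f.ports[0]}->{f.ports[1]}" if f.ports else "-"
        print(f"#{f.idx} {f.src} -> {f.dst} {f.proto} {ports} dropped, {f.length} bytes on {f.iface}")
    print(explain_drop(SAMPLE_DETAIL))
```

Run it against a saved packet-monitor export instead of SAMPLE_MONITOR to list every dropped sub-68-byte frame together with the drop code from its detail block.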

To fix the issue, I had to enable a setting on the firewall that allows first fragments smaller than 68 bytes; it lives in the System Diag settings. The capture shows why that setting is the relevant one: the IKE datagram is 3112 bytes of UDP, so it arrives as several IP fragments, and the dropped 60-byte frame is the only one that shows ports 500,500, which marks it as the first fragment carrying the UDP header, with the port-less frames after it being the rest of the datagram. Firewalls drop tiny first fragments on purpose: a first fragment too small to hold the transport header can push header fields into a later fragment and past a filter that inspects only the first one (the tiny fragment attack described in RFC 1858), so enabling this setting relaxes that defence and should be a deliberate decision rather than a reflex.

Go to the diag settings page by appending diag.html to whatever management address you use for the firewall, for example https://192.168.60.78/diag.html


Under Internal Settings, in the Routing and Network Settings section, tick “Allow first fragment of size lesser than 68 bytes”.

Close and exit.
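To show what the setting actually changes, here is an added pure-Python model of the check (my code, not SonicWall's, and no raw sockets are needed). It builds a constructed 3112-byte UDP/500 datagram, the UDP length decoded on this page, fragments it two ways, and runs the fragments through a filter modelled on the setting's wording: a first fragment (offset 0, MF set) whose IP total length is under 68 bytes is dropped unless the allow flag is on. That exact rule is my assumption about the firewall's behaviour; the addresses are RFC 5737 documentation addresses. The reassembly helper is there to prove the fragmenter produces a valid fragment train.

```python
"""Model of the tiny-first-fragment check on IPv4, in pure Python (no raw sockets)."""
import socket
import struct
from typing import List, Tuple

MIN_FIRST_FRAGMENT_LEN = 68  # threshold taken from the wording of the diag setting on this page
IP_HDR_LEN, UDP_HDR_LEN, PROTO_UDP = 20, 8, 17


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ident: int,
               offset: int, more: bool, payload: bytes) -> bytes:
    """Build one IPv4 fragment; `offset` is in bytes and must be a multiple of 8."""
    assert offset % 8 == 0
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)  # MF flag is bit 13
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), ident,
                         flags_frag, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header and verify its checksum."""
    header = packet[:IP_HDR_LEN]
    assert ip_checksum(header) == 0, "bad IPv4 header checksum"
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", header)
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len, "ident": ident,
            "more": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8,
            "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def fragment(src: str, dst: str, proto: int, ident: int, payload: bytes,
             first_chunk: int, mtu: int = 1500) -> List[bytes]:
    """Split `payload` into fragments: the first carries `first_chunk` bytes, the rest are
    filled to the MTU. Every fragment followed by another must carry a multiple of 8 bytes
    (RFC 791); the assertion enforces that."""
    max_chunk = (mtu - IP_HDR_LEN) // 8 * 8
    frags, pos, chunk = [], 0, min(first_chunk, max_chunk)
    while pos < len(payload):
        piece = payload[pos:pos + chunk]
        more = pos + len(piece) < len(payload)
        assert not more or len(piece) % 8 == 0
        frags.append(build_ipv4(src, dst, proto, ident, pos, more, piece))
        pos, chunk = pos + len(piece), max_chunk
    return frags


def reassemble(frags: List[bytes]) -> bytes:
    """Reassemble one datagram's fragments, refusing gaps or overlaps."""
    pieces = sorted((parse_ipv4(f)["offset"], f[parse_ipv4(f)["ihl"]:]) for f in frags)
    out = b""
    for offset, data in pieces:
        assert offset == len(out), "gap or overlap in fragment sequence"
        out += data
    return out


def tiny_first_fragment_filter(packet: bytes, allow_small_first: bool = False) -> Tuple[str, str]:
    """Assumed model of the check (not SonicWall's code): a first fragment, i.e. offset 0
    with MF set, whose IP total length is under 68 bytes is dropped unless allowed."""
    hdr = parse_ipv4(packet)
    if hdr["offset"] == 0 and hdr["more"] and hdr["total_len"] < MIN_FIRST_FRAGMENT_LEN:
        if allow_small_first:
            return "ACCEPT", f"{hdr['total_len']}-byte first fragment allowed by diag setting"
        return "DROP", f"{hdr['total_len']}-byte first fragment is below {MIN_FIRST_FRAGMENT_LEN}"
    return "ACCEPT", "not a tiny first fragment"


def run_through_firewall(frags: List[bytes], allow_small_first: bool = False) -> List[str]:
    """Verdict per fragment, in wire order."""
    return [tiny_first_fragment_filter(f, allow_small_first)[0] for f in frags]


def ike_datagram(udp_payload_len: int = 3104) -> bytes:
    """Constructed UDP/500 datagram of 3112 bytes, the UDP length decoded on this page."""
    udp_header = struct.pack("!HHHH", 500, 500, UDP_HDR_LEN + udp_payload_len, 0)
    return udp_header + (bytes(range(256)) * (udp_payload_len // 256 + 1))[:udp_payload_len]


if __name__ == "__main__":
    src, dst, data = "198.51.100.10", "203.0.113.5", ike_datagram()  # RFC 5737 addresses
    normal = fragment(src, dst, PROTO_UDP, 0x1234, data, first_chunk=1480)
    tiny = fragment(src, dst, PROTO_UDP, 0x1234, data, first_chunk=8)
    print("MTU-sized first fragment      :", run_through_firewall(normal))
    print("8-byte first fragment         :", run_through_firewall(tiny))
    print("8-byte first, setting enabled :", run_through_firewall(tiny, allow_small_first=True))
    assert reassemble(normal) == reassemble(tiny) == data
```

With a normal fragment train the first fragment is MTU-sized and passes; with an 8-byte first fragment the same datagram loses its first piece unless the allow flag is set, which is exactly the difference the diag setting makes. Note that the 8-byte first fragment still carries a complete UDP header, so the check is not about whether the ports are visible but about the size threshold itself.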
