Kent J. Chen's WebLog

...information technology, internet, and random thoughts

How come my login session keeps getting timed out?

One of my colleagues reported the other day that her login session on one of her most-used websites kept timing out.  After she had been told to try, and had tried, all the updates for IE, one of their support guys asked whether we had changed anything in our network, which reminded me that some settings in our recently installed firewall might be what was constantly causing this issue.

I recently installed a new SonicWALL TZ 170 firewall to replace our two IPCop boxes.  One of the main reasons I picked this appliance is its WAN Failover and Load Balance feature, which you do not often find in products in this range, and yes, we have two Internet access lines serving our office.  There are four modes of Failover and Load Balance in this product:

  • Basic Active/Passive Failover;
  • Per Connection Round-Robin;
  • Spill-over-Based;
  • Percentage-Based

I picked the last one as the method we use for this feature. The setting I mentioned above that might be causing this issue is an option under this method called “Use Source and Destination IP Binding”, which is turned off by default when you first set it up.

About Source and Destination IP Address Binding

When you establish a connection with a WAN, you can create multiple interfaces, dividing up the task load over these interfaces. There are both Primary and Secondary WAN interfaces. This task distribution model maintains high performance, ensuring that one interface does not become an impasse to the point where it blocks traffic from passing. This process is WAN Load Balancing.

While WAN Load Balancing addresses performance challenges, it can create other problems, including losing track of sessions. Session confusion can occur because some applications fail to adequately track multiple user sessions load-balanced on multiple interfaces. These applications treat incoming packets as originating from different users because they use IP addresses to differentiate user sessions instead of application-layer user identification tags.

To ensure that you have proper connectivity in all applications, SonicWALL provides a feature called Source and Destination IP Addresses Binding, a solution that maintains a consistent mapping of traffic flows with a single outbound WAN interface.

Here we go, that's it.  That's the main reason why the session keeps getting timed out: the access could go through different lines during the session, and in most cases you will be kicked out if the website you are trying to access is highly secured.  Once I turned it back on, the problem was gone completely.  So keep in mind to have this option ticked when you set up the Failover & Load Balance feature on your firewall.
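The failure described above, as an added simulation that is not part of the original post and not SonicWALL's code: a site that ties each session to the client IP seen at login, behind a percentage-based dual-WAN balancer with the binding option off and on. The class names, the hash-based sticky mapping, the addresses, and the simplification that every request is a new connection are all assumptions.

```python
import hashlib
import random

# Constructed addresses (documentation ranges), one public IP per WAN line.
WAN_IPS = {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"}

class Firewall:
    """Percentage-based dual-WAN balancer with an optional src/dst binding."""
    def __init__(self, wan1_percent, binding, seed=0):
        self.wan1_percent = wan1_percent
        self.binding = binding
        self.rng = random.Random(seed)

    def egress_ip(self, src_ip, dst_ip):
        if self.binding:
            # Assumed sticky mapping: hash the pair so it always picks one WAN.
            digest = hashlib.sha256(f"{src_ip}>{dst_ip}".encode()).digest()
            bucket = digest[0] * 100 // 256
        else:
            # Each new connection is placed independently by percentage.
            bucket = self.rng.randrange(100)
        return WAN_IPS["WAN1" if bucket < self.wan1_percent else "WAN2"]

class IpBoundSite:
    """Site that ties each session token to the client IP seen at login."""
    def __init__(self):
        self.sessions = {}

    def login(self, client_ip):
        token = f"sess-{len(self.sessions)}"
        self.sessions[token] = client_ip
        return token

    def request(self, token, client_ip):
        if self.sessions.get(token) != client_ip:
            self.sessions.pop(token, None)  # mismatch: session is dropped
            return False
        return True

def requests_before_logout(firewall, n_requests=20):
    """Count requests served before the site rejects the session."""
    site = IpBoundSite()
    src, dst = "192.168.1.50", "192.0.2.80"  # constructed LAN host and site
    token = site.login(firewall.egress_ip(src, dst))
    for served in range(n_requests):
        if not site.request(token, firewall.egress_ip(src, dst)):
            return served
    return n_requests
```

Calling `requests_before_logout(Firewall(50, binding=False))` and then the same with `binding=True` shows the session being dropped early in the first case and surviving all requests in the second.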

Posted on Wednesday, August 16, 2006 11:04 PM
