
This might be for any Network engineers....Please help!


Muzzman1

Hi guys. I have a Model S & Model X in the garage since new. 2015 & 2016. I've never had any issues getting map updates to either car until recently.
Both cars are attached via WiFi through our Ruckus R610. To confirm signal is not an issue I installed a 2nd AP (Apple AirPort Extreme) in the garage; that made no difference.
Both cars are able to do App commands with no delay (honk horn, etc.). I recently upgraded the MS to MCU 2 and it gets about 180Mbps.
My network is sitting behind a SonicWall TZ600. I created a "security bypass group" on the SonicWall that includes the MAC addresses for both cars so any sort of IPS, content, spyware, etc. filtering is excluded on the cars.
I also have a Pi-hole on the network doing DNS, but in the case of the cars, I added their MACs to the SonicWall DHCP server and assigned static IPs & Google DNS to the cars.
Just to be super sure, I whitelisted tesla.*
Screen Shot 2020-12-05 at 7.11.21 PM.png

When I do a packet monitor on the sonicwall, all traffic going to/from the cars IP's is being forwarded.
Screen Shot 2020-12-05 at 7.06.27 PM.png


If I hook the cars up to my mobile hotspot, they actually download the updates, but this is not a solution.

Any advice or tips would be greatly appreciated!!
 
The best way to solve this problem would be to get a packet capture of the network generated over the mobile hotspot and compare; this way you are not just trying everything in the blind. I thought that Teslas did all their updates over a VPN connection and you wouldn't see 443 and 80 traffic, but I have not looked at the traffic, so seeing a successful update might show you what you are missing with your normal network connection.

I would do the security bypass stuff on IP address and not MAC address. You said they should have static IPs, and if you have multiple access points/routers the MAC addresses might not be visible to whatever is filtering, since MAC addresses are only visible within the broadcast domain of the switch.

If all else fails you could open everything up and get a pcap of the car's network traffic (some routers support the iptables -tee command and you could send all the traffic to a desktop running Wireshark). If you could see the traffic over port 80, it might have errors or repeated requests in there that will get you the next 'clue.'

Hope that's helpful!
 
Thanks, I've added the IPs to the "Security bypass" group I created along with the MACs. I also did capture the dropped packets. I have the files, but I have no clue how to read them in Wireshark. That's above my paygrade.
I've sent them to SonicWall to see what they say.
 
My guess is some setting in the security policy that is more global and not actually excluded by your whitelist.

Try turning off your PiHole to really make sure it's not a DNS problem, even though you said they are configured to use Google's DNS.
 
Yes, I can see the DNS requests coming from the car on the SonicWall; they are getting DNS outside of the PiHole.
Put the AirPort outside your SonicWall and let it get DHCP/DNS from your ISP router. It’s similar to your hotspot test but tests your ISP.
I thought to do that, but there's really no way (that I know of) outside of setting up a VLAN, since I only have one WAN IP. VLAN is a no go as I do not have any smart switches, plus the AirPort does not support VLANs.

At this point I think some traffic is getting to the cars for the map update, as I see some progress, albeit REALLY slow. I suspect that whitelisting the IP rather than the MAC might have made a difference, but the SonicWall is still dropping a crap ton of packets from the cars. I have yet to get a response from SonicWall as to why that is.
Thanks for your input guys!
 
Just an update here, SonicWall got back to me. They are certain that the SonicWall is allowing all traffic. They did indicate to me, though, that the only packets sent out by the car during a few packet captures are all reset packets. Nothing else.
Has anyone else done a packet capture recently? What are your results? My Model S is 192.168.0.6
Screen Shot 2020-12-07 at 2.53.00 PM.png

Here's a screenshot
 
Is your AP/SonicWall firmware/drivers relatively current? I just had a similar problem on a different platform that made bandwidth drop to very low speeds, but only when connected to a VPN. It even happened to split tunnel traffic that wasn't using the VPN in my case, but you didn't mention that.

Latest drivers fixed my issue but otherwise difficult to debug. I hate "slow" issues - so many variables.

Did you "follow conversation" in Wireshark? Chronologically something happened before the reset packets.
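
Added example, not part of any post in this thread: a stdlib-only Python reader for a classic pcap that groups the car's TCP packets by conversation and reports, for each RST, who sent it and which packet came immediately before it, which is what the "only reset packets" finding and the "follow conversation" suggestion both turn on. The car address 192.168.0.6 is the one given in the thread; the server address, ports and the packets in `SAMPLE` are constructed for illustration.

```python
import struct

FLAGS = [(0x02, "SYN"), (0x10, "ACK"), (0x08, "PSH"), (0x01, "FIN"), (0x04, "RST")]

def read_pcap(data):
    """Yield (timestamp, frame) from a classic little-endian pcap (not pcapng)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_flows(data, host):
    """Group TCP packets to or from `host` by conversation, in capture order."""
    flows, want = {}, bytes(map(int, host.split(".")))
    for ts, f in read_pcap(data):
        if (f[12:14] != b"\x08\x00" or len(f) < 34 or f[23] != 6
                or want not in (f[26:30], f[30:34])
                or len(f) < (tcp := 14 + (f[14] & 0x0F) * 4) + 14):
            continue                           # keep only Ethernet/IPv4/TCP involving host
        src, dst = (".".join(map(str, f[o:o + 4])) for o in (26, 30))
        sport, dport = struct.unpack_from("!HH", f, tcp)
        names = "+".join(n for bit, n in FLAGS if f[tcp + 13] & bit)
        flows.setdefault(tuple(sorted([(src, sport), (dst, dport)])), []).append((ts, src, names))
    return flows

def reset_report(data, host):
    """For each conversation with an RST: who sent it and which packet came just before."""
    report = []
    for flow, evs in tcp_flows(data, host).items():
        i = next((n for n, e in enumerate(evs) if "RST" in e[2]), None)
        if i is not None:
            report.append({"flow": flow, "rst_from": evs[i][1],
                           "preceded_by": evs[i - 1][1:] if i else None})
    return report

def _frame(src, dst, sport, dport, flags):
    """Minimal Ethernet/IPv4/TCP frame, checksums zero, for the constructed sample only."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     *(bytes(map(int, a.split("."))) for a in (src, dst)))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return b"\0" * 12 + b"\x08\x00" + ip + tcp

CAR, SRV = "192.168.0.6", "203.0.113.10"       # car IP from the thread; server is constructed
PKTS = [(CAR, SRV, 50001, 443, 0x02), (SRV, CAR, 443, 50001, 0x12), (CAR, SRV, 50001, 443, 0x10),
        (SRV, CAR, 443, 50001, 0x18), (CAR, SRV, 50001, 443, 0x04), (CAR, SRV, 50002, 443, 0x04)]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", n, 0, 54, 54) + _frame(*p) for n, p in enumerate(PKTS))
```

A `preceded_by` of `None` means the RST is the first packet of that conversation in the capture, so the capture point or filter missed whatever triggered it. Wireshark saves pcapng by default, so a capture has to be saved in the classic pcap format before this reader accepts it.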
 
It's likely you haven't bypassed the UTM properly. While you might have created an allow all rule, it could still be getting squashed by zone based UTM features, filtering, IDS/IPS, AV, GeoIP (which often get miscategorized) etc.

I really dislike the SonicWalls I have to support due to their disorganized implementation of UTM features.

Basic stuff.
Does your car have a DHCP reservation?
Is that reserved IP in an ACL (in LAN to WAN) that is allow all to any out, and is above all other rules that could match? Remember ACLs are applied in first match process. No further rule evaluation happens after a match.
Are you seeing traffic counters increment on the ACL entry you think is handling the traffic?
Set your ENTIRE network to allow all out to any, disable the PiHole and just use regular DNS direct. Does it work?
 
Thanks @rdrcrmatt. I reserved the cars' IPs and added the IPs to the security bypass group rather than the MACs, and since then both cars took an update without issue.
I guess I will have to wait and see next time a map update comes in, 'cause it seems the map update is the one that would not come down to my wife's MX.
 
Sorry to bump a necro post, but do you still have those pcaps? I'm trying to collect a few Tesla PCAP files, other than the one off my own MYP. Not using this for anything weird or nefarious or even for really analyzing it... just thought it'd be neat to have to show in a dashboard I use for demos at work. I'll bet anything there's nothing that makes it look like anything more than a Linux client, but still, if you have them, I'd appreciate them!
 
Sorry, long gone.