Remote users can connect to the sonicwall via the GVPNC 4.086, but when they go to login to remote desktop on their machines at work, it times out. When they try and PING an internal address, it also times out.
This just started happening to everyone about 2 weeks ago. Nothing has changed on the sonicwall. Our support contract was up in February, but i can't imagine that would affect connectivity.
On the sonicwall we are using the default group vpn configuration
GroupVPN ESP 3DES HMAC SHA1 (IKE)
using preshared secret
propsals IKE
dh - group 1
encryption 3des
auth sha1
lifetime 28800
ipsec
protocol ESP
encyption 3DES
Auth sha1
advanced
vpn termination LAN/DMZ
client auth (yes)
client
cache auth (never)
virtual adpater (none)
second gateways (allow connections)
the odd thing is that if a user tries 8 times to connect to the vpn it will finally work (they will be able to login to their machine via remote desktop)
It is really quite frustrating
Can anyone assist?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
When the users log on, you can see their connections on the sonicWall active VPN users section? Using an AD server, or is the SonicWALL the one handing out the VPN IPs?
If they are connecting, and staying connected, but unable to connect to anything in network, and they show on the sonicWALL, it seems like they are getting an odd IP/subnet/dns/etc. Have the users do an ipconfig /all and send to you, and compare the tunneling IPs to what your network looks like.
From there, you can check what your AD servers are leasing out / SonicWALL attempts to lease out, etc.
That means the underlying problem is whatever is handing out IPs to the VPN clients. That's not handing it out correctly.
Is the SonicWALL or something else handing out the (i'm guessing) DCHP IPs?
and yes, ccpjc's answer will fix the problem for only that one instance. But I'm pretty sure you don't want to sit there and reset people's IPs all day/night.
Justicator:
That means the underlying problem is whatever is handing out IPs to the VPN clients. That's not handing it out correctly.
Is the SonicWALL or something else handing out the (i'm guessing) DCHP IPs?
and yes, ccpjc's answer will fix the problem for only that one instance. But I'm pretty sure you don't want to sit there and reset people's IPs all day/night.
-- I already posted my experience with it, about the VPN client assigning IP's to computers with them already on the network, haven't heard anything back yet
another thing is to exclude those that are static assigned on the network from the SonicWall DHCP Server
Make sure that the SBS server isn't fighting the SonicWall for IP handing out rights.
I'm willing to bet that the clients that are logging in through VPN are asking the SBS server for an IP. Then the SBS server goes "I dunno, don't ask me" so the clients are stuck with a 0.0.0.0. Way to do it is have the SonicWall take all requests first. Then in the sonicWALL, there is an option to specific DNS servers -- which you point at your AD server. personally, I'd have the AD server handle everything, to avoid this kind of problem.
I forgot to post:
In advanced for the VPN
Enable NAT Traversal: (yes)
Keep Alive interval: 240
Enable IKE Dead Peer Detection: (yes)
Dead Peer Detection Interval: 60
Failure Trigger Level: 3
VPN Single Armed mode (stand-alone VPN gateway) NO
Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address YES
Preserve IKE Port for Pass Through Connections NO
Send vpn tunnel traps only when tunnel status changes NO
ok i'll re-write this hopefully you can understand
about 2 weeks ago, I had a remote user who would connect via GVPNC and no matter what he did, he was experiencing errors or it just wouldn't connect, the SonicWall DHCP Server was assigning him the ip of 10.3.0.119 which was already statically set on a computer on the network
To resolve this, i just released the Static IP for that computer since it didn't need it and was only for testing purposes, but another option is to set a list of DHCP Server IP's the sonicwall is allowed to hand out
ccpjc:
I was refering to this comment you made below.....
my reply to you comment was essentially the "renew" button was greyed out so I could not "renew" as you indicated
"Expert Comment
Was this comment helpful?
Yes No
ccpjc:
Right click on the Icon in the taskbar beside the clock -> Open SonicWall VPN Client
double click on the current connection, then at the bottom of the status tab you will see 'Renew'"
ok let's try doing this from the start
Delete your VPN settings from the GVPNC
Add a new connection, verify the IP is correct
Make sure you have the correct PreShared key, you can find it in the SonicWall GUI under VPN -> GroupVPN, it will either be called Shared Secret or PreShare Key depending on the version
Double click the vpn connection to start, it should show Connecting, then change to provisioning, then acquiring IP, then finally connected
Once connected, it should pop up a balloon to show you are connected and your VPN IP address
if not then try going back into the Status screen and doing a Renew
Post results
Delete VPN settings check
add new connection to correct ip - check
preshared key known (sonicwall router open presahred key dispalyed
double click on vpn connection
prompted for preshared key -entered
enter username /password box
enter successfully twice
vpn status is "connected"
networking icons in systray appear with the little gold ball moving back and forth...
Below is the connection details from the VPN client log
2009/03/19 09:11:28:852 Information 67.95.*.* Starting ISAKMP phase 1 negotiation.
2009/03/19 09:11:28:898 Information 67.95.*.* Starting aggressive mode phase 1 exchange.
2009/03/19 09:11:28:898 Information 67.95.*.* NAT Detected: Local host is behind a NAT device.
2009/03/19 09:11:28:898 Information 67.95.*.* The SA lifetime for phase 1 is 28800 seconds.
2009/03/19 09:11:28:898 Information 67.95.*.*Phase 1 has completed.
2009/03/19 09:11:28:914 Information 67.95.*.* Received XAuth request.
2009/03/19 09:11:28:914 Information 67.95.*.* Sending XAuth reply.
2009/03/19 09:11:28:914 Information 67.95.*.* Received XAuth status.
2009/03/19 09:11:28:914 Information 67.95.*.* Sending XAuth acknowledgement.
2009/03/19 09:11:28:914 Information 67.95.*.* User authentication has succeeded.
2009/03/19 09:11:28:930 Information 67.95.*.* Received request for policy version.
2009/03/19 09:11:28:930 Information 67.95.*.* Sending policy version reply.
2009/03/19 09:11:28:930 Information 67.95.*.* Received policy change is not required.
2009/03/19 09:11:28:930 Information 67.95.*.* Sending policy acknowledgement.
2009/03/19 09:11:28:930 Information 67.95.*.* The configuration for the connection is up to date.
2009/03/19 09:11:28:992 Information 67.95.*.* Starting ISAKMP phase 2 negotiation with 198.68.70.0/255.255.255.0:
2009/03/19 09:11:28:992 Information 67.95.*.* Starting quick mode phase 2 exchange.
2009/03/19 09:11:29:008 Information 67.95.*.* The SA lifetime for phase 2 is 28800 seconds.
2009/03/19 09:11:29:008 Information 67.95.*.* Phase 2 with 198.68.70.0/255.255.255.0:
2009/03/19 09:11:29:008 Information 67.95.*.* NetWkstaUserGetInfo returned: user: bigmon, logon domain: snoops, logon server: disk
What are your current DCHP settings on the SonicWALL?
Good policy states that you should have a range setup especially for DCHP, but conflict detection should take care of that without a problem.
The problem still is where your users are getting no IP addresses assigned to them, which I still think is it trying to contact the AD server for a DHCP address.
You can go this way (which I prefer):
Set your AD server to hand out DCHP exactly like your sonicWALL is doing, and set up your sonicWALL to point towards your AD server in the DNS pic as below.
Or, make sure your route policy is setup correctly. See pics also.
@ccpj
attempting to login to LAN resources via Remote desktop: "this computer can't connect to the remote computer"
ipconfig /all reveal that the sonicwall is coming up 0.0.0.0
@justicator
The dhcp(which is on sonicwall) is setup from .50 to .254 All workstations on the LAN have manual ip addreses. they start at .100 and goto .175
in SW gui - leased is set
in sw gui DHCP scope is set to .50 to .59 (no static IPs)
attempt VPN connection
username and password - ok
then status stays on "cennecting"
Sonicwall virtual adapter icon appears in task bar (gold ball bounces back and forth)
In the properties of the GVPNC the renew button is no longer greyed out.
Sonicwall hangs on finding IP address, so I click on "renew" button - no effect
Ok it sounds like you are already using aggressive mode on your tunnel correct? On the sonic wall you are sitting at, it has a unique name usually the serial #, and whatever you are connecting to it has a unique name. name the tunnel whatever name of the device is your connecting to. make sure you are in aggressive mode, set the default gateway to 0.0.0.0 set the local IKE as your unique name and the remote IKE to the remote unique name.
Business Accounts
Answer for Membership
by: JusticatorPosted on 2009-03-19 at 09:00:28ID: 23930965
Have the users tried to uninstall/reinstall the client, and the latest version at that?
I had two similar issues recently, but one was due to the client's public IP changing, and one was due to the business'(on the sonicwall's side) public IP changing. Make sure these aren't being the issue either.