Sonicwall SOHO3 VPN Problems

Posted on 2004-03-23
Last Modified: 2013-11-16
Hello,

I've tried posting this once to no avail...here goes again!

I have a SOHO3 with 10 Global VPN licenses; firmware is 6.5.04; using Global VPN Client 2.0.  I need to set up a VPN for remote users to access Intranet, Terminal Services, etc.  Because we are running Windows Server 2003 DHCP services, I would like to have the IP address assigned by the server, not the SonicWall.  Under DHCP over VPN, the SonicWall is set as a Central Gateway and "send DHCP requests to the server listed below" is configured to point at the W2K3 box.  In the VPN settings under client settings, I have selected "Use DHCP to obtain Virtual IP for this Connection."

Here's my problem - I can connect to the  firewall using the VPN client, but I cannot ping any internal addresses.  When I go to the Virtual IP settings, it has not received an IP from the DHCP server, and renewing eventually times out.  The Group VPN connection is reporting that packets have been sent and received, but I cannot (obviously) connect to internal addresses.  When I enable logging, I get the following message: "Failed to renew the IP address for the virtual interface. The semaphore timeout period has expired."

Anyone have any ideas?  This is extremely urgent, so I'm awarding 500 points to the first person to get me an up-and-running VPN!
Question by:saetaes
20 Comments
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10669125
Do things work if you use SonicWall to assign DHCP addresses ?
Does the W2K 2003 event viewer show any attempt by the SonicWall to lease addresses ?
0
 

Author Comment

by:saetaes
ID: 10669366
I haven't tried enabling DHCP from the SonicWall since this is a production firewall and we're using W2K3 DHCP services.  Nothing in the Event Viewer reflecting the SonicWall trying to get a lease.  I have also tried manually assigning an IP address and reconfiguring accordingly, and still have not had any luck getting to internal machines.  Do you have anything else I should try?
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10669765
I'm not quite sure what the issue is yet, but you need to get it working using a manual IP address from your machine first.
Also make sure there are routes setup on your network so that your servers can get back to the VPN clients.  
These links should help get you started:

Client setup guide here:

http://www.sonicwall.com/services/pdfs/Global_VPN_Client_21_QSG.pdf

Global VPN setup guide:

http://www.sonicwall.com/services/pdfs/Global_VPN_Client_21_AdminGuide.pdf

Advanced VPN setup guide:

http://www.sonicguard.com/Datasheet/ikeadvanced.pdf
0
 

Expert Comment

by:rodKeller
ID: 10814087
I have been having the exact same problem with a Sonicwall TZ 170. I would be very interested in hearing if you have found a solution as I have tried everything but letting the firewall become the DHCP server.
0
 

Expert Comment

by:rodKeller
ID: 10825280
I have just enabled the DHCP service in the Sonicwall with no joy. The client still does not receive a Virtual IP address. The Sonicwall reports a tunnel is connected but there is no connectivity to any hosts on the LAN.
0
 

Author Comment

by:saetaes
ID: 10829046
Sounds like the exact problem I've had.  It's really a shame that these SonicWalls have this chronic VPN problem, because I will probably never buy another one because of it....
0
 
LVL 1

Expert Comment

by:pancho2004
ID: 10864865
Saetaes, I'm in your exact situation as well.  What's interesting is that some users (less than 5) connect, all others cannot.  There are plenty addresses in the DHCP scope and remote users are not being blocked by personal firewalls (hardware or software).  Licensing is not an issue either.  A call to SonicWALL did not help either. If anyone has a fix, it would be greatly appreciated.
0
 
LVL 1

Accepted Solution

by:pancho2004
pancho2004 earned 500 total points
ID: 10865123
Well, I think I found a solution: On the client, create your VPN connection.  Double-click to get the properties of the connection.  Click on the Peers tab, highlight your connection and click Edit.  On the NAT Traversal drop-down box, set it to Disabled.  On the Interface drop-down box, set it to whatever type of connection you are using (i.e., LAN).  OK out of all the menus.  Disable your connections and then enable.  You should get an IP and access to your network....it worked for me.
0
 

Expert Comment

by:rodKeller
ID: 10881173
Thanks pancho2004. I got my VPN to work also by setting the NAT traversal to disabled. Why isn't this documented somewhere? I am quite disenchanted with Sonicwall. We bought a TZ 170 with unlimited nodes and the promise of an OS Enhanced upgrade. As soon as I registered the unit it resorted to a 10 node configuration. It took our reseller several days to get them to straighten out the problem and forget the OS upgrade, it isn't worth the battle. It seems that all the firewall appliance manufacturers have the same attitude, soak the customer. Next time I'll use the IPCop firewall.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10883344
All NAT-T does is encapsulate VPN traffic on port 4500 in order for it to traverse NATted firewalls.  For example, if one VPN server is behind a firewall using address translation, then your standard protocol 50 and 51 will get dropped as firewalls generally only route TCP/UDP.
Knickers get twisted though as it's quite possible for one end to think it's doing NAT-T whereas the other end has already negotiated IKE over port 500.
General rule is make sure both ends are matched up, and protocols you don't want are disabled...
0
 

Expert Comment

by:cshilli
ID: 11096442
The solution suggested - to Disable NAT traversal - will not always correct this problem. This option will work if you have a Linksys router with the very latest firmware which can support not only "IPSEC passthrough" but also UPnP. These capabilities allow for the Sonicwall Global VPN client to automatically apply encapsulation to the NATed packets.
I also had and continue to have problems with IP address timeouts. The problem is not always consistent. Sonicwall just produced new Firmware v2.2 for their firewalls which supposedly addresses this problem. I now find the problem to be even more intermittent. Tonight I had to reset my router - a SW3060 Pro. After that, I was not able to get IP addresses from my Windows NT server for 4 hours. Until at last in desperation I stopped and restarted the DHCP service on the NT server. Voila - it started to work again.
0
 

Expert Comment

by:wiredmike
ID: 11497526
My issue is the same- however the traversal trick didn't fix it. My user is not sitting behind any hardware firewalls (so no NAT is happening- it has a public IP) and my SonicWall device is also first in line (public IP address). I am looking into other possible issues- but no luck for me. And the Sonicwall is the only device passing out DHCP- it's been restarted so it's not that. In fact other clients are not having a problem getting DHCP addresses through VPN- it is just one in particular. I have followed everything to the letter, but the SonicWall techs had to escalate my case.

Could it have something to do with the ISP- this is a former ATT cable/now Comcast user in Nantucket (and I'm in Santa Fe trying to troubleshoot- big fun)?
0
 

Expert Comment

by:jasondeno
ID: 12347487
I also have this problem.  I have tried doing the Nat-T thing, but to no avail.  I'm still getting the semaphore timeout error and no IP address.  My client (whom I'm trying to set this up for) got the exact same error while she was in a hotel in New York.  Now you'd THINK a hotel would be bright enough to open the correct ports so that clients could VPN back to the office, eh?

I'm going to call my client later and have them do the Nat-T switch and see if it helps them.  But honestly I'm pretty let down so far by this. I get a phase 1 ISAKMP error at home (behind a SOHO3 of my own using a WISP) and this semaphore error at work and at her location in New York.  That's 0 for 3 so far.  However, every time I call Sonicwall, they buzz right in and get an IP with no trouble.  I'm beginning to think the problem here isn't my network(s), but the requirements of the client VPN system...

I've used the SOHO3 in several installations and it's a rock of a firewall for the price.  Plus I've had NO trouble with box to box VPNs, but this client VPN may be the death of me.
0
 

Expert Comment

by:jasondeno
ID: 12371089
OK, I've had some help and managed to get this problem fixed.  From what I understand, Nat-T is used when you have one or more NAT networks between your client and firewall.  So I Forced ON Nat-T on the client and made a few tweaks to my Soho3.  It now works.  But I also hired a security expert to help me out too.

Here is a good MS article on the Nat-T subject:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043

I have taken the liberty of making screen shots of all of the relevant pages of my Soho3 and my Global Client software.  I have made them into a PDF file and placed it here:
http://www.inventhorizon.com/support/soho3_vpn.pdf

I hope this helps.  The guy who helped me out did note that he didn't feel that the Sonicwall Nat-T solution was a little odd.  Here's what he said:
"I did a packet capture and when the NAT Traversal is enabled the VPN client only uses UDP port 500, which isn’t true to the standard. NAT-T is supposed to use UDP/500 for IKE and UDP/4500 for the data, but this seems to work OK even though it’s proprietary. Remember that whatever network you wind up plugged into, they must allow UDP/500 out or your VPN client won’t work."

If you give in like me and decide you need to PAY for support (the horror), might I recommend Security Volition.  They've helped me out more times than I can count.  Am I incompetent or are they really good?  A little from column A and little from column B on that one...

[company data removed - ee_ai_construct, cs admin]
0
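Tim Holman's explanation of NAT-T (ID 10883344) and the packet capture quoted in the post above (ID 12371089) both come down to which transport the tunnel actually uses: native ESP/AH, IKE on UDP/500 with data on UDP/4500, or everything on UDP/500. The Python below is an added example, not code from this thread or from SonicWall: it classifies constructed packet 5-tuples into those classes and reports which outbound rules the client's network would have to allow; the IKE_HANDSHAKE_MAX threshold is an assumed heuristic, not a SonicWall parameter, and the sample captures are made up.

```python
from collections import Counter, namedtuple

IKE_PORT, NATT_PORT = 500, 4500  # IKE, and UDP-encapsulated ESP/IKE (RFC 3948)
ESP, AH, UDP = 50, 51, 17        # IP protocol numbers
# Assumed heuristic: more UDP/500 packets than an IKEv1 main+quick mode
# exchange means data, not just IKE, is riding on port 500.
IKE_HANDSHAKE_MAX = 12

# A packet reduced to what matters here: IP protocol and UDP ports (0 if none).
Pkt = namedtuple("Pkt", "proto sport dport", defaults=(0, 0))

def classify(p):
    """Name the IPsec role of a single packet."""
    if p.proto == ESP:
        return "esp"
    if p.proto == AH:
        return "ah"
    if p.proto == UDP and NATT_PORT in (p.sport, p.dport):
        return "udp4500"
    if p.proto == UDP and IKE_PORT in (p.sport, p.dport):
        return "udp500"
    return "other"

def summarize(pkts):
    """Return (verdict, outbound rules the client's network must allow)."""
    c = Counter(classify(p) for p in pkts)
    if c["esp"] or c["ah"]:
        # Native ESP/AH: NAT gateways that forward only TCP/UDP drop this.
        need = {"udp/500", "ip-proto/50"} | ({"ip-proto/51"} if c["ah"] else set())
        return "native-ipsec", need
    if c["udp4500"]:
        return "natt-rfc3948", {"udp/500", "udp/4500"}
    if c["udp500"] > IKE_HANDSHAKE_MAX:
        # Everything on UDP/500, as in the capture quoted above: non-standard,
        # but the only egress it needs is UDP/500 out.
        return "all-on-udp500", {"udp/500"}
    if c["udp500"]:
        return "ike-only-no-data", {"udp/500"}  # negotiated, nothing carried
    return "no-ipsec", set()

def sample(kind):
    """Constructed captures (client -> gateway), not real traffic."""
    ike = [Pkt(UDP, 500, 500)] * 9
    if kind == "native":
        return ike + [Pkt(ESP)] * 40
    if kind == "natt":
        return ike + [Pkt(UDP, 4500, 4500)] * 40
    if kind == "proprietary":
        return ike + [Pkt(UDP, 500, 500)] * 40
    return ike  # "stalled": tunnel up, no data: connected but cannot ping
```

Running `summarize(sample(kind))` for each kind shows why a tunnel can report packets sent and received yet carry no traffic ("ike-only-no-data"), and which single port the quoted capture's behaviour depends on.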
 

Expert Comment

by:piskander
ID: 12412415
It all comes down to two things: DNS and routing. Regarding the vpn giving an IP address to the client, I don't think it does, as I have done an ipconfig /all on my vpn connected system at home and it only shows my normal assigned IP (from my cable router). I had the problem where I couldn't communicate anywhere except the main site and it turned out to be routing. Check your subnets / masks too. I know not too much help, but my 2c worth if it can help at all.
0
 
LVL 1

Expert Comment

by:josteinleira
ID: 13024959
I recently experienced the same problem and solution (thanks pancho2004) when a colleague started to use SonicWALL Global VPN Client from the same location as me. We are using Windows XP SP2 behind a D-Link 624+ wifi access point. The SonicWall we are connecting to is a TELES3 with DHCP enabled.
0
 

Expert Comment

by:dbett
ID: 13159497
I just used this solution to fix an error in the GroupVPN connection that the log listed as: "Failed to renew IP address for the virtual interface.  The semaphore timeout period has expired."

Not sure about the firmware version on the Sonicwall box at work.  But the problem was directly traceable to recently installing an Airport Extreme Wireless base station at home.  I'm using it with an all Windows set of computers to take advantage of the Airport Express I got for Christmas. :)  

Connecting either wirelessly or wired through the Airport Extreme gave the error.  A direct connection to the cable modem worked.

But now with the configuration change in the GroupVPN client, I can connect fine.
0
 

Expert Comment

by:jledom
ID: 21552084
I had the same issue.  Went into the SOHO VPN Client settings and told it to assign virtual IP.  Worked like a champ.
0
 

Expert Comment

by:drinu78
ID: 24088415
Hi to all,

Had the same exact problem. Finally boiled down to the "Apply NAT and firewall rules" setting for the GroupVPN SA, under advanced settings. Turn it off and it might make your day.

0
