Solved

SonicWall VPN Only Connects to Domain Controllers

Posted on 2006-11-03
Last Modified: 2010-04-12
We have a SonicWall Pro 330.  I had a user say he could not connect to servers and apps via VPN.  I took the laptop home and the only computers it will connect to are our domain controllers (both are also dns servers).  I found the same was true with my home laptop.

We have remote users that use the VPN daily and they have not reported any issues (and I know their connections were working yesterday).

I thought DNS, but all computers internally are working and some remote connections are working.  Does anyone have any ideas?  Here is some more info on our network:

2 - W2k DCs
Various other 2k and 2k3 servers
Sonicwall VPN
User's laptop is XP pro, SP2
My laptop is XP home, SP2

If you need more info, please let me know! TIA!
Question by:SupportECI
12 Comments
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 150 total points
ID: 17872929
Can you ping the systems to which you cannot connect, or connect by IP such as \\192.168.123.123\ShareName?
What are you using to create the VPN? The Sonicwall Global VPN client and the router, Windows client and VPN server, or other?
Are the computers that can connect members of the domain, and the ones that cannot, not members?
Are the subnets different at both sites? They should be.

Sorry more questions than answers, but perhaps we can narrow it down.
0
 
LVL 8

Assisted Solution

by:nitadmin
nitadmin earned 150 total points
ID: 17873870
Hi SupportECI,

It sounds like you are able to make the VPN connection. But you cannot connect to hosts other than the Domain Controllers.

I suggest that you use the internal or private IP addresses of the hosts instead of the hosts' NetBIOS names.
When you are connecting over a VPN tunnel, your computer (the remote host) will not be able to resolve host names to IP addresses. So you should use the IP addresses instead.

Cheers!
NITADMIN
0
 
LVL 8

Accepted Solution

by:
saw830 earned 200 total points
ID: 17878090
Hi,

How does the problem show itself?  Is it an issue with not resolving the server name, or access denied when it connects, or something else?

If it is a name resolution problem, make sure that the DNS settings for the remote PC point to the internal DNS servers at the office.  Keep in mind that the DNS servers will not be available when the VPN is not connected, so the workstation may have a problem.  I believe that if you put one of your internal DNS server addresses as the first DNS server and a public DNS server address as the second DNS server (all on the remote PC, ya know), then the remote PC will use the internal DNS if it can reach it, and fall back to the second if it can't reach the first.

If it is an access denied message or some other kind of "just can't quite do it" problem, I'd check the Kerberos settings.  By default, Windows uses UDP/IP for Kerberos traffic, but this doesn't work so well over the internet and VPNs and such.  If this is the problem, an adjustment to the Kerberos settings will fix this.  Here's some doc on this issue:
http://support.microsoft.com/kb/244474

If that fixes it, but it becomes sporadic, have a look at this:
http://support.microsoft.com/kb/320903

If you just want to know more about Kerberos, here's an overview:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Give some error messages or symptoms and it will be easier to work out.

Hope this helps,
Alan
0
 
LVL 1

Author Comment

by:SupportECI
ID: 17881376
Thanks for the responses.

-------------------------
RobWill:

I can ping and connect to the DCs by name or IP.

I cannot ping or connect by name to other computers (also remote desktop and VNC do not work).

We are using the sonicwall vpn client.

One of the computers, XP pro, is a member of the domain; Mine, XP home, is not.

I will have to verify the subnets are not the same, I know we have had issues with that before.  But the user does not use a router, so he should not be getting a private IP.  I will check on my router.

-------------------------
nitadmin:

see above.

-------------------------
saw830:

When we try to ping it times out.  When trying to connect to shares, it comes back as "the network path was not found"

I will have to check on the dns setup of the laptops and the rest of your suggestions later when I am out of the office.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17881911
Is there any chance a group policy has been changed that enabled the Windows Firewall on all workstations? Where this was working before, it doesn't sound like a configuration issue, and the fact that you cannot ping by IP rules out DNS, as the primary problem.
0
 
LVL 8

Expert Comment

by:nitadmin
ID: 17886490
When you connect to the Sonicwall using the Sonicwall Global VPN client, are you getting an IP address on the virtual connection? Is the IP address in the same subnet as the subnet in the office LAN? When connecting to the Sonicwall using the Global VPN client you should get an IP address from the DHCP server running on the Sonicwall device. If you don't get an IP address from the Sonicwall device, then you have to configure a static IP address for the virtual connection. Make sure the address is in the same subnet.

Cheers,
NITADMIN
0

 
LVL 1

Author Comment

by:SupportECI
ID: 17900397
Sorry for the delay...

I checked my router and it was set on the same subnet as our internal subnet.  Once I changed this everything worked fine for my computer and the user's.

I am not sure the user's issues are fixed yet, however.  The user stated that apps and network shares were not working.  I assumed that he would not have known or thought about trying to connect to our DCs, so his issues must have been the same.  Now I am thinking it is a different issue with his connection, but it is obviously not the computer as it worked fine for me.  Also the user said he does not use a router, so since we have the same ISP (sbc yahoo) I am going to try it tonight without the router, just plugged right into the dsl modem.

I will let you know what happens with that.
0
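The two checks this thread converged on (a failure by IP rules out DNS as the primary problem, and the client's LAN must not share a subnet with the office LAN), as an added example that is not part of the original thread. The function names, addresses and probe fields are constructed for illustration.

```python
import ipaddress

def overlapping(local_lan, vpn_networks):
    """Return the VPN destination networks that overlap the client's own LAN."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [n for n in vpn_networks
            if lan.overlaps(ipaddress.ip_network(n, strict=False))]

def triage(local_lan, vpn_networks, probe):
    """Classify one probe result: {'ip', 'ping_ip_ok', 'name_ok'}."""
    if not probe["ping_ip_ok"]:
        # Failing by IP means DNS is not the primary problem.
        addr = ipaddress.ip_address(probe["ip"])
        for net in overlapping(local_lan, vpn_networks):
            if addr in ipaddress.ip_network(net, strict=False):
                # The target address also belongs to the client's own LAN,
                # so the two sites need different subnets.
                return "subnet-overlap"
        # No overlap: look at routing, or a host firewall on the target.
        return "routing-or-host-firewall"
    if not probe["name_ok"]:
        # Reachable by IP but not by name: check the client's DNS settings.
        return "name-resolution"
    return "ok"

# Constructed sample values (not taken from the thread).
OFFICE_NETS = ["192.168.1.0/24"]
HOME_BEFORE = "192.168.1.1/24"    # home router on the same subnet as the office
HOME_AFTER = "192.168.50.1/24"    # home router after renumbering
FILE_SERVER = {"ip": "192.168.1.20", "ping_ip_ok": False, "name_ok": False}

if __name__ == "__main__":
    print(triage(HOME_BEFORE, OFFICE_NETS, FILE_SERVER))
    print(triage(HOME_AFTER, OFFICE_NETS, FILE_SERVER))
```
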
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17902677
>>"The user stated that apps and network shares were not working. "
Can the user connect to the shares by IP, e.g. \\192.168.123.123\ShareName? Perhaps they now have a connection, assuming their subnet is different, and it is just a name resolution issue at this point.

>>"I am going to try it tonight without the router, just plugged right into the dsl modem."
Good test. Let us know how it goes.
0
 
LVL 1

Author Comment

by:SupportECI
ID: 17957859
Sorry for the delay.

I plugged the laptop straight into the modem and everything worked fine.

So I could not recreate the problem, as the user does not have a router.  I am now not even sure he could reach the DCs.  I have asked him to try it again and to call me when he tries to connect so that we can get more information.  I will update this when he has a chance to try it again (hopefully in the next few days).
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 17961469
By the way, you mentioned SBC earlier. I have read a few articles lately stating that the SBC connection client can interfere with VPNs. These referred to PPTP VPNs but may apply to your Global VPN IPSec client as well. As a test you might want to try un-installing it, if present.

Let us know how it goes.
0
 
LVL 1

Author Comment

by:SupportECI
ID: 18167796
Well all, I really don't know what came of this, because the user never could get connected, but we have never been able to go to his house to see if something might be the problem there.  So I will split points and call it good.  Thanks for all of your suggestions.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18167870
Thanks SupportECI. Enjoy the holiday season.
Cheers !
--Rob
0
