  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 311

Last client on has VPN, but no Internet.

I am running a dynamic IP assigned remote office with a VPN connection to the parent office (static IP).

Everything is in place and has worked for months (years) with the exception of one reoccurring problem (that its solution may cause another problem.)

1st. Every so often a workstation that has access to the LAN+intranet (via the VPN) and all its resources cannot access the Internet. Maybe, the following day that machine will access the intranet+internet without a problem, but we will find another system without access to the internet.

2nd. A short term fix is to reboot the box, however occasionally the VPN will not come back up, and we need to reboot the box on the other side. (I don't know if this is related to the original problem, or just making it harder to debug.)

We have functioned for almost a year like this, and it's been a real inconvenience. To me it feels like a licensing issue, except that the VPN is accessible, and the internet is not. We have 50 licenses, and we are approaching that number of clients going through the tunnel. However, I haven't found a way to view all active licenses.

Any help please.
Scott Stimson, www.internationalcsi.com
Asked by: icsi_wiz
 
tntmax Commented:
How often does your dynamic IP address change? What devices are you using for the site-to-site tunnel? That would be very helpful :-)
0
 
devangshroff Commented:
need to do split tunneling
0
 
icsi_wiz (Author) Commented:
Hi thanks for the reply.
We are using WatchGuard equipment on both sides.
On the remote site (where we experience the problem, Dynamic IP) we are using WatchGuard FireBox Soho 6. At the main site (static IP) we have a WatchGuard x700 model.

The Dynamic IP is actually a 'Sticky IP.' It's assigned dynamically, but should be the same number every time; however, due to previous bad experiences with the ISP, and their policies, we have the equipment configured as a dynamically changing IP... In the event it does change, then our VPN is still up.

Split Tunneling? Really, because all other clients are fine. This isn't every client without access, this is typically the last clients to connect to the LAN.
0

 
tntmax Commented:
So you have no way to manage the active licenses for the WatchGuard?? Given that it comes in 10, 25, and 50 user packs, there should be some way of knowing how many devices you have licensed, and how many are in use (very simple with Sonicwall, for example). I doubt it's a split tunneling issue. That very much sounds like a licensing issue, as the Sonicwall does the same thing - LAN connection but no Internet. Can you do an inventory of everything that is getting an IP address, and compare that to what the device is reporting? After this, can you do packet filtering to find out if the traffic is leaving the device, or getting dropped at the firewall level? This would be quite helpful for you.
0
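The inventory comparison suggested in the comment above, sketched as an added example (not part of the thread and not WatchGuard tooling). Assumptions: the 192.168.1.0/24 LAN is inferred from the 192.168.1.1 hop in the thread's tracert, the `arp -a` text and the device-side list are constructed samples, and the appliance is assumed to count one license per LAN IP.

```python
import ipaddress
import re

LICENSE_LIMIT = 50                              # "We have 50 licenses" (from the thread)
LAN = ipaddress.ip_network("192.168.1.0/24")    # assumed from the 192.168.1.1 tracert hop
GATEWAY = ipaddress.ip_address("192.168.1.1")   # the firewall itself, not a client

# Constructed sample of Windows `arp -a` output. One PC's ARP cache only lists
# peers it has recently talked to; a DHCP lease export is a fuller inventory.
SAMPLE_ARP = """\
Interface: 192.168.1.23 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-90-7f-aa-bb-01     dynamic
  192.168.1.10          00-11-22-33-44-10     dynamic
  192.168.1.11          00-11-22-33-44-11     dynamic
  192.168.1.40          00-11-22-33-44-40     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+\w+", re.I | re.M)

def lan_hosts(arp_text, lan=LAN, gateway=GATEWAY):
    """Return {IPv4Address: mac} for unicast client hosts on the LAN."""
    hosts = {}
    for ip_text, mac in ARP_ROW.findall(arp_text):
        ip = ipaddress.ip_address(ip_text)
        if ip not in lan or ip in (gateway, lan.broadcast_address):
            continue
        if int(mac[:2], 16) & 1:        # group bit set: broadcast/multicast MAC
            continue
        hosts[ip] = mac.lower()
    return hosts

def compare(hosts, device_reported, limit=LICENSE_LIMIT):
    """Diff the on-the-wire inventory against the list copied from the device.
    Assumes one license slot per LAN IP (not confirmed by the thread)."""
    seen = set(hosts)
    reported = {ipaddress.ip_address(a) for a in device_reported}
    return {
        "seen_on_lan": len(seen),
        "not_on_device": [str(ip) for ip in sorted(seen - reported)],
        "only_on_device": [str(ip) for ip in sorted(reported - seen)],
        "over_limit": len(seen | reported) > limit,
    }

if __name__ == "__main__":
    # Constructed device-side list; replace with what the device actually reports.
    print(compare(lan_hosts(SAMPLE_ARP), ["192.168.1.10", "192.168.1.11", "192.168.1.99"]))
```

Addresses in `only_on_device` are ones the device still lists although they are not currently on the wire; addresses in `not_on_device` are live hosts the device does not list.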
 
icsi_wiz (Author) Commented:
It's definitively happening at the router/VPN/firewall, but it doesn't make a lot of sense.
I can see this because if I get on an affected PC I can attempt a tracert to an IP outside of our network, and get timeouts:
e.g.,
tracert cnn.com

Tracing route to cnn.com [157.166.224.26]
over a maximum of 30 hops:

  1     3 ms     2 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *

however, a tracert to the other side of the VPN works:
e.g.,

tracert 10.10.10.20 Trace complete.


I'd buy the licensing issue, however, we have enough licenses (on the other side we can view the connections through the WatchGuard, and we are within the limit.)
...plus... Have you ever heard of a VPN licensing scheme that allowed the clients to access the VPN, but not the internet, when the licenses have been exceeded?

In my experience the licenses would shut down the tunnel, or both the tunnel and the internet.

Checked into split tunneling and it's not enabled at all. The way I understand the split-tunneling with WatchGuard, you're enabling the internet traffic to be routed through the VPN for managing access (i.e., restricting access) to the internet. However, split-tunneling has never been used, and the default should be to route 0.0.0.0 to the internet, with the exception of the IP range of the other side of the VPN.

HELP!
Thanks,
Scott

 
0
 
icsi_wiz (Author) Commented:
Thanks... It was the licensing, took me a while to verify, but that's it.
0
