Solved

Last client on has VPN, but no Internet.

Posted on 2008-10-03
Last Modified: 2010-04-21
I am running a dynamic IP assigned remote office with a VPN connection to the parent office (static IP.)

Everything is in place and has worked for months (years) with the exception of one reoccurring problem (that its solution may cause another problem.)

1st. Every so often a workstation that has access to the LAN+intranet (via the VPN) and all its resources cannot access the Internet. Maybe, the following day that machine will access the intranet+internet without a problem, but we will find another system without access to the internet.

2nd. A short term fix is to reboot the box, however occasionally the VPN will not come back up, and we need to reboot the box on the other side. (I don't know if this is related to the original problem, or just making it harder to debug.)

We have functioned for almost a year like this, and it's been a real inconvenience. To me it feels like a licensing issue, except that the VPN is accessible, and the internet is not. We have 50 licenses, and we are approaching that number of clients going through the tunnel. However, I haven't found a way to view all active licenses.

Any help please.
Scott Stimson, www.internationalcsi.com
Question by:icsi_wiz
6 Comments
 
LVL 15

Expert Comment

by:tntmax
ID: 22637952
How often does your dynamic IP address change? What devices are you using for the site-to-site tunnel? That would be very helpful :-)
0
 
LVL 5

Expert Comment

by:devangshroff
ID: 22639747
need to do split tunneling
0
 
LVL 2

Author Comment

by:icsi_wiz
ID: 22672953
Hi thanks for the reply.
We are using WatchGuard equipment on both sides.
On the remote site (where we experience the problem, Dynamic IP) we are using WatchGuard FireBox Soho 6. At the main site (static IP) we have a WatchGuard x700 model.

The Dynamic IP is actually a 'Sticky IP.' It's assigned Dynamically, but should be the same number every time, however, due to previous bad experiences with the ISP, and their policies, we have the equipment configured as a Dynamically changing IP....In the event it does change, then our VPN is still up.

Split Tunneling? Really, because all other clients are fine. This isn't every client without access, this is typically the last clients to connect to the LAN.
0
 
LVL 15

Accepted Solution

by:
tntmax earned 500 total points
ID: 22674066
So you have no way to manage the active licenses for the WatchGuard?? Given that it comes in 10, 25, and 50 user packs, there should be some way of knowing how many devices you have licensed, and how many are in use (very simple with Sonicwall, for example). I doubt it's a split tunneling issue. That very much sounds like a licensing issue, as the Sonicwall does the same thing - LAN connection but no Internet. Can you do an inventory of everything that is getting an IP address, and compare that to what the device is reporting? After this, can you do packet filtering to find out if the traffic is leaving the device, or getting dropped at the firewall level? This would be quite helpful for you.
0
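The inventory comparison suggested in the accepted answer, as an added example that is not part of the thread and not a WatchGuard tool. The CSV lease export, the device host list and the "first seen" ordering are assumptions made for illustration; the sample data is constructed, and the demo uses a limit of 3 instead of 50 to keep it short.

```python
import csv
import io
from datetime import datetime

LICENSE_LIMIT = 50  # license count stated in the question

# Constructed sample data; the CSV columns are a hypothetical export format.
SAMPLE_LEASES = """ip,first_seen,expires
192.168.1.10,2008-10-03T07:55:00,2008-10-04T07:55:00
192.168.1.11,2008-10-03T08:02:00,2008-10-04T08:02:00
192.168.1.12,2008-10-02T08:10:00,2008-10-03T08:10:00
192.168.1.13,2008-10-03T08:30:00,2008-10-04T08:30:00
192.168.1.14,2008-10-03T09:15:00,2008-10-04T09:15:00
"""
# Constructed stand-in for the host list the firewall itself reports.
SAMPLE_DEVICE_LIST = ["192.168.1.10", "192.168.1.11",
                      "192.168.1.13", "192.168.1.200"]


def active_hosts(lease_csv, now):
    """Return {ip: first_seen} for leases that have not expired at `now`."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(lease_csv)):
        if datetime.fromisoformat(row["expires"]) <= now:
            continue  # expired lease: host no longer holds the address
        seen = datetime.fromisoformat(row["first_seen"])
        ip = row["ip"]
        if ip not in hosts or seen < hosts[ip]:
            hosts[ip] = seen  # keep the earliest sighting per address
    return hosts


def compare(hosts, device_ips, limit=LICENSE_LIMIT):
    """Compare the LAN inventory with the hosts the firewall reports."""
    by_arrival = sorted(hosts, key=hosts.get)  # earliest first (assumed order)
    return {
        "inventory_count": len(hosts),
        # Latest arrivals beyond the limit: the "last clients on" symptom.
        "over_limit": by_arrival[limit:],
        # On the LAN but absent from the firewall's list.
        "not_counted": sorted(set(hosts) - set(device_ips)),
        # Counted by the firewall but missing from the lease inventory,
        # e.g. statically addressed printers that also consume a license.
        "unknown_to_inventory": sorted(set(device_ips) - set(hosts)),
    }


if __name__ == "__main__":
    now = datetime(2008, 10, 3, 10, 0)
    print(compare(active_hosts(SAMPLE_LEASES, now), SAMPLE_DEVICE_LIST, limit=3))
```

Hosts listed under `unknown_to_inventory` are the ones a DHCP-only headcount misses, which is how a site can believe it is under its limit while the device disagrees.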
 
LVL 2

Author Comment

by:icsi_wiz
ID: 22745557
It's definitively happening at the router/VPN/firewall, but it doesn't make a lot of sense.
I can see this because if I get on an affected PC I can attempt a tracert to an IP outside of our network, and get Timeouts:
e.g.,
tracert cnn.com

Tracing route to cnn.com [157.166.224.26]
over a maximum of 30 hops:

  1     3 ms     2 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *

however, a tracert to the other side of the VPN works:
e.g.,

tracert 10.10.10.20

Trace complete.


I'd buy the licensing issue, however, we have enough licenses (on the other side we can view the connections through the watchguard, and we are within the limit.)
...plus....Have you ever heard of a VPN licensing scheme that allowed the clients to access the VPN, but not the internet, when the licenses have been exceeded?

In my experience the licenses would shut down the tunnel, or both the tunnel and the internet.

Checked into split tunneling and it's not enabled at all. The way I understand the split-tunneling with watchguard, you're enabling the internet traffic to be routed through the VPN for managing access (i.e., restricting access) to the internet. However, split-tunneling has never been used, and the default should be to route 0.0.0.0 to the internet, with the exception of the ip range of the other side of the VPN.

HELP!
Thanks,
Scott

 
0
 
LVL 2

Author Closing Comment

by:icsi_wiz
ID: 31502861
Thanks...It was the licensing, took me awhile to verify, but that's it.
0

Question has a verified solution.
