Solved

Last client on has VPN, but no Internet.

Posted on 2008-10-03
6
302 Views
Last Modified: 2010-04-21
I am running a dynamic IP assigned remote office with a VPN connection to the parent office (static IP.)

Everything is in place and has worked for months (years) with the exception of one reoccurring problem (that its solution may cause another problem.)

1st. Every so often a workstation that has access to the LAN+intranet (via the VPN) and all its resources cannot access the Internet. Maybe, the following day that machine will access the intranet+internet without a problem, but we will find another system without access to the internet.

2nd. A short term fix is to reboot the box, however occasionally the VPN will not come back up, and we need to reboot the box on the other side. (I don't know if this is related to the original problem, or just making it harder to debug.)

We have functioned for almost a year like this, and it's been a real inconvenience. To me it feels like a licensing issue, except that the VPN is accessible, and the internet is not. We have 50 licenses, and we are approaching that number of clients going through the tunnel. However, I haven't found a way to view all active licenses.

Any help please.
Scott Stimson, www.internationalcsi.com
0
Comment
Question by:icsi_wiz
  • 3
  • 2
6 Comments
 
LVL 15

Expert Comment

by:tntmax
ID: 22637952
How often does your dynamic IP address change? What devices are you using for the site-to-site tunnel? That would be very helpful :-)
0
 
LVL 5

Expert Comment

by:devangshroff
ID: 22639747
need to do split tunneling
0
 
LVL 2

Author Comment

by:icsi_wiz
ID: 22672953
Hi, thanks for the reply.
We are using WatchGuard equipment on both sides.
On the remote site (where we experience the problem, Dynamic IP) we are using WatchGuard FireBox Soho 6. At the main site (static IP) we have a WatchGuard x700 model.

The Dynamic IP is actually a 'Sticky IP.' It's assigned Dynamically, but should be the same number every time; however, due to previous bad experiences with the ISP, and their policies, we have the equipment configured as a Dynamically changing IP... In the event it does change, then our VPN is still up.

Split Tunneling? Really, because all other clients are fine. This isn't every client without access, this is typically the last clients to connect to the LAN.
0
 
LVL 15

Accepted Solution

by:
tntmax earned 500 total points
ID: 22674066
So you have no way to manage the active licenses for the WatchGuard?? Given that it comes in 10, 25, and 50 user packs, there should be some way of knowing how many devices you have licensed, and how many are in use (very simple with Sonicwall, for example). I doubt it's a split tunneling issue. That very much sounds like a licensing issue, as the Sonicwall does the same thing - LAN connection but no Internet. Can you do an inventory of everything that is getting an IP address, and compare that to what the device is reporting? After this, can you do packet filtering to find out if the traffic is leaving the device, or getting dropped at the firewall level? This would be quite helpful for you.
0
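The inventory step suggested in the answer above, sketched as an added example that is not part of the original thread: it merges `arp -a` captures from LAN PCs and compares the distinct client count with the 50 licenses mentioned in the question. The 192.168.1.0/24 range is inferred from the 192.168.1.1 hop in the later tracert, one license per distinct LAN IP is an assumption about how the device counts, and the capture text is constructed sample data.

```python
import ipaddress
import re

LICENSED_USERS = 50                            # "We have 50 licenses" (from the thread)
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed from the 192.168.1.1 hop
GATEWAY = ipaddress.ip_address("192.168.1.1")  # the firewall itself is not a client

# Constructed `arp -a` output (Windows format) from two different times of day.
SNAPSHOT_AM = """\
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-00-00-01     dynamic
  192.168.1.10          00-11-22-33-44-10     dynamic
  192.168.1.11          00-11-22-33-44-11     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SNAPSHOT_PM = """\
Interface: 192.168.1.23 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-00-00-01     dynamic
  192.168.1.11          00-11-22-33-44-11     dynamic
  192.168.1.40          00-11-22-33-44-40     dynamic
"""

IFACE = re.compile(r"^Interface:\s+(\d+(?:\.\d+){3})")
ROW = re.compile(r"^\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+dynamic", re.I)

def lan_hosts(arp_text):
    """Return the set of client IPs on the LAN seen in one `arp -a` capture."""
    hosts = set()
    for line in arp_text.splitlines():
        m = IFACE.match(line) or ROW.match(line)  # local PC, or a learned neighbour
        if not m:
            continue                               # headers, static/broadcast rows
        ip = ipaddress.ip_address(m.group(1))
        if ip in LAN and ip != GATEWAY:
            hosts.add(ip)
    return hosts

def licence_report(snapshots, limit=LICENSED_USERS):
    """Union the hosts over all captures and compare with the licence count."""
    seen = set()
    for text in snapshots:
        seen |= lan_hosts(text)
    return {"hosts": [str(h) for h in sorted(seen)],
            "count": len(seen),
            "headroom": limit - len(seen),
            "over_limit": len(seen) > limit}

if __name__ == "__main__":
    print(licence_report([SNAPSHOT_AM, SNAPSHOT_PM]))
```

An ARP cache only holds neighbours the PC has talked to recently, so captures from one machine undercount; the DHCP server's lease list is a fuller source for the same comparison.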
 
LVL 2

Author Comment

by:icsi_wiz
ID: 22745557
It's definitively happening at the router/VPN/firewall, but it doesn't make a lot of sense.
I can see this because if I get on an affected PC I can attempt a tracert to an IP outside of our network, and get Timeouts:
e.g.,
tracert cnn.com

Tracing route to cnn.com [157.166.224.26]
over a maximum of 30 hops:

  1     3 ms     2 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *

However, a tracert to the other side of the VPN works:
e.g.,

tracert 10.10.10.20 Trace complete.


I'd buy the licensing issue, however, we have enough licenses (on the other side we can view the connections through the WatchGuard, and we are within the limit.)
...plus....Have you ever heard of a VPN licensing scheme that allowed the clients to access the VPN, but not the internet, when the licenses have been exceeded?

In my experience the licenses would shut down the tunnel, or both the tunnel and the internet.

Checked into split tunneling and it's not enabled at all. The way I understand the split-tunneling with WatchGuard, you're enabling the internet traffic to be routed through the VPN for managing access (i.e., restricting access) to the internet. However, split-tunneling has never been used, and the default should be to route 0.0.0.0 to the internet, with the exception of the IP range of the other side of the VPN.

HELP!
Thanks,
Scott

 
0
 
LVL 2

Author Closing Comment

by:icsi_wiz
ID: 31502861
Thanks...It was the licensing, took me a while to verify, but that's it.
0
