IndyNCC


Sonicwall VPN not giving DHCP address

We have a new Sonicwall firewall/router TZ180 that is working for Internet/email etc, but when we try to set up the VPN it connects, but will not give the outside machine a DHCP IP; it shows in the log that it connected but the address always stays at 0.0.0.0. We have tried this on multiple outside machines and have the client set up correctly. The in-house DHCP server address is entered in the VPN settings in the Sonicwall. Any suggestions? We tried several things on the phone with Sonicwall support already and we checked and the modem that connects the network to the outside world has nothing blocked or turned off on it that should affect this.
thanks,
LawIS

I personally have encountered this problem repeatedly with my TZ180, and the only (semi)effective workaround I have found was to disable split-tunneling. With split tunneling enabled, and with no other settings changes, I only get 0.0.0.0 or 169.xxx.xxx.xxx IP addresses. Disabling split tunneling gets the connection working. If you find some other way around this, please let me know.
IndyNCC

ASKER

Where is that setting found and does turning it off affect anything else on the network or the firewall that would need to be changed?
thanks.
Sorry, I forgot that it doesn't specifically define this as "split tunneling" within the SonicWALL configuration, and it may not even be true split tunneling but that's how I've come to think of it...

Within the configuration for the Group VPN, under the "Client Settings" button, look for the "Client Connections" section. Under this section, select Allow Traffic To: This Gateway Only. Also, make sure that "Set Default Route as this Gateway" is NOT selected. This should only allow traffic to this gateway and disable any other traffic, which to my understanding is the same as disabling split tunneling.

If this works for you, you might want to try selecting "Set Default Route as this Gateway", as it may allow traffic outside of your gateway while the VPN is enabled. Hopefully this works as well for you as it did for me, and perhaps better as I never got any traffic besides local to work. Cheers.
In the VPN config you have a page where you tell the Sonicwall where to obtain the IP address it hands out to the GVPN clients when they log in. It can refer to the Sonicwall's own DHCP service (but that has to be configured and running if this option is to work) or it can be the IP address of your main network DHCP server. If you use a DHCP server OTHER than the one in the Sonicwall then that's the obvious choice, but you must set it up on the DHCP over VPN config page.

Yeah, that was my first thought, but Indy states in the question that "The in house DHCP server address is entered in the VPN settings in the sonicwall."
Does the Sonicwall log show anything at that point in the tunnel setup? Or does the DHCP server log?
IndyNCC

ASKER

The split tunneling idea did not work; it still connects from outside but does not ever obtain an IP address. The DHCP page has it set to obtain a DHCP address from the internal DHCP server and the internal IP of that server is entered in the box. The LAN gateway address under another tab (I'm not looking at it right now) is all 0.0.0.0 but when Sonicwall support dialed in to look at it the other day they did not change that or say anything about it. The logs show the outside machine connecting and even show the outside machine's name, but the IP is always 0.0.0.0 for any of them and we have tried multiple outside machines with the client configured. Any help would be appreciated.
I would definitely put in the address of the LAN gateway; perhaps the SonicWALL tech overlooked that? I'm out of other ideas for the moment, but if I think of anything else you'll be the first to know.
IndyNCC

ASKER

Is that the same as the default gateway on the internal network?
Yes, whenever the SonicWALL device specifies LAN, it always means its local (internal) network.
IndyNCC

ASKER

When I type that in, a message pops up saying that "the default lan gateway is specified but the connection is not set as the default route for clients this will prevent clients from connecting on the wan port....set default route as this gateway on client page". I am not onsite right now so I don't want to change anything that might affect their connectivity. The "set default route as this gateway" option is not checked on the client page under the VPN; not sure if that is the problem or not.
Yes, that is the only way I was able to get it to work. By leaving "Set default route as this gateway" unchecked, once connected your clients will not have access to the WAN, only the LAN. Whenever I enable that connectivity my clients can no longer receive IPs, so as unfortunate as it is I leave it unchecked.

The result of this is that your VPN clients will not have internet access when connected to the VPN, only intranet access. To access internet resources they will need to disconnect from the VPN, which will obviously make them lose their connection to intranet resources. The way split tunneling is supposed to work, the machine running your client will have access to both internet and intranet while the VPN is enabled, but I have never been able to get this to work correctly.

This will not affect the connectivity to any other zone, such as your LAN, just the VPN connectors. People on your LAN will not experience any difference in their network connection, so I wouldn't worry too much about making these changes remotely. I would advise, as a general practice, to make frequent backups of your router's configuration just in case you unintentionally cause some "temporary configuration damage" :-)
ASKER CERTIFIED SOLUTION
IndyNCC

Yes, I also have never got any other VPN solution other than the SonicWALL Global VPN client to work with SonicWALL routers.  As annoying as it is, if it works why mess with it...

Glad you're up and running!
IndyNCC

ASKER

Agree, they did say also though that if we had had more than 4 or 5 users trying to use this, it would not have worked that way and the solution would have been more complicated to set up and get working.  Right now the client only bought 1 VPN license with the firewall so only one user can be connected at a time.