Solved

Sonicwall VPN not giving DHCP address

Posted on 2009-02-24
Last Modified: 2012-05-06
We have a new Sonicwall firewall/router TZ180 that is working for Internet/email etc, but when we try to set up the VPN it connects, but will not give the outside machine a DHCP IP, it shows in the log that it connected but the address always stays at 0.0.0.0.  We have tried this on multiple outside machines and have the client set up correctly.  The in-house DHCP server address is entered in the VPN settings in the Sonicwall.  Any suggestions?  We tried several things on the phone with Sonicwall support already and we checked and the modem that connects the network to the outside world has nothing blocked or turned off on it that should affect this.
thanks,
Question by:IndyNCC
15 Comments
 
LVL 3

Expert Comment

by:LawIS
ID: 23725218
I personally have encountered this problem repeatedly with my TZ180, and the only (semi)effective workaround I have found was to disable split-tunneling.  With split tunneling enabled, and with no other settings changes, I only get 0.0.0.0 or 169.xxx.xxx.xxx IP addresses.  Disabling split tunneling gets the connection working.  If you find some other way around this, please let me know.
0
 

Author Comment

by:IndyNCC
ID: 23725536
Where is that setting found and does turning it off affect anything else on the network or the firewall that would need to be changed?
thanks.
0
 
LVL 3

Expert Comment

by:LawIS
ID: 23726287
Sorry, I forgot that it doesn't specifically define this as "split tunneling" within the SonicWALL configuration, and it may not even be true split tunneling but that's how I've come to think of it...

Within the configuration for the Group VPN, under the "Client Settings" button, look for the "Client Connections" section.  Under this section, select Allow Traffic To: This Gateway Only.  Also, make sure that "Set Default Route as this Gateway" is NOT selected.  This should only allow traffic to this gateway and disable any other traffic, which to my understanding is the same as disabling split tunneling.

If this works for you, you might want to try selecting "Set Default Route as this Gateway", as it may allow traffic outside of your gateway while the VPN is enabled.  Hopefully this works as well for you as it did for me, and perhaps better as I never got any traffic besides local to work.  Cheers.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 23732014
In the VPN config you have a page where you tell the Sonicwall where to obtain the IP address it hands out to the GVPN clients when they log in. It can refer to the Sonicwall's own DHCP service (but that has to be configured and running if this option is to work) or it can be the IP address of your main network DHCP server. If you use a DHCP server OTHER than the one in the Sonicwall then that's the obvious choice, but you must set it up on the DHCP over VPN config page.

0
 
LVL 3

Expert Comment

by:LawIS
ID: 23732337
Yeah, that was my first thought, but Indy states in the question that "The in house DHCP server address is entered in the VPN settings in the sonicwall."
0
 
LVL 17

Expert Comment

by:ccomley
ID: 23733313
Does the sonicwall log show anything at that point in the tunnel setup? Or does the DHCP server log?
0
 

Author Comment

by:IndyNCC
ID: 23733552
The split tunneling idea did not work, it still connects from outside but does not ever obtain an IP address.  The DHCP page has it set to obtain a DHCP address from the internal DHCP server and the internal IP of that server is entered in the box.  The LAN gateway address under another tab (I'm not looking at it right now) is all 0.0.0.0 but when Sonicwall support dialed in to look at it the other day they did not change that or say anything about it.  The logs show the outside machine connecting and even show the outside machine's name, but the IP is always 0.0.0.0 for any of them and we have tried multiple outside machines with the client configured.  Any help would be appreciated.
0
 
LVL 3

Expert Comment

by:LawIS
ID: 23733799
I would definitely put in the address of the LAN gateway, perhaps the SonicWALL tech overlooked that?  I'm out of other ideas for the moment, but if I think of anything else you'll be the first to know.
0
 

Author Comment

by:IndyNCC
ID: 23733840
Is that the same as the default gateway on the internal network?
0
 
LVL 3

Expert Comment

by:LawIS
ID: 23733877
Yes, whenever the SonicWALL device specifies LAN, it always means its local (internal) network.
0
 

Author Comment

by:IndyNCC
ID: 23733966
When I type that in a message pops up saying that "the default lan gateway is specified but the connection is not set as the default route for clients this will prevent clients from connecting on the wan port....set default route as this gateway on client page"  I am not onsite right now so I don't want to change anything that might affect their connectivity.  The set default route as this gateway is not checked on the client page under the VPN, not sure if that is the problem or not.
0
 
LVL 3

Expert Comment

by:LawIS
ID: 23734612
Yes, that is the only way I was able to get it to work.  By leaving "Set default route as this gateway" unchecked once connected your clients will not have access to the WAN, only the LAN.  Whenever I enable that connectivity my clients can no longer receive IPs, so as unfortunate as it is I leave it unchecked.

The result of this is that your VPN clients will not have internet access when connected to the VPN, only intranet access.  To access internet resources they will need to disconnect from the VPN, which will obviously make them lose their connection to intranet resources.  The way split tunneling is supposed to work the machine running your client will have access to both internet and intranet while the VPN is enabled, but I have never been able to get this to work correctly.  

This will not affect the connectivity to any other zone, such as your LAN, just the VPN connectors.  People on your LAN will not experience any difference in their network connection, so I wouldn't worry too much about making these changes remotely.  I would advise, as a general practice, to make frequent backups of your router's configuration just in case you unintentionally cause some "temporary configuration damage" :-)
0
 

Accepted Solution

by:
IndyNCC earned 0 total points
ID: 23774232
Well we got it working.  Turns out we had to download the specific Sonicwall VPN client from their website to the workstation that is going to use it, then we had to turn Routing and Remote Access on on the DHCP server on the LAN, which was harder than it should have been as every time we turned it on, the server lost connection to the internal network.  We got around that by using a second NIC in that server with a different IP for the routing and pointed the DHCP on the Sonicwall to that address so as not to mess up the rest of the machines on the LAN.  We then called Sonicwall again and they dialed in and ended up turning DHCP on the firewall on, but only for a 3 address range that was outside the DHCP scope as we only have 1 machine needing to get to the VPN.  That seemed to work and the VPN now gives an IP, though only one user can be on it at a time.  Not sure how to distribute the points here, but thanks for all the suggestions and it is up and working.
0
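
A sanity check for the address plan described in the accepted solution, as an added example that is not part of the original thread: it verifies that a small VPN lease range stays clear of the LAN DHCP scope and static hosts, and flags the failed-lease addresses reported earlier. All addresses are constructed; the function names, and the assumption that VPN clients sit on the LAN subnet, are hypothetical.

```python
import ipaddress

def _ip(a):
    return ipaddress.ip_address(a)

def check_vpn_pool(lan_cidr, scope, pool, reserved=()):
    """Return a list of problems with a VPN lease range; an empty list means OK.

    scope and pool are (first, last) address pairs, both inclusive.
    """
    lan = ipaddress.ip_network(lan_cidr)
    s_lo, s_hi = map(_ip, scope)
    p_lo, p_hi = map(_ip, pool)
    if p_lo > p_hi:
        return ["pool start is after pool end"]
    problems = []
    # Assumption: VPN clients are meant to get addresses on the LAN subnet.
    usable_lo, usable_hi = lan.network_address + 1, lan.broadcast_address - 1
    if not (usable_lo <= p_lo and p_hi <= usable_hi):
        problems.append(f"pool is not inside the usable hosts of {lan}")
    # Two inclusive ranges overlap when each starts before the other ends.
    if p_lo <= s_hi and s_lo <= p_hi:
        problems.append("pool overlaps the LAN DHCP scope")
    for addr in map(_ip, reserved):
        if p_lo <= addr <= p_hi:
            problems.append(f"pool contains static address {addr}")
    return problems

def pool_size(pool):
    """Number of addresses in an inclusive (first, last) range."""
    return int(_ip(pool[1])) - int(_ip(pool[0])) + 1

def lease_failed(client_addr):
    """True for 0.0.0.0 or a link-local 169.254.0.0/16 address.

    Assumption: the thread's "169.xxx" addresses were link-local ones.
    """
    a = _ip(client_addr)
    return a.is_unspecified or a.is_link_local

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    lan = "192.168.1.0/24"
    scope = ("192.168.1.100", "192.168.1.200")   # LAN DHCP server scope
    pool = ("192.168.1.210", "192.168.1.212")    # 3-address VPN range
    static = ["192.168.1.1", "192.168.1.10", "192.168.1.11"]
    print(check_vpn_pool(lan, scope, pool, static), pool_size(pool))
    print(lease_failed("0.0.0.0"), lease_failed("192.168.1.210"))
```
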
 
LVL 3

Expert Comment

by:LawIS
ID: 23774406
Yes, I also have never got any other VPN solution other than the SonicWALL Global VPN client to work with SonicWALL routers.  As annoying as it is, if it works why mess with it...

Glad you're up and running!
0
 

Author Comment

by:IndyNCC
ID: 23774455
Agree, they did say also though that if we had had more than 4 or 5 users trying to use this, it would not have worked that way and the solution would have been more complicated to set up and get working.  Right now the client only bought 1 VPN license with the firewall so only one user can be connected at a time.
0
