Solved

Cannot connect to SQL running on a VPN Client, Watchguard 1250e and Watchguard VPN Client

Posted on 2009-04-03
Last Modified: 2013-11-16
We have a client VPN server that simply runs Win XP pro, all updates.  On this server is a master SQL DB that our program accesses.  The program is installed on 15 to 20 computers in this customer's office.  The reason we have a VPN client installed on this server is because we use SQL replication to update that DB with ours.  This all works fine, and the VPN seems to work perfectly.  The problem is when we turn on the VPN the customer's computer can no longer access the SQL DB on our Server.  Shut it off and everything works fine, but we lose our connection for replication.  I have verified the packets are simply being ignored when the VPN is turned on.  Packets leave the customer's workstations and never get a reply.  On the server there are no incoming packets from that workstation.  I used WireShark to watch the packet traffic.  UDP Port 1434 is open on the server with and without the VPN being on.  I have been on the phone with Watchguard to their engineers and so far no one has come up with a solution.

Help?!
Question by:Codeonesysadmin
13 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24065993
I think there is a zero route tunnel (0.0.0.0/0) [configured with option "Force all traffic through tunnel"] and split tunneling is not implemented; as a result, the machine loses all local network connectivity.

Can you elaborate on the type of VPN configured (IPSec/PPTP)?

Please provide details.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24068366
This is the first thing everyone suggests.  We do not force all traffic through tunnel.  IPSEC is the configuration we are trying to use.  There is no 0.0.0.0/24 in the routes.  Good first guess.
0
 

Author Comment

by:Codeonesysadmin
ID: 24068378
Also let me add that the server and workstation can still browse each other, shares and all.  We Remote desktop to each just fine with and without the VPN being turned on.  So far it seems only SQL Server is affected on port 1434.
0

 
LVL 32

Expert Comment

by:dpk_wal
ID: 24072040
Just to clarify as I understand:
WG X1250e is acting as VPN server [let's call it network A]; MUVPN client is installed on XP Pro machine which is hosting DB server [let's call it network B].
Before MUVPN is turned on, on network B other machines can access the DB server on XP machine; after VPN is enabled, the local machines on network B cannot access DB on XP machine.
At the same time with VPN enabled, can other machines on network B RDP to XP machine, or ping it or send any traffic?
Also, from network A after VPN is established, you can access XP machines from all the machines. Can ping/RDP or sync DB.

If such is the case, can you check the routing table before and after VPN establishment? Do you see any changes in the routing table? Use command: route print [from command prompt].
Also, what is the IP subnet on network A and network B?

Please provide details.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24079265
Your understanding is correct, to clarify points in question.  When VPN is enabled (Turned on and connected) Computers in Network B can access the DB server by means of pings, Remote desktop, browsing network neighborhood etc.  From Network A, when VPN is enabled we can ping, remote desktop, and browse the server.  Subnet A is 192.168.207.0  Subnet B is on the 192.0.0.0.  I've attached a Screen shot of the route prints.  The first or top run of the route print is with VPN On; the bottom half is without the VPN connection.
0
 

Author Comment

by:Codeonesysadmin
ID: 24079275
Screen shot, sorry it didn't attach to previous comment
Route-Prints.bmp
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24084284
Everything looks good; so when VPN is connected only DB does not work; can you run a sniffer (like wireshark) and sniff for packets on the XP machine for DB port/protocol from one specific client with VPN connected and not connected?
This would give a clear picture as to the difference between the two cases.

I was earlier thinking of this as a routing problem; but now it looks more like an application/system issue.

Please mask two octets of all public IP addresses and MAC addresses, if you post anything on this thread.

Please check and update.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24086880
I've sniffed for packets on the DB server, the odd thing is nothing ever shows up when the VPN is on.  I have specified IP, Ports, and protocols, and nothing ever appears to come through as expected.  By this I mean specifically from the workstation trying to access SQL.  Ports 1434 (UDP), 1028 (TCP), and 135 (TCP) are usually used when a SQL call is made. Other traffic is clearly visible.  Turn off the VPN and these ports come alive and SQL works fine.  It seems the traffic is being ignored, or being thrown into the tunnel with no place to go?  I've run the WireShark on both the virtual adapter and the hardware adapter and still never see the traffic.  I did get an update from Watchguard that they are handing the case off to NCP-Client for a possible Bug Fix.  They will need to replicate the issue.  I have replicated it twice now with different remote servers.
0
 

Author Comment

by:Codeonesysadmin
ID: 24086931
As I have been under extreme pressure to get a resolution to this issue, I tried an SSL VPN to this box.  Everything works perfectly all around.  The problem is now we will have to upgrade our Firebox to get more SSL Licenses unless I can figure out the IPSEC Mobile VPN problems.  An odd FYI to this story.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24087406
One last thing, can you check the IP address at which the XP machine listens for requests before and after VPN connection: netstat -na; netstat -a; netstat -nb [from command prompt].
If the IP address at which the server listens changes, then this might explain why the packet is not seen by the sniffer.

I am running out of ideas as to the root cause of problem! :(

Need not send the output; please update on the result.

Thank you.
0
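The before/after listener comparison suggested in the comment above, as an added example that is not part of the original thread: it parses two saved `netstat -na` captures (Windows column layout) and reports listeners that disappeared, appeared, or changed bind address. The sample captures, addresses and ports are constructed, and `listeners` and `compare` are hypothetical names.

```python
# Added example: diff listening sockets in two saved `netstat -na` captures.
# Sample captures below are constructed, not taken from the thread.

BEFORE_VPN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2301           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3389          10.0.0.23:50112        ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

AFTER_VPN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING
  TCP    172.16.9.2:139         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:4500           *:*
"""


def listeners(netstat_text):
    """Map (proto, port) -> set of local addresses for listening/bound sockets."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, process names from `netstat -nb`
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        addr, _, port = fields[1].rpartition(":")
        if port.isdigit():  # skip service names printed when -n is omitted
            found.setdefault((fields[0], int(port)), set()).add(addr)
    return found


def compare(before_text, after_text):
    """Return (gone, new, rebound): lost ports, added ports, changed bind addresses."""
    before, after = listeners(before_text), listeners(after_text)
    gone = sorted(set(before) - set(after))
    new = sorted(set(after) - set(before))
    rebound = {key: (sorted(before[key]), sorted(after[key]))
               for key in before.keys() & after.keys() if before[key] != after[key]}
    return gone, new, rebound


if __name__ == "__main__":
    for label, value in zip(("gone", "new", "rebound"), compare(BEFORE_VPN, AFTER_VPN)):
        print(label, value)
```

To use it on real data, save `netstat -na` output to a file once with the VPN off and once with it on, and pass the two file contents to `compare`.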
 

Author Comment

by:Codeonesysadmin
ID: 24089857
Ports that disappear from No VPN to VPN being turned on are:

1807, 1824  sqlserv.exe
1810 TCP
4102 netbios-ssn
1825 TCP emap

I believe sql server and sql browser service broadcast their existence on port 1824.  This allows you to browse to the SQL database rather than have to know the connection string.  Our program is configured to know the connection string.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 24090323
In this case I am clueless as to what the issue is; sorry I was not of much help.
0
 

Author Comment

by:Codeonesysadmin
ID: 24090563
Thanks for the effort.  Seems we are stuck and Watchguard is stuck as well.  We are probably going to use the SSL VPN until a bug fix is released.  Thanks again for the help!
0


Question has a verified solution.