Solved

Cannot connect to SQL running on a VPN client, Watchguard 1250e and Watchguard VPN Client

Posted on 2009-04-03
Last Modified: 2013-11-16
We have a client VPN server that simply runs Win XP Pro, all updates. On this server is a master SQL DB that our program accesses. The program is installed on 15 to 20 computers in this customer's office. The reason we have a VPN client installed on this server is because we use SQL replication to update that DB with ours. This all works fine, and the VPN seems to work perfectly. The problem is when we turn on the VPN the customer's computers can no longer access the SQL DB on our server. Shut it off and everything works fine, but we lose our connection for replication. I have verified the packets are simply being ignored when the VPN is turned on. Packets leave the customer's workstations and never get a reply. On the server there are no incoming packets from that workstation. I used Wireshark to watch the packet traffic. UDP port 1434 is open on the server with and without the VPN being on. I have been on the phone with Watchguard to their engineers and so far no one has come up with a solution.

Help?!
Question by:Codeonesysadmin
13 Comments
 
LVL 32

Expert Comment

by:dpk_wal
I think there is a zero route tunnel (0.0.0.0/0) [configured with option "Force all traffic through tunnel"] and not split tunneling implemented; as a result the machine loses all local network connectivity.

Can you elaborate on the type of VPN configured (IPSec/PPTP)?

Please provide details.

Thank you.
 

Author Comment

by:Codeonesysadmin
This is the first thing everyone suggests. We do not force all traffic through the tunnel. IPSec is the configuration we are trying to use. There is no 0.0.0.0/24 in the routes. Good first guess.
 

Author Comment

by:Codeonesysadmin
Also let me add that the server and workstation can still browse each other, shares and all. We remote desktop to each just fine with and without the VPN being turned on. So far it seems only SQL Server is affected on port 1434.
 
LVL 32

Expert Comment

by:dpk_wal
Just to clarify, as I understand it:
WG X1250e is acting as VPN server [let's call it network A]; the MUVPN client is installed on the XP Pro machine which is hosting the DB server [let's call it network B].
Before MUVPN is turned on, other machines on network B can access the DB server on the XP machine; after the VPN is enabled, the local machines on network B cannot access the DB on the XP machine.
At the same time, with the VPN enabled, can other machines on network B RDP to the XP machine, or ping it, or send any traffic?
Also, from network A after the VPN is established, you can access the XP machine from all the machines: can ping/RDP or sync DB.

If such is the case, can you check the routing table before and after VPN establishment; do you see any changes in the routing table? Use command: route print [from command prompt].
Also, what is the IP subnet on network A and network B?

Please provide details.

Thank you.
 

Author Comment

by:Codeonesysadmin
Your understanding is correct; to clarify the points in question: when the VPN is enabled (turned on and connected), computers in network B can access the DB server by means of pings, Remote Desktop, browsing Network Neighborhood, etc. From network A, when the VPN is enabled we can ping, remote desktop, and browse the server. Subnet A is 192.168.207.0. Subnet B is on the 192.0.0.0. I've attached a screenshot of the route prints. The first or top run of the route print is with the VPN on; the bottom half is without the VPN connection.
 

Author Comment

by:Codeonesysadmin
Screenshot, sorry it didn't attach to the previous comment:
Route-Prints.bmp

 
LVL 32

Expert Comment

by:dpk_wal
Everything looks good; so when the VPN is connected only the DB does not work. Can you run a sniffer (like Wireshark) on the XP machine and sniff for packets on the DB port/protocol from one specific client, with the VPN connected and not connected?
This would give a clear picture as to the difference between the two cases.

I was earlier thinking of this as a routing problem, but now it looks more like an application/system issue.

Please mask two octets of all public IP address and MAC addresses, if you post anything on this thread.

Please check and update.

Thank you.
 

Author Comment

by:Codeonesysadmin
I've sniffed for packets on the DB server; the odd thing is nothing ever shows up when the VPN is on. I have specified IP, ports, and protocols, and nothing ever appears to come through as expected. By this I mean specifically from the workstation trying to access SQL. Ports 1434 (UDP), 1028 (TCP), and 135 (TCP) are usually used when a SQL call is made. Other traffic is clearly visible. Turn off the VPN and these ports come alive and SQL works fine. It seems the traffic is being ignored, or being thrown into the tunnel with no place to go? I've run Wireshark on both the virtual adapter and the hardware adapter and still never see the traffic. I did get an update from Watchguard that they are handing the case off to NCP-Client for a possible bug fix. They will need to replicate the issue. I have replicated it twice now with different remote servers.
 

Author Comment

by:Codeonesysadmin
As I have been under extreme pressure to get a resolution to this issue, I tried an SSL VPN to this box. Everything works perfectly all around. The problem is now we will have to upgrade our Firebox to get more SSL licenses unless I can figure out the IPSec Mobile VPN problems. An odd FYI to this story.
 
LVL 32

Expert Comment

by:dpk_wal
One last thing: can you check the IP address on which the XP machine listens for requests before and after the VPN connection? netstat -na; netstat -a; netstat -nb [from command prompt]
If the IP address on which the server listens changes, then this might explain why the packet is not seen by the sniffer.

I am running out of ideas as to the root cause of problem! :(

No need to send the output; please update on the result.

Thank you.
 

Author Comment

by:Codeonesysadmin
Ports that disappear from no VPN to the VPN being turned on are:

1807, 1824  sqlserv.exe
1810 TCP
4102 netbios-ssn
1825 TCP emap

I believe SQL Server and the SQL Browser service broadcast their existence on port 1824. This allows you to browse to the SQL database rather than having to know the connection string. Our program is configured to know the connection string.
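The check the expert asked for above (compare where the XP machine listens before and after the VPN connects) and the port list the asker reported can be worked through with a small diff of two `netstat -na` captures. This is an added example, not code from the thread; both captures below are constructed to mimic the reported symptom (the SQL listeners vanish, and one port re-binds to a made-up VPN virtual-adapter address 10.8.0.5), not the poster's real output.

```python
import re
from typing import Dict, Set, Tuple

# Constructed `netstat -na` capture: XP host on network B, VPN client off.
NETSTAT_NO_VPN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1810           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1824           0.0.0.0:0              LISTENING
  TCP    192.0.0.10:3389        192.0.0.25:1522        ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    192.0.0.10:137         *:*
"""
# Constructed capture of the same host with the IPSec client connected.
NETSTAT_VPN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.0.10:3389        192.0.0.25:1522        ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    10.8.0.5:137           *:*
"""

Listener = Tuple[str, str, int]  # (proto, local address, port)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listeners(netstat_output: str) -> Set[Listener]:
    """TCP sockets in LISTENING state plus every UDP socket (UDP has no state)."""
    found: Set[Listener] = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header and blank lines
        proto, addr, port, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not servers
        found.add((proto, addr, int(port)))
    return found


def diff_listeners(before: str, after: str) -> Dict[str, set]:
    """Sockets that vanished or appeared, and ports that only changed address."""
    b, a = listeners(before), listeners(after)
    gone, new = b - a, a - b
    # A port in both sets did not disappear; it re-bound to another local IP,
    # which is exactly the case the expert suggested checking for.
    rebound = {(p, port) for p, _, port in gone} & {(p, port) for p, _, port in new}
    return {"gone": gone, "new": new, "rebound": rebound}
```

Run `diff_listeners(NETSTAT_NO_VPN, NETSTAT_VPN)` on real captures pasted in place of the constructed ones; a port in "rebound" points at a binding change rather than a dead service.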
 
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
In this case I am clueless as to what the issue is; sorry I was not of much help.
 

Author Comment

by:Codeonesysadmin
Thanks for the effort. Seems we are stuck and Watchguard is stuck as well. We are probably going to use the SSL VPN until a bug fix is released. Thanks again for the help!
