?
Solved

Cannot connect to SQL running on a VPN Client, watchguard 1250e and Watchguard VPN CLient

Posted on 2009-04-03
13
Medium Priority
?
881 Views
Last Modified: 2013-11-16
We have a client VPN server that simply runs Win XP pro, all updates.  On this server is a master SQL DB that our program accesses.  The program is installed on 15 to 20 computers in this customers office.  The reason we have a VPN client installed on this server is because we use SQL replication to update that DB with ours.  This all works fine, and the VPN seems to work perfectly.  The problem is when we turn on the VPN the customer's computer can no longer access the SQL DB on our Server.  Shut it off and everything works fine, but we lose our connection for replication.  I have verified the packets are simply being ignored when the VPN is turned on.  Packets leave the customers workstations and never get a reply.  On the server there is no incoming packets from that workstation.  I used WireShark to watch the packet traffic.  UDP Port 1434 is open on the server with and without the VPN being on.  I have been on the phone with Watcguard to their engineers and so far no-one has come up with a solution.  

Help?!
0
Comment
Question by:Codeonesysadmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 5
13 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24065993
I think there is a zero route tunnel (0.0.0.0/0) [configured with option "Force all traffic through tunnel"] and not split tunneling implemented as a result the machine loses all local network connectivity.

Can you elaborate on the type of VPN configured (IPSec/PPTP).

Please provide details.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24068366
This is the first thing everyone suggests.  we do not force all traffic through tunnel.  IPSEC is the configuration we are trying to use.  there is no 0.0.0.0/24 in the routes.  Good first guess.
0
 

Author Comment

by:Codeonesysadmin
ID: 24068378
Also let me add that the server and workstation can still browse each other, shares and all.  We Remote desktop to each just fine with and without the VPN being turned on.  So far it seems only SQL Server is effected on port 1434.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 32

Expert Comment

by:dpk_wal
ID: 24072040
Just to clarify as I understand:
WG X1250e is acting as VPN server [lets call it network A]; MUVPN client is installed on XP Pro machine which is hosting DB server [lets call it network B].
Before MUVPN is turned on, on network B other machines can access the DB server on XP machine, after VPN is enabled then the local machines on network B cannot access DB on XP machine.
At the same time with VPN enabled, can other machines on network B RDP to XP machine, or ping it or send any traffic.
Also, from network A after VPN is established, you can access XP machines from all the machines. Can ping/RDP or sync DB.

If such is the case, can you check the routing table before and after VPN establishment; do you see any changes in routing table, use command: route print [from command prompt].
Also, what is the IP subnet on network A and network B.

Please provide details.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24079265
Your understanding is correct, to clarify point sin question.  When VPN is enabled (Turned on and connected) Computers in Network B can access the DB server by means of pings, Remote desktop, browsing network neighborhood etc.  From Network A, when VPN is enabled we can ping, remote desktop, and browse the server.  Subnet A is 192.168.207.0  Subnet B is on the 192.0.0.0.  I've attached a Screen shot of the route prints.  The first or top run of the route print is with VPN On the bottom half is without the VPN connection.
0
 

Author Comment

by:Codeonesysadmin
ID: 24079275
Screen shot, sorry it didn't attach to previous comment
Route-Prints.bmp
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24084284
Everything looks good; so when VPN is connected only DB does not work; can you run sniffer (like wireshark) and sniff for packets on the XP machine for DB port/protocol from one specific client with VPN connected and not connected.
This would give a clear picture as to the difference between the two cases.

I was earlier thinking this of as routing problem; but now it looks more of application/system issue.

Please mask two octets of all public IP address and MAC addresses, if you post anything on this thread.

Please check and update.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24086880
I've sniffed for packets on the DB server, the odd thing is nothing ever shows up when the VPN is on.  I have specified, IP, Ports, and protocols, and nothing ever appears to come through as expected.  By this I mean specifically from the workstation trying to access SQL.  Ports 1434 (UDP), 1028 (TCP), and 135(TCP) are usually used when a SQL call is made. Other traffic is clearly visible.  Turn off the VPN and these ports come alive and SQL works fine.  It's seems the traffic is being ignored, or being thrown into the tunnel with no place to go?  I've run the WireShark on both the virtual adapter and the hardware adapter and still never see the traffic.  I did get an update from Watchguard that they are handing the case off to NCP-Client for a possible Bug Fix.  They will need to replicate the issue.  I have replicated it twice now with different remote servers.
0
 

Author Comment

by:Codeonesysadmin
ID: 24086931
As I have been under extreme pressure to get a resolve to this issue, I tried a SSL VPN to this box.  Everything works perfectly all around.  The problem is now we will have to upgrade our Firebox to get more SSL Licenses unless I can figure out the IPSEC Mobile VPN problems.  an odd FYI to this story.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24087406
One last thing, can you check the IP address at which the XP machine listens for request before and after VPN connection; netstat -na; netstat -a; netstat -nb [from command prompt]
If the IP address at which the server listens changes, then this might explain as to why the packet is not seen by sniffer.

I am running out of ideas as to the root cause of problem! :(

Need not send the output; please update on the result.

Thank you.
0
 

Author Comment

by:Codeonesysadmin
ID: 24089857
Ports that disappear from No VPN to VPN being turned on are:

1807, 1824  sqlserv.exe
1810 TCP
4102 netbios-ssn
1825 TCP emap

I believe sql server and sql browser service broadcast their existence on port 1824.  This allows you to browse to the SQL database rather than have to know the connection string.  Our program is configured to know the connection string.
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 24090323
In this case I am clueless as what the issue is; sorry I was not of much help.
0
 

Author Comment

by:Codeonesysadmin
ID: 24090563
Thanks for the effort.  Seems we are stuck and Watchguard is stuck as well.  We are probably going to use the SSL VPN until a bug fix is released.  Thanks again for the help!
0

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Mark Wills Attending one of Rob Farley's seminars the other day, I heard the phrase "The Accidental DBA" and fell in love with it. It got me thinking about the plight of the newcomer to SQL Server...  So if you are the accidental DBA, or, simp…
Use this article to create a batch file to backup a Microsoft SQL Server database to a Windows folder.  The folder can be on the local hard drive or on a network share.  This batch file will query the SQL server to get the current date & time and wi…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question