SonicWALL Global VPN Tunnel Dies Despite Status of "Connected"

Posted on 2009-12-22
Last Modified: 2012-05-08
We're in the process of deploying a new SonicWALL NSA 2400 firewall. The plan right now is to use the globalVPN client to bring several of our remote locations online until such time as we install VPN capable routers at those locations. Several of these locations are using Windows 2000 to run their POS software.

Before I get to what we've tried, here's a problem description:

The globalVPN client connects successfully to the firewall, and shows a status of connected. At this time, the client computer can access network resources on our LAN, can ping hosts, and so on. After a random amount of time the client will lose access to LAN resources, but the connection status in the VPN client will still show as connected. When it loses access in this manner, the client can no longer access intranet sites, ping hosts, and so on.

On occasion this will happen immediately, or it may take some time. Restarting the connection fixes the problem, although it will just drop again at some point.

Now, onto the details of our environment:

The Sonicwall is acting as a DHCP server for the VPN clients. I've tried having it work on a static IP basis as well as a dynamic IP basis. Both types of DHCP handling exhibit the same behavior. Currently, the firewall is back to handing out static IPs (i.e. MAC-based reservations).

We do have another DHCP server on our network, but because of supposed "congestion problems" we were having, Sonicwall suggested that we reserve a block on that server, and have the Sonicwall handle its own clients.

I don't know if the DHCP has anything to do with the problem, but I'm going to continue on this line of thought for a moment because of some items in the log that I'm wondering about.

If you look at the attachment for a Windows 2000 GlobalVPN log, you'll note that the client starts ISAKMP phase 2 negotiation with, although I have no idea why. is a web server that is not running anything like DHCP or security services, so I don't know why the client thinks it needs to go there. Note that the renewal fails. These same types of log entries appear on every Windows 2000 client.

The attachment for the Vista GlobalVPN log shows the same version of the software trying to connect. Note that the address is renewed differently, and that ISAKMP phase 2 negotiation happens on Nowhere in the Sonicwall configuration does there appear to be any setting to note a server or address to do this authentication with; I'm assuming it should be trying to do this authentication with the firewall itself.

The DHCP lease time, btw, is 1440 minutes.

The connection on Vista has, anecdotally, seemed to work better, although I don't have hard data on this at the present time.

We have the same problem at two different sites we've tested so far. The connections are on different ISPs with different routers, so it doesn't appear to be ISP filtering. At one location, one client may lose connectivity while another still has it.
Question by:jakereinig
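The asker notes above that there is no hard data yet on when the tunnel actually goes dead relative to the 1440-minute DHCP lease. As an added example (not from the thread, not SonicWALL's code), here is a small Python probe that checks real LAN reachability through the tunnel independently of the client's "Connected" status, collapses the results into outage windows, and lines each outage up with the RFC 2131 default T1 (50%) and T2 (87.5%) renewal points of the lease. The LAN host `10.0.0.5` and port `445` are assumed placeholders, and the probe series in the `__main__` block is constructed to stand in for a real run.

```python
"""Tunnel-health probe: is the LAN reachable while the VPN client says "Connected"?

Added example, not part of the thread. Assumes a LAN host/port that a remote client
should always reach (placeholder 10.0.0.5:445) and the 1440-minute lease stated above.
"""
import socket
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

LAN_HOST, LAN_PORT = "10.0.0.5", 445      # assumed placeholder LAN target
LEASE_SECONDS = 1440 * 60                 # DHCP lease time from the thread
T1_FRACTION, T2_FRACTION = 0.5, 0.875     # RFC 2131 default renew / rebind points


@dataclass(frozen=True)
class Probe:
    t: float    # seconds since the tunnel reported "Connected"
    ok: bool    # LAN host reachable at that moment


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """One reachability check against a LAN host through the tunnel."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outage_windows(probes: Iterable[Probe]) -> List[Tuple[float, float]]:
    """Collapse a probe series into (start, end) windows where the LAN was unreachable.
    An outage still open at the last probe is closed at that probe's time."""
    windows: List[Tuple[float, float]] = []
    start: Optional[float] = None
    last_t: Optional[float] = None
    for p in probes:
        last_t = p.t
        if not p.ok and start is None:
            start = p.t
        elif p.ok and start is not None:
            windows.append((start, p.t))
            start = None
    if start is not None and last_t is not None:
        windows.append((start, last_t))
    return windows


def nearest_renewal_event(t: float, lease: float = LEASE_SECONDS,
                          tolerance: float = 300.0) -> Optional[str]:
    """Name the DHCP event (T1 renew, T2 rebind, expiry) within `tolerance` seconds
    of time t, looking across neighbouring lease periods; None if nothing is close."""
    events = {"T1": T1_FRACTION * lease, "T2": T2_FRACTION * lease, "expiry": lease}
    cycle = t // lease                     # index of the lease period containing t
    best: Optional[Tuple[float, str]] = None
    for name, offset in events.items():
        for k in (cycle - 1, cycle, cycle + 1):
            if k < 0:
                continue
            distance = abs(t - (k * lease + offset))
            if distance <= tolerance and (best is None or distance < best[0]):
                best = (distance, name)
    return best[1] if best else None


def correlate(probes: Iterable[Probe], lease: float = LEASE_SECONDS,
              tolerance: float = 300.0) -> List[Tuple[float, float, Optional[str]]]:
    """For each outage, report whether its onset lines up with a DHCP renewal event."""
    return [(start, end, nearest_renewal_event(start, lease, tolerance))
            for start, end in outage_windows(probes)]


def monitor(host: str, port: int, interval: float = 30.0,
            duration: Optional[float] = None,
            probe: Callable[[str, int], bool] = tcp_reachable) -> List[Probe]:
    """Collect probes against the LAN host; stops after `duration` seconds or Ctrl-C."""
    t0 = time.monotonic()
    probes: List[Probe] = []
    try:
        while duration is None or time.monotonic() - t0 < duration:
            probes.append(Probe(time.monotonic() - t0, probe(host, port)))
            time.sleep(interval)
    except KeyboardInterrupt:
        pass
    return probes


if __name__ == "__main__":
    # Live use would be: probes = monitor(LAN_HOST, LAN_PORT, interval=30.0, duration=3600)
    # Constructed series instead: LAN fine for 12 hours, then unreachable for 5 minutes
    # starting exactly at T1 (720 min) while the client would still show "Connected".
    sample = [Probe(t, ok=not (43200 <= t < 43500)) for t in range(0, 50400, 60)]
    for start, end, event in correlate(sample):
        print(f"LAN unreachable {start / 60:.0f}-{end / 60:.0f} min after connect; "
              f"DHCP event nearby: {event}")
```

Run it on a remote client for a full lease period and look at the `correlate` output: outages that repeatedly land on T1 or T2 support the DHCP-renewal theory, while outages with no nearby event point elsewhere (ISP NAT timeouts, missing keep-alives).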

Expert Comment

ID: 26131659
Hi, I take it that your remote sites are on different networks, i.e. different subnets, not all on a default, for example class C 192.168.0.x? This would cause problems if you're using NAT at head office. Just a starter. We've experienced similar problems in the past (not the network numbering, but your problem or client drop-out). We found that enabling keep-alives on the SonicWALL's GVPN policy worked. Also the connection timeout may need to be tweaked.

This may not work, but it's a start.

Author Comment

ID: 26140590
Thank you for the reply. After extensive testing, the problem is almost certainly related to DHCP. When I manually set an IP address in the SonicWALL virtual adapter on the remote clients, the problem goes away. I've looked around for settings related to keep-alives and whatnot, but nothing immediately relevant is standing out to me.

Expert Comment

ID: 26169627
Can you make sure that while running the VPN Wizard you had selected "Configure Virtual IP Adapter"? If not, please do so, reimport the policy on the client and check for results.

Thank you.
Author Comment

ID: 26203095
Hi dpk_wal: we're not importing any policies into the clients. The setting to "use virtual IP adapter" during the wizard setup just seems to create a DHCP range, which we already have.

Additionally, while static IP addressing prevents the connection from dropping once a connection has been established, there's a new problem: frequently, while the connection establishes, from the very beginning we will not have access to any network resources. The previous problem was that we were able to connect and the connection would die; the new problem is that we frequently have a dead connection from the beginning (but once the connection is good it stays good).

Expert Comment

ID: 26208253
Is the IP subnet on the network behind the SonicWALL the same as that of the remote machine? I am not sure why this is happening.

Can you make sure that on the SonicWALL you do not have any conflicting virtual IP address or network address which is causing such behavior? Also, which version of the software are you running?

Please update.

Thank you.


Accepted Solution

ID: 26383295
Hey guys-

Sorry for the slow reply. The IP scheme in the stores is, whereas HQ is on

The SonicWall techs have suggested that it may be due to some as yet unspecified DHCP congestion amongst various DHCP servers. I personally don't think that's the problem, as the Sonicwall shouldn't be forwarding any requests anywhere else.

In any event, I won't be able to do any more testing on this until March unfortunately, so I'm going to close this for now. We're in the middle of a major rollout with other software, so I'll need to put this to bed for the time being. Thanks for the help.
