We're in the process of deploying a new SonicWALL NSA 2400 firewall. The plan right now is to use the GlobalVPN client to bring several of our remote locations online until such time as we install VPN-capable routers at those locations. Several of these locations are using Windows 2000 to run their POS software.
Before I get to what we've tried, here's a problem description:
The GlobalVPN client connects successfully to the firewall and shows a status of connected. At this time, the client computer can access network resources on our LAN, can ping hosts, and so on. After a random amount of time the client will lose access to LAN resources, but the connection status in the VPN client will still show as connected. When it loses access in this manner, the client can no longer access intranet sites, ping hosts, and so on.
On occasion this will happen immediately, or it may take some time. Restarting the connection fixes the problem, although it will just drop again at some point.
Now, onto the details of our environment:
The Sonicwall is acting as a DHCP server for the VPN clients. I've tried having it work on a static IP basis as well as a dynamic IP basis. Both types of DHCP handling exhibit the same behavior. Currently, the firewall is back to handing out static IPs (i.e. MAC-based reservations).
We do have another DHCP server on our network, but because of supposed "congestion problems" we were having, Sonicwall suggested that we reserve a block on that server, and have the Sonicwall handle its own clients.
I don't know if the DHCP has anything to do with the problem, but I'm going to continue on this line of thought for a moment because of some items in the log that I'm wondering about.
If you look at the attachment for a Windows 2000 GlobalVPN log, you'll note that the client starts ISAKMP phase 2 negotiation with 10.0.0.5, although I have no idea why. 10.0.0.5 is a web server that is not running anything like DHCP or security services, so I don't know why the client thinks it needs to go there. Note that the renewal fails. These same type of log entries appear on every Windows 2000 client.
The attachment for the Vista GlobalVPN log shows the same version of the software trying to connect. Note that the address is renewed differently, and that ISAKMP phase 2 negotiation happens on 10.0.0.0. Nowhere in the Sonicwall configuration does there appear to be any setting to note a server or address to do this authentication with; I'm assuming it should be trying to do this authentication with the firewall itself.
The DHCP lease time, by the way, is 1440 minutes.
The connection on Vista has, anecdotally, seemed to work better, although I don't have hard data on this at the present time.
We have the same problem at two different sites we've tested so far. The connections are on different ISPs with different routers, so it doesn't appear to be ISP filtering. At one location, one client may lose connectivity while another still has it.

Attachments: windows2000-log.jpg, windowsVista-log.jpg