Solved

SonicWall Global VPN Client - issues connecting to LAN resources

Posted on 2010-04-01
Last Modified: 2013-11-30
I recently started using a SonicWall NSA2400 and have enabled VPN, connecting users with SonicWall's GVC. Users are able to successfully create the tunnel and ping addresses on the LAN. When trying to access local resources, either mapped or using \\LAN_Resource\sharename, users are either prompted for a username and password or the LAN resource cannot be located. However, if I attempt to access the LAN resource by \\IPADDRESS\sharename, resolution works. Further, when attempting to start Outlook, the user is also prompted for U/N and P/W. In some cases the username and password are denied. Checking the logs, the following errors are present:
Source: LSASRV Category: SPNEGO (Negotiator) Event ID: 40961 Description: The Security System could not establish a secured connection with the server cifs/192.168.0.17.  No authentication protocol was available.
Source: LSASRV Category: SPNEGO (Negotiator) Event ID: 40960 Description: The Security System detected an attempted downgrade attack for server cifs/192.168.0.17.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
Question by:mschi6317
17 Comments
 
LVL 5

Expert Comment

by:fbcbloodcenter
ID: 29378988
You could try to enable NetBIOS over the VPN and see if that makes a difference.
0
 

Author Comment

by:mschi6317
ID: 29379451
Yes, I already thought of that and it's enabled.
0
 
LVL 5

Expert Comment

by:fbcbloodcenter
ID: 29379816
Running latest firmware/VPN client versions?
0
 

Author Comment

by:mschi6317
ID: 29383254
Yes, in fact I just updated the firmware this afternoon.
0
 
LVL 6

Expert Comment

by:Cas Krist
ID: 29437056
Please try the 'IP Helper' (under the Network tab). Enable the IP helper, and also enable 'NetBIOS'.
iphelper.png
0
 

Author Comment

by:mschi6317
ID: 30817278
I have enabled this feature and will begin testing.
0
 

Author Comment

by:mschi6317
ID: 30818181
Caskrist, to the best of your knowledge would it make any difference if I changed the properties of the GVC network adapter?  Image included....


ip-helper.docx
0
 
LVL 6

Expert Comment

by:Cas Krist
ID: 30849731
I have never done such a thing. You can also check the settings of your WAN Group VPN to see if NetBIOS is enabled. (I'm not sure if you have checked that yet.)
WANVPN.png
0
 

Author Comment

by:mschi6317
ID: 30924244
Yes, I already have this setting selected.  So now I have both IP helper and the NetBIOS settings enabled.  My affected user is still experiencing the same issue.
0
 
LVL 6

Expert Comment

by:Cas Krist
ID: 30926639
Is this only occurring with one user, or all the users?
Does the user get his IP address via DHCP, and if so, what is the DHCP server? (server or SonicWall)
When you look at the output of ipconfig /all on the affected PC, are the WINS and DNS servers OK?
0
 
LVL 6

Expert Comment

by:Cas Krist
ID: 30926873
By the way, the SSLVPN function is cool too, especially with the 5.6 firmware. You can use the NetExtender to create a GVC-like VPN connection. But that is a whole other issue.
0
 

Author Comment

by:mschi6317
ID: 30952182
The IP address is issued by the DHCP server on the SonicWall.  I set up a range of addresses outside of my subnet.  The WINS and DNS servers are OK.
0
 
LVL 6

Expert Comment

by:Cas Krist
ID: 30996757
You should be able to use addresses from within your subnet (most of the time I do); see if this helps. I believe NetBIOS cannot be routed, not sure though.
Create a small range (which has been excluded on your server's DHCP services) and apply that one to the SonicWall DHCP server.
0
 

Author Comment

by:mschi6317
ID: 31220994
I created the VPN address group because IP addresses that were already in use on my local subnet were being issued to the incoming VPN connections.  Further, I'd rather have a separate range for machines connecting from outside the firewall.  I contacted SonicWall this afternoon and was able to speak to someone from North America, although still not 100% helpful.  They suggested making the changes I mentioned to the NIC and also configuring LDAP under user settings.  I am going to try this next.
0
 
LVL 6

Expert Comment

by:Cas Krist
ID: 31254416
OK, let us know please.
0
 

Author Comment

by:mschi6317
ID: 31377676
I tried configuring LDAP as per the documentation provided by SonicWall, but I still cannot get the SonicWall to communicate with the LDAP server.  The LDAP configuration is presenting a whole set of issues which I am trying to address currently.  For instance, using ldp.exe I am able to connect on 389 but not on 636 as suggested by SonicWall in the config docs.
0
 

Accepted Solution

by:mschi6317
ID: 31385920
I was able to get this to work by changing the LDAP settings on the SonicWall firewall to use port 389 and turn off SSL, which isn't the way it will stay, but I am able to access MS AD now whereas before I was not.  So technically it is working, but I have a little more to do on my end on the DC to make LDAP more secure and use port 636.  Issue solved.
0
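A check for the step the accepted solution leaves open (moving the firewall's LDAP connection from 389 back to 636), as an added example that is not part of the original thread: it tests whether the domain controller answers on 389 and whether it completes a certificate-validated TLS handshake on 636. The server name `dc01.example.local` and the function names are hypothetical.

```powershell
# Added example: check whether a domain controller is ready for LDAPS (TCP 636).
# Use the DC's FQDN: certificate name validation uses the name you connect with.
$Server = 'dc01.example.local'   # hypothetical placeholder

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($HostName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false            # refused, unreachable or name not resolved
    } finally {
        $client.Close()
    }
}

function Test-Ldaps {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default validation only: the chain must build to a trusted root and
        # the certificate must match $HostName. No accept-all callback.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Trusted  = $true
            Protocol = $ssl.SslProtocol
            Subject  = $cert.Subject
            Expires  = $cert.NotAfter
        }
    } catch {
        [pscustomobject]@{ Trusted = $false; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

$plain = Test-TcpPort -HostName $Server -Port 389
$tls   = Test-Ldaps   -HostName $Server
"LDAP  389 reachable : $plain"
"LDAPS 636 trusted   : $($tls.Trusted)"
$tls | Format-List
if ($plain -and -not $tls.Trusted) {
    'A simple bind on 389 without TLS sends the bind password in cleartext; fix the DC certificate, then move the firewall back to 636.'
}
```

Run it from a machine that trusts the same certificate authority the firewall will be configured to trust, since a handshake that validates on a domain-joined PC can still fail on a device that lacks the issuing CA certificate.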