mschi6317
asked on
SonicWall Global VPN Client - issues connecting to LAN resources
I recently started using a SonicWall NSA2400 and have enabled VPN, connecting users with SonicWall's GVC. Users are able to successfully create the tunnel and ping addresses on the LAN. When they try to access local resources, either mapped or using \\LAN_Resource\sharename, users are either prompted for a username and password or the LAN resource cannot be located. However, if I attempt to access the LAN resource by \\IPADDRESS\sharename, resolution works. Further, when attempting to start Outlook, the user is also prompted for U/N and P/W. In some cases the username and password are denied. Checking the logs, the following errors are present:
Source: LSASRV Category: SPENGO (Negotiator) Event ID: 40961 Description: The Security System could not establish a secured connection with the server cifs/192.168.0.17. No authentication protocol was available.
Source: LSASRV Category: SPENGO (Negotiator) Event ID: 40960 Description: The Security System detected an attempted downgrade attack for server cifs/192.168.0.17. The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
You could try to enable NetBIOS over the VPN and see if that makes a difference.
ASKER
Yes, I already thought of that and it's enabled.
Running the latest firmware/VPN client versions?
ASKER
Yes, in fact I just updated the firmware this afternoon.
Please try the 'IP Helper' (under the Network tab). Enable the IP helper, and also enable 'Netbios'.
iphelper.png
ASKER
I have enabled this feature and will begin testing.
ASKER
Caskrist, to the best of your knowledge would it make any difference if I changed the properties of the GVC network adapter? Image included....
ip-helper.docx
I have never done such a thing. You can also check the settings of your WAN Group VPN if Netbios is enabled. (I'm not sure if you have checked that yet).
WANVPN.png
ASKER
Yes, I already have this setting selected. So now I have both IP helper and the NetBIOS settings enabled. My affected user is still experiencing the same issue.
Is this only occurring with one user, or all the users?
Does the user get his ip address via DHCP, and if so, what is the DHCP server? (server or sonicwall)
When you look at the output of ipconfig /all on the affected PC, are the WINS and DNS servers OK?
By the way, the SSLVPN function is cool too, especially with the 5.6 firmware. You can use NetExtender to create a GVC-like VPN connection. But that is a whole other issue.
ASKER
The IP address is issued by the DHCP server on the SonicWall. I set up a range of addresses outside of my subnet. The WINS and DNS servers are OK.
You should be able to use addresses from within your subnet (most of the time I do); see if this helps. I believe NetBIOS cannot be routed, not sure though.
Create a small range (which has been excluded on your server's DHCP services) and apply that one to the Sonicwall DHCP server.
ASKER
I created the VPN address group because IP addresses that were already in use on my local subnet were being issued to the incoming VPN connections. Further, I'd rather have a separate range for machines connecting from outside the firewall. I contacted SonicWall this afternoon and was able to speak to someone from North America, although still not 100% helpful. They suggested making the changes I mentioned to the NIC and also configuring LDAP under user settings. I am going to try this next.
OK, let us know please.
ASKER
I tried configuring LDAP as per the documentation provided by SonicWall, but I still cannot get the SonicWall to communicate with the LDAP server. The LDAP configuration is presenting a whole set of issues which I am currently trying to address. For instance, using ldp.exe I am able to connect on 389 but not on 636 as suggested by SonicWall in the config docs.