Solved

Cannot Connect to Exchange via SonicWall Site-to-Site VPN

Posted on 2010-11-16
Last Modified: 2012-06-27
I am setting up a Site-to-Site VPN between two SonicWall appliances and have hit a minor roadblock. The main SonicWall is an NSA 2400 and is located at our corporate office with a static public IP. The remote SonicWall is a TZ 100 and is located in a branch office with a dynamic public IP. Both devices have been configured in Aggressive Mode.

Here is a summary of the configurations:

Corporate Office NSA 2400
Public IP: 1.2.3.4
Lan IP: 10.10.1.1/24
Our Exchange Server is 10.10.1.2

Branch Office TZ 100
Public IP: Dynamic
Lan IP: 10.10.3.1/24

I have configured the Corporate SonicWall with an Address Object for the Branch Office and vice versa for the Branch SonicWall. I have also made sure the VPN Policies have the correct Device IDs.

The VPN Tunnel shows that it is established on both SonicWalls and I am able to ping any of the corporate computers from the Branch Office using the IP addresses. However, I am unable to ping any of the Corporate computers from the Branch Office using the computer names, and I cannot ping any of the computers in the Branch Office from the Corporate Office. So basically I have one-way connectivity. I think this is the reason why I am unable to connect to Exchange from the Branch Office.

Any clues as to why I cannot ping from the Corporate Office or connect to Exchange?

Thank you in advance!
Question by:circuits2
19 Comments
 

Author Comment

by:circuits2
ID: 34152650
Sorry, forgot to mention that both SonicWall devices are running the latest Sonic EnhancedOS.
 
LVL 33

Expert Comment

by:digitap
ID: 34152652
Check your firewall rules VPN to LAN on both ends. If you had any misconfiguration on the SAs on either end then the tunnel would not come up. The other thought I have is if you perhaps have a rogue route on the 2400 that's preventing the traffic from traversing the VPN.
 

Author Comment

by:circuits2
ID: 34152719
Thanks for your response digitap!

I checked both devices and there is an entry to allow all traffic from VPN-LAN, LAN-VPN, and VPN-VPN.

One other odd thing that I just found out is that I can ping the LAN address of the Branch Office from the Corporate Office, but still cannot ping any other LAN addresses in the Branch Office.
 
LVL 6

Expert Comment

by:ahdfx
ID: 34152760
Remember when pinging by computer names that you need to use the FQDN unless you have allowed NetBIOS translations over the VPN.

Also, can you clarify what you can ping via IP address?

As far as pinging the computers in the branch office, is the computer firewall active?

I would focus on getting the Branch Office to be able to ping the Exchange server first.
 

Author Comment

by:circuits2
ID: 34152796
Thank you for the response ahdfx!

If I ping from the Branch Office using the IP Address I am successful. I have tried pinging using just the computer name as well as the FQDN and was unsuccessful.

From the Branch Office I can ping any IP Address on the Corporate Subnet. I cannot ping using anything other than the IP Address.

From the Corporate Office I can ping the LAN IP of the Branch SonicWall but no other IP's.

The Computer Firewalls are active but I have even tried turning them off to no avail.

I can ping the Exchange Server from the Branch PC's, but Outlook says a connection to Exchange is not available.
 
LVL 6

Expert Comment

by:ahdfx
ID: 34152813
What are the DNS servers for the Branch Office PC's?
 

Author Comment

by:circuits2
ID: 34152852
The Branch Office DNS Servers are Dynamically Assigned by the ISP. I tried setting the DNS servers to Static and added the Corporate DNS as Primary but still got the same results.

Something is preventing DNS or NetBIOS information from getting back to the Branch Office from the Corporate Office. I just don't know what. All of the firewall policies are set to allow all traffic from Corporate to Branch.
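A way to test what this exchange is circling around from a branch PC, added here as an example and not code posted in the thread: it asks the PC's default (ISP-assigned) resolver and the corporate DNS server separately for the Exchange names, flags any answer that falls outside the corporate subnet (a public address is routed out the Internet, not through the tunnel), and then checks the TCP ports Outlook needs against the private address. The corporate DNS server address 10.10.1.2, the names mail.mycompany.com and myservername.mycompany.com (taken from the author's closing comment) and the port list are assumptions; Resolve-DnsName requires Windows 8 / Server 2012 or later.

```powershell
# Added diagnostic, not from the thread. Assumptions: the corporate DNS server is
# reachable through the tunnel at 10.10.1.2 (the thread never names it), the names
# are the ones in the author's closing comment, and the PC runs Windows 8 / Server 2012
# or later so that Resolve-DnsName is available.
param(
    [string]   $CorpDns  = '10.10.1.2',
    [string[]] $Names    = @('mail.mycompany.com', 'myservername.mycompany.com'),
    [string]   $CorpCidr = '10.10.1.0/24',
    [int[]]    $Ports    = @(135, 443)    # RPC endpoint mapper (MAPI) and HTTPS (OWA / Outlook Anywhere)
)

# True when an IPv4 address lies inside a CIDR block; compared octet by octet so no
# unsigned 32-bit arithmetic is needed in PowerShell.
function Test-InSubnet {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipB  = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    $netB = ([System.Net.IPAddress]$net).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        $take = [Math]::Min(8, [Math]::Max(0, [int]$bits - 8 * $i))   # prefix bits in this octet
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipB[$i] -band $mask) -ne ($netB[$i] -band $mask)) { return $false }
    }
    return $true
}

# A-record lookup over the wire only (-DnsOnly skips the hosts file and the local cache),
# either through the PC's configured resolver or through an explicit server.
function Resolve-ARecord {
    param([string]$Name, [string]$Server)
    $q = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $q.Server = $Server }
    try {
        @(Resolve-DnsName @q | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch { @() }
}

# TCP connect with a timeout; Test-NetConnection would do, but this also works on
# older PowerShell and does not depend on ICMP being allowed.
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$privateAnswers = @()
foreach ($n in $Names) {
    $viaIsp  = Resolve-ARecord -Name $n
    $viaCorp = Resolve-ARecord -Name $n -Server $CorpDns
    "{0}`n  default resolver : {1}`n  {2,-16} : {3}" -f $n, ($viaIsp -join ', '), $CorpDns, ($viaCorp -join ', ')
    # The failure mode in the thread: a public answer sends Outlook out the Internet, not the tunnel.
    foreach ($ip in $viaIsp) {
        if (-not (Test-InSubnet -Ip $ip -Cidr $CorpCidr)) {
            Write-Warning "$n -> $ip is outside $CorpCidr; Outlook will not use the VPN for it"
        }
    }
    if (-not $viaCorp) { Write-Warning "no answer from $CorpDns for $n (is UDP/TCP 53 allowed VPN->LAN?)" }
    $privateAnswers += @($viaCorp | Where-Object { Test-InSubnet -Ip $_ -Cidr $CorpCidr })
}

# Reachability of the Exchange ports across the tunnel, by private address.
foreach ($ip in ($privateAnswers | Sort-Object -Unique)) {
    foreach ($p in $Ports) {
        $state = if (Test-TcpPort -Target $ip -Port $p) { 'open' } else { 'closed/filtered' }
        "TCP {0}:{1} {2}" -f $ip, $p, $state
    }
}
```

If the default resolver returns the public address 1.2.3.4 while 10.10.1.2 returns a private one, the name resolution path, not the tunnel, is the problem; if the corporate server returns nothing at all, check that DNS (port 53) is actually passing VPN to LAN rather than assuming the "allow all" rule covers it.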
 
LVL 6

Accepted Solution

by: ahdfx (earned 500 total points)
ID: 34152944
You know, aside from the ping test, since Corp gives you a response from the Branch, try this.

On one of the Branch PC's add the Exchange server to the Hosts file
c:\windows\system32\drivers\etc\hosts

Flush the DNS cache and try the Exchange connection. Is the domain the Exchange server is on a private one, e.g. myDomain.local, or public, e.g. MyDomain.com?
 
LVL 33

Expert Comment

by:digitap
ID: 34154840
Alternatively, add a domain prefix registration in the TCP/IP settings of a host. This will allow FQDN resolution.
 
LVL 15

Expert Comment

by:getzjd
ID: 34157503
You don't have any other gateways at either site, do you? Is your default gateway at each site your SonicWall?

When you send a ping, look in the SonicWall logs of both firewalls; you are looking for something like "ICMP packet dropped due to policy".

When you set up your source and destination networks on the VPN tunnel, what did you set (did you set ranges or an actual network like 192.168.1.0 255.255.255.0)? Are you trying to route all Internet traffic from the branch site back across to the HQ and then out that firewall? If so, that setup takes a few more steps. If you are not wanting to send Internet traffic across the VPN to HQ, make sure you do not have the "any address" radio button checked in your network settings of the SonicWall.

On the Advanced tab on both ends make sure you have Enable Keep Alive checked.

With a dynamic IP, you may want to set up Dynamic DNS under the Network settings in case your IP changes.
 
LVL 15

Expert Comment

by:getzjd
ID: 34157530
The other thing you can do that is helpful is to enable WAN management of the firewall to allow you to access that sonicwall remotely, however once you do, you should go in and restrict the firewall rules to specific IPs on the internet that can manage it.  For example, set the static ip of your HQ and maybe your house (if you have a static) .  This will allow you to troubleshoot and connect to the firewall if things like RDP or VPN are not working, yet block out the rest of the world from trying to hack the admin interface.
 
LVL 33

Expert Comment

by:digitap
ID: 34159416
Changing the default HTTPS port to something other than the default 443 will help too. You'll have to change the port anyway if you're redirecting port 443 for a secure server or Exchange.
 

Author Closing Comment

by:circuits2
ID: 34161586
Thank you to all who posted suggestions. I modified the hosts file on one of the Branch PCs to include the LAN IP of the Exchange server. Now everything works as it should.

For further clarification, I added the following entries to the C:\Windows\System32\Drivers\etc\hosts file:

10.10.1.2        mail.mycompany.com
10.10.1.2        myservername.mycompany.com


Thanks again!
 
LVL 33

Expert Comment

by:digitap
ID: 34161593
So, whenever your server name changes you're going to update hosts files on all your workstations? Also, shouldn't the MX record also resolve externally?
 

Author Comment

by:circuits2
ID: 34161630
digitap,

I know it sounds absurd to modify the host file on each workstation, but there will never be more than 5 computers in this branch office. I can live with changing hosts files until another solution can be found.

The MX record can be resolved externally, but does not need to be resolved externally from inside the Branch office as long as the Site-to-Site is active. I understand this is going to create a single point of failure, but it is only a temporary fix until a permanent solution can be found.
 
LVL 6

Expert Comment

by:ahdfx
ID: 34161634
The Branch Office PCs should either have their own local DNS server that gets updates from the Corp DNS server, or they just need to use the Corp DNS server for all DNS resolution.

The only problem with the second option is, if the VPN is down, the branch office PCs cannot even get to the Internet.

Glad the hosts file works. Sounds like the Branch Office PCs were going over the Internet to get to Corp and Corp was answering back on the VPN.

The hosts file is not bad, but like digitap states, if there are any changes on the domain, you need to update all the hosts files.

This is something you could handle with a bat file or script if you had to.
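The scripted form of the hosts-file workaround that ahdfx alludes to, added here as an example rather than code from the thread. It writes the two entries from the author's closing comment, backs the file up first, replaces rather than duplicates on re-runs (and drops any stale manual line for the same names, since the resolver takes the first match), flushes the resolver cache and verifies the result, so the remaining cost of the workaround is re-running it when a name or address changes. The name/address pairs are the thread's own; the tag comment and backup naming are this example's conventions. Run it from an elevated prompt.

```powershell
# Added example, not a script from the thread. Run elevated. Assumptions: the two
# name/address pairs below are the ones from the closing comment; the '# managed-branch-vpn'
# tag is this script's own marker for lines it owns.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [hashtable] $Entries = @{
        'mail.mycompany.com'         = '10.10.1.2'
        'myservername.mycompany.com' = '10.10.1.2'
    },
    [string] $Tag = '# managed-branch-vpn'
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$names     = @($Entries.Keys)

# 1. Back up before editing a system file.
Copy-Item -Path $hostsPath -Destination "$hostsPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"

# 2. Keep every line except (a) lines this script wrote earlier and (b) any other line
#    that already maps one of our names; a stale manual entry further up the file would
#    otherwise win, because the resolver takes the first match.
$kept = @(Get-Content -Path $hostsPath | Where-Object {
    $line = $_
    if ($line -like "*$Tag*") { return $false }
    $fields = @((($line -split '#')[0]).Trim() -split '\s+')
    if ($fields.Count -lt 2) { return $true }                      # blank or comment-only line
    -not ($fields[1..($fields.Count - 1)] | Where-Object { $names -contains $_ })
})

# 3. Append the managed entries in a stable order.
$managed = foreach ($name in ($names | Sort-Object)) {
    '{0,-16} {1}  {2}' -f $Entries[$name], $name, $Tag
}

if ($PSCmdlet.ShouldProcess($hostsPath, 'rewrite managed hosts entries')) {
    Set-Content -Path $hostsPath -Value ($kept + @($managed)) -Encoding Ascii
    ipconfig /flushdns | Out-Null     # works on every Windows version; Clear-DnsClientCache needs Win8/2012+
}

# 4. Verify through the normal resolver path (hosts file first), which is what Outlook uses.
foreach ($name in $names) {
    $got = @([System.Net.Dns]::GetHostAddresses($name) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
    if ($got -contains $Entries[$name]) { 'OK   {0} -> {1}' -f $name, ($got -join ', ') }
    else { Write-Warning ('FAIL {0} -> {1} (expected {2})' -f $name, ($got -join ', '), $Entries[$name]) }
}
```

Because the script supports -WhatIf, a dry run shows which lines would be rewritten without touching the file; pushing it to the handful of branch PCs by Group Policy startup script or a scheduled task keeps the entries in step, which is the upkeep digitap and getzjd are warning about.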
 
LVL 15

Expert Comment

by:getzjd
ID: 34161637
I would not have taken the route of modifying the hosts file.  That should only be used in very, very specific situations.  May the force of network maintenance and upkeep be with you :-)
 
LVL 33

Expert Comment

by:digitap
ID: 34161644
You picked up on my point well enough. As long as you understand the cons of a hosts file solution and it fits your particular scenario, then I won't worry about it...>GRIN<!
 
LVL 15

Expert Comment

by:getzjd
ID: 34161646
The remote office computers should definitely be pointing to the HQ office for DNS resolution.
