Solved

Cannot Connect to Exchange via SonicWall Site-to-Site VPN

Posted on 2010-11-16
19
Medium Priority
1,282 Views
Last Modified: 2012-06-27
I am setting up a Site-to-Site VPN between two SonicWall appliances and have hit a minor road block. The main SonicWall is an NSA 2400 and is located at our corporate office with a Static Public IP. The remote SonicWall is a TZ 100 and is located in a branch office with a Dynamic Public IP. Both devices have been configured in Aggressive Mode.

Here is a summary of the configurations:

Corporate Office NSA 2400
Public IP: 1.2.3.4
Lan IP: 10.10.1.1/24
Our Exchange Server is 10.10.1.2

Branch Office TZ 100
Public IP: Dynamic
Lan IP: 10.10.3.1/24

I have configured the Corporate SonicWall with an Address Object for the Branch Office and vice versa for the Branch SonicWall. I have also made sure the VPN Policies have the correct Device IDs.

The VPN Tunnel shows that it is established on both SonicWalls and I am able to ping any of the corporate computers from the Branch Office using the IP Addresses. However, I am unable to ping any of the Corporate computers from the Branch Office using the computer names and I cannot ping any of the computers in the Branch Office from the Corporate Office. So basically I have one-way connectivity. I think this is the reason why I am unable to connect to Exchange from the Branch Office.

Any clues as to why I cannot ping from the Corporate Office or connect to Exchange?

Thank you in advance!
0
Comment
Question by:circuits2
19 Comments
 

Author Comment

by:circuits2
ID: 34152650
Sorry, forgot to mention that both SonicWall devices are running the latest Sonic EnhancedOS.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34152652
check your firewall rules vpn to lan on both ends.  if you had any misconfiguration on the SAs on either end then the tunnel would not come up.  the other thought i have is if you perhaps have a rogue route on the 2400 that's preventing the traffic from traversing the vpn.
0
 

Author Comment

by:circuits2
ID: 34152719
Thanks for your response digitap!

I checked both devices and there is an entry to allow all traffic from VPN-LAN, LAN-VPN, and VPN-VPN.

One other odd thing that I just found out is that I can ping the LAN address of the Branch Office from the Corporate Office, but still cannot ping any other LAN addresses in the Branch Office.
0
 
LVL 6

Expert Comment

by:ahdfx
ID: 34152760
Remember when pinging by computer names that you need to use the FQDN unless you have allowed NetBIOS translations over the VPN.

Also, can you clarify what you can ping via IP address?

As far as pinging the computers in the branch office, is the Computer Firewall active?

I would focus on getting the Branch offices to be able to Ping the Exchange server 1st.
0
 

Author Comment

by:circuits2
ID: 34152796
Thank you for the response ahdfx!

If I ping from the Branch Office using the IP Address I am successful. I have tried pinging using just the computer name as well as the FQDN and was unsuccessful.

From the Branch Office I can ping any IP Address on the Corporate Subnet. I cannot ping using anything other than the IP Address.

From the Corporate Office I can ping the LAN IP of the Branch SonicWall but no other IP's.

The Computer Firewalls are active but I have even tried turning them off to no avail.

I can ping the Exchange Server from the Branch PC's, but Outlook says a connection to Exchange is not available.
0
 
LVL 6

Expert Comment

by:ahdfx
ID: 34152813
What are the DNS servers for the Branch Office PC's?
0
 

Author Comment

by:circuits2
ID: 34152852
The Branch Office DNS Servers are Dynamically Assigned by the ISP. I tried setting the DNS servers to Static and added the Corporate DNS as Primary but still got the same results.

Something is preventing DNS or NetBIOS information from getting back to the Branch Office from the Corporate Office. I just don't know what. All of the firewall policies are set to allow all traffic from Corporate to Branch.
0
 
LVL 6

Accepted Solution

by:ahdfx (earned 2000 total points)
ID: 34152944
You know, aside from the ping test, since corp gives you a response from the branch, try this.

On one of the Branch PC's add the Exchange server to the Hosts file
c:\windows\system32\drivers\etc\hosts

Flush the DNS cache and try the Exchange connection.  Is the Domain the Exchange server is on a Private one, i.e. myDomain.local, or Public, i.e. MyDomain.com?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34154840
alternatively, add a domain suffix registration in the TCP/IP settings of a host.  this will allow fqdn resolution.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34157503
You don't have any other gateways at either site do you?  Is your default gateway at each site your sonicwall?

When you send a ping, look in the SonicWall logs of both firewalls; you should be looking for something like "ICMP packet dropped due to policy".

When you set up your source and destination networks on the VPN tunnel, what did you set (did you set ranges or an actual network like 192.168.1.0 255.255.255.0)?  Are you trying to route all internet traffic from the branch site back across to the HQ then out that firewall?  If so, that setup takes a few more steps.  If you are not wanting to send internet traffic across the VPN to HQ, make sure you do not have the "any address" radio button checked in your network settings of the SonicWall.


On the advanced tab on both ends make sure you have "enable keep alive" checked.

With a dynamic ip, you may want to setup Dynamic DNS under the Network settings in case your IP changes.
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34157530
The other thing you can do that is helpful is to enable WAN management of the firewall to allow you to access that sonicwall remotely, however once you do, you should go in and restrict the firewall rules to specific IPs on the internet that can manage it.  For example, set the static ip of your HQ and maybe your house (if you have a static) .  This will allow you to troubleshoot and connect to the firewall if things like RDP or VPN are not working, yet block out the rest of the world from trying to hack the admin interface.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34159416
changing the default https port to something other than the default 443 will help too.  you'll have to change the port anyway if you're redirecting port 443 for a secure server or exchange.
0
 

Author Closing Comment

by:circuits2
ID: 34161586
Thank you to all who posted suggestions. I modified the hosts file on one of the Branch PCs to include the LAN IP of the Exchange server. Now everything works as it should.

For further clarification, I added the following entries to the C:\Windows\System32\Drivers\etc\hosts file:

10.10.1.2        mail.mycompany.com
10.10.1.2        myservername.mycompany.com


Thanks again!
0
 
LVL 33

Expert Comment

by:digitap
ID: 34161593
so, whenever your server name changes you're going to update hosts files on all your workstations?  also, shouldn't the MX record also resolve externally?
0
 

Author Comment

by:circuits2
ID: 34161630
digitap,

I know it sounds absurd to modify the hosts file on each workstation, but there will never be more than 5 computers in this branch office. I can live with changing hosts files until another solution can be found.

The MX record can be resolved externally, but does not need to be resolved externally from inside the Branch office as long as the Site-to-Site is active. I understand this is going to create a single point of failure, but it is only a temporary fix until a permanent solution can be found.
0
 
LVL 6

Expert Comment

by:ahdfx
ID: 34161634
The Branch Office PCs should either have their own local DNS server that gets updates from the Corp DNS server, or they just need to use the Corp DNS server for all DNS resolution.

Only problem with the 2nd option is if the VPN is down, branch office PCs cannot even get to the internet.

Glad the Hosts file works.  Sounds like the Branch office PCs were going over the internet to get to Corp and Corp was answering back on the VPN.

The Hosts file is not bad, but like digitap states, if there are any changes on the Domain, you need to update all the Hosts files.

This is something you could handle with a bat file or script if you had to.
0
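The thread's accepted fix (hosts entries for the Exchange server) and the follow-up concern that every name or IP change means touching every branch PC's hosts file both come down to the same maintenance problem. The script below is an added example written for this page, not code from any poster: it keeps the branch entries inside one marked block of the hosts file so a re-run with an updated name-to-IP mapping replaces the old entries and drops stale ones, and it refuses short (non-FQDN) names, since only fully qualified names resolve over the tunnel unless NetBIOS is carried across it. The hosts path, block markers and sample entries are assumptions constructed for the demonstration; `lookup()` mimics the resolver's hosts-file step so you can confirm what a PC would resolve before touching Outlook.

```python
"""Keep branch-office hosts entries in one managed block (added example).

Illustrative code written for this thread, not supplied by any poster.  It
assumes a Windows hosts file at the path the thread names and a name->IP
mapping maintained centrally; the entries in main() mirror the asker's fix
and are constructed for the demonstration.
"""
import ipaddress
import re
from pathlib import Path

# Markers delimit the block this script owns; everything outside is untouched.
BEGIN = "# BEGIN managed-exchange-entries"
END = "# END managed-exchange-entries"
HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")  # assumption: Windows


def parse_hosts(text):
    """Return [(ip, [names...])] for active lines; comments and blanks skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            entries.append((ip, names))
    return entries


def validate(mapping):
    """Reject malformed IPs and short names: over the tunnel only FQDNs resolve
    unless NetBIOS is carried across, as noted earlier in the thread."""
    for name, ip in mapping.items():
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP
        if "." not in name or name.endswith("."):
            raise ValueError(f"{name!r} is not a fully qualified host name")
    return True


def render_block(mapping):
    """Format the managed block, one 'ip  fqdn' line per entry, sorted by name."""
    lines = [BEGIN] + [f"{mapping[n]:<16} {n}" for n in sorted(mapping)] + [END]
    return "\n".join(lines)


def apply_block(text, mapping):
    """Return hosts text with the managed block replaced, or appended if absent.
    Entries missing from `mapping` disappear, so stale names do not linger."""
    validate(mapping)
    block = render_block(mapping)
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)
    if pattern.search(text):
        return pattern.sub(lambda _m: block, text)  # lambda: no backslash escapes
    sep = "" if (not text or text.endswith("\n")) else "\n"
    return text + sep + block + "\n"


def lookup(text, name):
    """Mimic the resolver's hosts-file step: first matching line wins and names
    are case-insensitive.  Returns the IP, or None (DNS would then be asked)."""
    wanted = name.lower()
    for ip, names in parse_hosts(text):
        if wanted in (n.lower() for n in names):
            return ip
    return None


def update_hosts_file(path, mapping):
    """Rewrite `path` in place; returns True if the file content changed."""
    path = Path(path)
    old = path.read_text(encoding="utf-8") if path.exists() else ""
    new = apply_block(old, mapping)
    if new != old:
        path.write_text(new, encoding="utf-8")
    return new != old


if __name__ == "__main__":
    # Constructed sample matching the thread's fix; run against a temp file so
    # the demo never touches the real hosts file (that needs an elevated shell).
    import tempfile
    sample = {
        "mail.mycompany.com": "10.10.1.2",
        "myservername.mycompany.com": "10.10.1.2",
    }
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "hosts"
        p.write_text("127.0.0.1 localhost\n", encoding="utf-8")
        print("changed:", update_hosts_file(p, sample))
        print("changed again:", update_hosts_file(p, sample))  # idempotent: False
        print(p.read_text(encoding="utf-8"))
        print("mail ->", lookup(p.read_text(encoding="utf-8"), "MAIL.mycompany.com"))
```

To use it for real, call `update_hosts_file(HOSTS_PATH, mapping)` from an elevated shell and then clear the resolver cache with `ipconfig /flushdns`, as the accepted answer says. Because the script only rewrites its own marked block, a later move to the proper fix (branch PCs using the corporate DNS, or a local DNS server fed from it) is just a run with an empty mapping, which leaves an empty block and no stray Exchange entries behind.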
 
LVL 15

Expert Comment

by:getzjd
ID: 34161637
I would not have taken the route of modifying the hosts file.  That should only be used in very, very specific situations.  May the force of network maintenance and upkeep be with you :-)
0
 
LVL 33

Expert Comment

by:digitap
ID: 34161644
you picked up on my point well enough.  as long as you understand the cons of a host file solution and it fits your particular scenario, then i won't worry about it...>GRIN<!
0
 
LVL 15

Expert Comment

by:getzjd
ID: 34161646
The remote office computers should definitely be pointing to the HQ office for DNS resolution.
0
