Ross_at_CSL

RAS client inside Sonicwall fails to connect to RAS server outside.

We have a customer who is letting us access their network in order to support their sites over their WAN.  They have provided us with a user name and password for this.  When I set up the VPN Network connection from the Windows control panel and make the connection through a Linksys "home" router it works perfectly.  If I change my connection to the Sonicwall TZ190 firmware version SonicOS Enhanced 3.6.0.1-23e all I ever get is failed authentications.

I have to admit that the Sonicwall setup is a bit beyond my comfort zone.  I have poked around policies and I believe that what I need is there but I am not too sure...

I did do two Wireshark captures, one with each router connection, to try to compare the two.  There isn't much difference between them except for the failure response on the one vs the accepted response to CHAP.  There is more in there that I am missing.

I have explored the MTU size solution I found on this site but I believe that our customer would have to adjust their settings in order to make that a valid test.  Is that correct?

Anybody have any ideas as to what to try?    Capture files available on request.

MidnightOne

When you're setting up the VPN, I presume you're using windows authentication and passing it through to their DC as you use an RDP session?

If that's the case, try manually setting the client use PPTP. I've had to do that for all connections to SonicWall clients.

Ross_at_CSL (asker)

It did not help.  Looking at the packet capture I see where the two sides negotiate and settle on a PPTP connection.  Then it tries the authentication and it fails.

Please note that I am NOT trying to connect INTO a sonicwall firewall, I am trying to connect out through one.

MidnightOne

The TZ190 does have a wizard for creating VPN connections like you're seeking; have you tried using the wizard to set up the connection type?

Ross_at_CSL (asker)

This is starting to get clearer to me.  This is the reply from their server to the authentication when connected through the firewall.

Message: E=691 R=1 C=63BFC7AAFEE440C25A6D20FDE1CF3BDC V=3

Bad username or password.  BUT the same username and password WORK out through the Linksys.  I just reverified that.

MidnightOne

That is... odd. Perhaps you need to add the domain name to the logon?

ASKER CERTIFIED SOLUTION: MidnightOne

Ross_at_CSL (asker)

MidnightOne:
We might be on to something here.
CHAP Challenge with Linksys:

PPP CHAP      Challenge (NAME='INFO-VP1', VALUE=0x2FB697830290AA98577FBA9A09D77366)

CHAP Challenge with Sonicwall:

PPP CHAP      Challenge (NAME='SOLUTIONS', VALUE=0xEEC777F785D7A939FBFD31D8D35447ED)

INFO-VP1 is our customer's Rem.Acc. Server.  SOLUTIONS is ours.  The packet is marked as coming FROM our customers IP, not ours.

Is the Sonicwall Reflecting the VPN connection BACK into our own server?
BTW, this was helpful because this is the packet right before the client transmits the user name and password WITH the domain.  You made me take a second look to discover that we might be hitting the wrong domain.
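The two Wireshark summaries above and the earlier `E=691 R=1 C=... V=3` failure message carry enough to diagnose this without guessing. The CHAP Challenge packet names the server that issued it, so comparing that NAME with the peer you expect to reach shows immediately whether the tunnel ended up at the wrong server; the failure string follows the MS-CHAP-V2 Failure packet format of RFC 2759 section 6 (`E=<code> R=<retry> C=<challenge> V=<version> [M=<message>]`), where 691 is `ERROR_AUTHENTICATION_FAILURE`. The script below is an added example written for this thread, not code from the thread or from SonicWall; the capture lines are constructed copies of the ones quoted above, and the expected peer name `INFO-VP1` is taken from the asker's description.

```python
import re

# Constructed sample input: Wireshark packet-list summaries and the MS-CHAP-V2
# failure text as quoted in the thread (copied here for a runnable example).
CAPTURE_LINKSYS = "PPP CHAP      Challenge (NAME='INFO-VP1', VALUE=0x2FB697830290AA98577FBA9A09D77366)"
CAPTURE_SONICWALL = "PPP CHAP      Challenge (NAME='SOLUTIONS', VALUE=0xEEC777F785D7A939FBFD31D8D35447ED)"
FAILURE_MSG = "E=691 R=1 C=63BFC7AAFEE440C25A6D20FDE1CF3BDC V=3"

# MS-CHAP-V2 failure codes, RFC 2759 section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

CHALLENGE_RE = re.compile(
    r"Challenge \(NAME='(?P<name>[^']*)', VALUE=0x(?P<value>[0-9A-Fa-f]+)\)"
)
# E=<decimal> R=<0|1> C=<16-byte challenge as 32 hex> V=<decimal> [M=<text>]
FAILURE_RE = re.compile(
    r"E=(?P<code>\d+)\s+R=(?P<retry>[01])\s+C=(?P<challenge>[0-9A-Fa-f]{32})"
    r"\s+V=(?P<version>\d+)(?:\s+M=(?P<msg>.*))?"
)


def parse_challenge(line):
    """Extract the authenticator NAME and challenge bytes from a CHAP Challenge summary."""
    m = CHALLENGE_RE.search(line)
    if m is None:
        raise ValueError("not a CHAP Challenge summary line: %r" % line)
    return {"name": m.group("name"), "value": bytes.fromhex(m.group("value"))}


def parse_failure(text):
    """Decode an MS-CHAP-V2 Failure message into its fields (RFC 2759 section 6)."""
    m = FAILURE_RE.search(text)
    if m is None:
        raise ValueError("not an MS-CHAP-V2 failure message: %r" % text)
    code = int(m.group("code"))
    return {
        "code": code,
        "reason": MSCHAP_ERRORS.get(code, "UNKNOWN_ERROR"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": bytes.fromhex(m.group("challenge")),
        "version": int(m.group("version")),
        "message": m.group("msg"),
    }


def diagnose(challenge_line, expected_peer, failure_text=None):
    """Compare the challenging server's NAME with the peer we meant to reach.

    A mismatch means the PPTP session was answered by a different server
    (here: a NAT loopback policy sending the tunnel back to the local RAS),
    so the credentials were presented to the wrong domain.
    """
    challenge = parse_challenge(challenge_line)
    result = {
        "authenticator": challenge["name"],
        "expected_peer": expected_peer,
        "misdirected": challenge["name"] != expected_peer,
        "challenge_len_ok": len(challenge["value"]) == 16,  # MS-CHAP-V2 uses 16-byte challenges
        "failure": parse_failure(failure_text) if failure_text else None,
    }
    if result["misdirected"]:
        result["verdict"] = (
            "challenge issued by '%s', not by expected peer '%s': the session is being "
            "redirected; review NAT/loopback policies on the outbound firewall"
            % (challenge["name"], expected_peer)
        )
    elif result["failure"] and result["failure"]["code"] == 691:
        result["verdict"] = "reached the right peer; credentials or domain were rejected"
    else:
        result["verdict"] = "reached the expected peer"
    return result


if __name__ == "__main__":
    for label, line in (("Linksys", CAPTURE_LINKSYS), ("Sonicwall", CAPTURE_SONICWALL)):
        r = diagnose(line, "INFO-VP1", FAILURE_MSG)
        print("%-9s -> %s" % (label, r["verdict"]))
```

Run against the two captures, the Linksys path reports the expected peer while the Sonicwall path reports that `SOLUTIONS` answered the challenge, which is the symptom the NAT loopback policy produced; checking the authenticator name is a cheap first step whenever a VPN client fails CHAP only through one particular gateway.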
Found the problem.  Someone (I think it was our support contractor) had created a NAT loopback policy inside our Sonicwall that did point our connection back at our server.  In fact there were 4 of them, 3 enabled.  Once disabled the connection was made to our customer.
Thanks for making me look more closely at what I had.

Now to figure out why they were there and what we have that is no longer working because I turned them off.