Link to home
Create AccountLog in
Avatar of mrjking2000
mrjking2000

asked on

Sonicwall Site to Site VPN with Pro 2040 and TZ170

Hey all, hope the holidays treated you well.

I have a site to site VPN that links up and negotiates, but I can't pass DNS traffic through bi-directionally.  I have read many other forum articles about setting up the DNS server IP on the remote site and have done that, NSLOOKUP returns the correct FQDN to the DNS server but I still can't route any traffic by DNS.

Here is my setup:
Main office:
LAN IPs 192.168.12.x
             255.255.255.0
DNS       192.168.12.9

Remote Site:
LAN IPs 10.10.10.x
             255.255.255.0
DNS      192.168.12.9
             8.8.8.8

The VPN is on and has been solid all day so far, but absolutely no DNS will pass.  I have enabled Netbios broadcast over the VPN on both ends too.

I am wondering if the remote site needs to be on the same subnet, but when I tried that I couldn't get the VPN to link up.

The main office has a SBS 08 server, active directory, DHCP and DNS on the server...your typical small business setup.  My point behind the Site to site is so the folks in the remote office can stop using the Global VPN Client (one less step) and the TZ170 was inexpensive!

I also need it when they log into their machines, they are really logging into active directory over the VPN...another reason for the site to site.

Any help is appreciated!
Thanks,
Avatar of ks_admin
ks_admin

Do their computers authenticate using Active Directory over your VPN?  Can the clients on the other side ping the DNS server?


Have you seen anything in the SonicWALL logs regarding the VPN?  It shouldn't matter what type of traffic it is, if your VPN is in the trusted zone.  Are you using Enhanced firmware, or Standard?


ks_admin
Avatar of mrjking2000

ASKER

Well the VPN is supposed to be deployed soon, so it is in testing mode now.  No actual client PCs have tried to login over the VPN, I am testing this from my house with my laptop, when I use the GVC software everything works fine, then when I bring up the site to site only traffic routes by IP.

Nothing unusual in the logs once the VPN connects up...the firmware is standard on both devices.
Avatar of Cas Krist
Can you do a NSLOOKUP to the DNS-server from the remote site?
Start nslookup form a command prompt and try to query the dns-server (192.168.12.9)
actually yes, NSLOOKUP resolves the FQDN back to the server, but still no DNS traffic is passing over the link for some reason.

Aggravating!  The cheaters way out is add the dns names in the hosts files of the laptops, but I'd like it to really route traffic the correct way.
Are you certain it's not just an issue with the laptop at home?  The GVC works a little differently than your site to site link would.  But it sounds like you have a grasp on the SonicWALL OS.  Do you only have a single subnet on each side, and are you using DHCP over VPN, or static addressing?  
okay I think you just touched on something I was struggling with, I can get around the OS real good, but when I tried to bring up the tunnel with the same subnet at both locations it wouldn't connect.  I don't know why, but everything in my head says that having 192.168.12.x at both locations wouldn't work.  Even though the DHCP ranges would be different, for whatever reason it wasn't connecting.

I also tried DHCP over VPN through the tunnel on the TZ170 settings and had to reset to get back into the sonicwall at the remote site.

Is it possible to configure the sites with the same subnet...

Like 192.168.12.x, 255.255.255.0; or should it be this,

main    192.168.12.0 255.255.0.0
remote 192.168.13.0 255.255.0.0

thanks,
I believe you need different subnets, otherwise a machine doesn't know when to send the traffic to the router/firewall.

When happens when you ping the FQDN of the server, and what happens when you ping -a <server ip>?
The sonicwall is the only router at the remote site? (and the other the only router on the main site?)
yes both site have only sonicwalls as the router.  The ping of the FQDN resolved nothing, and the ping -a on the server IP does not resolve the DNS of the server...even though NSLOOKUP does.
ASKER CERTIFIED SOLUTION
Avatar of Cas Krist
Cas Krist
Flag of Netherlands image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
sorry for the delay, dang holiday!

Here is the result:

Domain Name:       CASRV-01
DNS Server Used:       192.168.12.9
Resolved Address:

It doesn't resolve anything from the sonicwall too?  Is there something that should be opened in the firewall port wise to allow DNS traffic to flow?
wait, looking up the FQDN resolves back correctly.

Domain Name:       casrv-01.(mydomain).local
DNS Server Used:       192.168.12.9
Resolved Address:       192.168.12.9
Normally a VPN tunnel allows all traffic. Are there restrictions on the DNS-server?
Are you using SonicOS Standard or Enhanced?
this is sonicOS standard, I don't think there are DNS server restrictions.  It is a relatively new SBS 08 machine.

In the time between our chats here my windows 7 pro PC from home was able to successfully resolve the server name by short netbios name not the FQDN. But my XP pro laptop still won't work correctly.

I ping casrv-01 and it resolves nothing, i ping -a the IP 12.9 and it resolves back to the FQDN now, but accessing the server files by \\casrv-01\ in explorer doesn't bring anything up.  It will resolve folder list if you go \\casrv-01.(mydomain).local but none of the company laptops are configured to route by whole DNS name.

Interesting thing is my windows 7 pc was doing the same thing as the laptop and now magically it works.  All I did was some ping tests from inside the firewall like suggested.
actually I man have mis-stated that last line about DNS on the company laptops. I bet it will work now...I will drive down there today and snag a laptop and bring it back to the house.  There are still people on leave from the holiday so machines are available, when I log in...if I get network drive deployment then we're set.  If not...we will have to continue tweaking.
OK, let us know.
Thanks for the help, I installed the router in the remote site just this morning and everything came up as expected and the company laptops are communicating fine with the office.
Thanks for the points.