Solved

Can not see subnets across sonicwall Site to Site VPN

Posted on 2011-03-16
Last Modified: 2012-05-11
I have a small network in which there is a Dell PowerConnect switch acting as the default gateway.  On the switch there are two VLANs, 192.168.10.0/24 and 192.168.0.0/24; the 10 network is for IP phones and the other for data.  The data network is a Windows network with an SBS 2008 controlling DHCP and DNS.  The SBS server IP is 192.168.0.2 and the Dell switch on the data VLAN is 192.168.0.254.  The SBS DHCP scope is set to use the Dell switch as the default gateway and the SBS is also statically set to use the Dell switch as the gateway.  The router to the internet is a SonicWall TZ 210 with a LAN IP of 192.168.0.1.  Oh yeah, there is a route set on the Dell switch (0.0.0.0 0.0.0.0 192.168.0.1).  Everything works internally in the office between the VLANs (there is a phone server at 192.168.10.10) and I can ping from 192.168.0.2 to 192.168.10.10 and vice versa.

The problem I am having is that when I add a remote site connected with a site-to-site VPN from another SonicWall TZ180, I cannot see either subnet.  The subnet of the remote site is 192.168.1.0/24.  The site-to-site is up and I can ping from the remote site to 192.168.0.1 but nowhere else.  I also noticed that if I change the statically assigned gateway on the SBS then I can ping it from the remote site (it seems anything on the data subnet with its default gateway set to 192.168.0.1 responds to pings from the remote subnet).  I have not been able to ping the Dell switch at 192.168.0.254 from the remote site.

The entire goal here is to get an IP phone working on the remote site which really just means it needs to see 192.168.10.10.

The Dell switch is where my expertise is a little lacking (this was set up by the phone vendor).  I have access to it and have been able to play around with setting up routes and VLANs but I am not that familiar with it.  The Dell switch is a PowerConnect 6224P.
Question by:jcwilets
12 Comments
 
LVL 13

Accepted Solution

by:
kdearing earned 1500 total points
ID: 35153319
Make sure you add the other end subnet(s) to the Sonicwall as a trusted network.
0
 

Author Comment

by:jcwilets
ID: 35153402
All subnets are added to the SonicWall as trusted subnets.  What I just can't get over is that I cannot ping the Dell switch from the remote site; it just doesn't make sense.  I have tried playing around with static routes on the SonicWall but just ran into dead ends.  I have set up several site-to-site VPNs with SonicWalls with multiple subnets, so I am stuck thinking it is the Dell switch.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35153654
You may need to go into the security policies and specifically allow traffic between those subnets.
0
 

Author Comment

by:jcwilets
ID: 35156045
I actually tried that too.  I know I am missing something simple but I just keep missing it.  The subnets can see each other and I think the key is something to do with the switch being the default gateway.  I can't explain why I can ping the SBS at 192.168.0.2 from the remote site when its default gateway is 192.168.0.1 and cannot ping it when its gateway is 192.168.0.254.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35157894
Definitely looks like a problem with the Dell's routing

On the Dell switch, double-check:
Default gateway; should be 192.168.0.1
Subnet mask; should be 255.255.255.0
0
 

Author Comment

by:jcwilets
ID: 35160415
Here is the Dell config.  Any thoughts on this would be appreciated:

!Current Configuration:
!System Description "PowerConnect 6224P, 2.2.0.3, VxWorks5.5.1"
!System Software Version 2.2.0.3
!
configure
vlan database
vlan  2,10,99,254
vlan association subnet 192.168.65.0 255.255.255.0 65
exit
stack
member 1 4
exit
ip address 192.168.99.254 255.255.255.0
ip default-gateway 192.168.99.254
ip address vlan 99
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
bootpdhcprelay enable
bootpdhcprelay serverip 192.168.0.2
ip helper-address 192.168.10.254 192.168.0.2 37
ip helper-address 192.168.10.254 192.168.0.2 49
ip helper-address 192.168.10.254 192.168.0.2 137
ip helper-address 192.168.10.254 192.168.0.2 138
ip helper-address 192.168.254.1 192.168.254.254 37
ip helper-address 192.168.254.1 192.168.254.254 49
ip helper-address 192.168.254.1 192.168.254.254 137
ip helper-address 192.168.254.1 192.168.254.254 138
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 2
name "vpn"
routing
ip address  192.168.1.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 10
name "ShoreTel"
routing
ip address  192.168.10.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 99
name "Management"
exit
interface vlan 254
name "P2P"
routing
ip address  192.168.254.1  255.255.255.0
no ip proxy-arp
exit
username "admin" password b40b6ccca3e502d00861995886ef5b31 level 15 encrypted
!
interface ethernet 1/g1
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g2
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g3
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g4
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g5
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g6
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g7
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g8
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g9
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g10
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g11
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g12
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g13
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g14
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g15
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g16
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g17
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g18
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g19
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g20
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g21
no negotiation
speed 100
spanning-tree disable
spanning-tree portfast
switchport mode general
switchport general pvid 254
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 254
switchport general allowed vlan remove 1
exit
!
interface ethernet 1/g23
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g24
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
exit
0
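
Added example, not part of the thread and not the poster's or Dell's code: a longest-prefix-match lookup over the routing lines of the switch config posted above, showing which route the switch would select for a given destination, including the remote subnet 192.168.1.0/24. It assumes the VLAN routing interfaces are up; 192.168.1.50 and 203.0.113.5 are constructed sample addresses.

```python
import ipaddress

# Routing-relevant lines copied from the switch config posted above.
CONFIG = """\
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
exit
interface vlan 2
routing
ip address  192.168.1.254  255.255.255.0
exit
interface vlan 10
routing
ip address  192.168.10.254  255.255.255.0
exit
interface vlan 254
routing
ip address  192.168.254.1  255.255.255.0
exit
"""

def build_routes(config):
    """Return (network, description) pairs for static and connected routes."""
    routes, vlan = [], None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:2] == ["interface", "vlan"]:
            vlan = tok[2]
        elif tok == ["exit"]:
            vlan = None
        elif tok[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}"), f"static via {tok[4]}"))
        elif tok[:2] == ["ip", "address"] and vlan:
            # Assumption: the VLAN routing interface is up, so its subnet is "connected".
            net = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
            routes.append((net, f"connected on vlan {vlan}"))
    return routes

def select_route(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else "no route"

if __name__ == "__main__":
    routes = build_routes(CONFIG)
    # 192.168.1.50 (remote-site host) and 203.0.113.5 are constructed sample addresses.
    for dst in ("192.168.10.10", "192.168.1.50", "203.0.113.5"):
        print(f"{dst:15} -> {select_route(routes, dst)}")
```

With the posted config, a destination in 192.168.1.0/24 matches the connected VLAN 2 interface (192.168.1.254/24) rather than the default route to 192.168.0.1.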
 
LVL 13

Expert Comment

by:kdearing
ID: 35161117
You have the following in your config:

    ip default-gateway 192.168.99.254
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

The default-gateway statement should be removed.
If ip routing is enabled, you should use a "gateway of last resort" (ip route 0.0.0.0 0.0.0.0 x.x.x.x) instead.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml
0
 

Author Comment

by:jcwilets
ID: 35162333
Thanks, will give it a try tomorrow and let you know.
0
 

Author Comment

by:jcwilets
ID: 35182402
Sorry for the delay.  This did not work.  If I remove the ip routing statement, all traffic on the switch stops.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35189590
Remove this:

    ip default-gateway 192.168.99.254

Keep these:

    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

0
 

Author Comment

by:jcwilets
ID: 35192887
Tried that too and it didn't work.  I think I need to take a step back and start over.  I have been trying too many things and think I am stepping on top of myself.  One thing I did try with success was to set up the IPsec VPN client for the SonicWall.  When the VPN connects it gets a DHCP address from the SBS so it is on the same subnet.  Then I add a static route on the SonicWall for the VPN traffic going to 192.168.10.0/24 to point to 192.168.0.254 and it works.  Point is, I still think it is the Dell configuration that is the problem.
0
 

Author Closing Comment

by:jcwilets
ID: 35209577
Well, I got it figured out.  I decided to just start over.  So I erased any of the configuration changes to the Dell and completely removed the VPN in the SonicWall.  Set up the SonicWall VPN from scratch and added routes for the other subnet from the VPN.  This is all it took - no configuration changes on the Dell switch.  I thought I had done this before but I guess not.  Anyway, I awarded the points since you first suggested to check the SonicWall and that is indeed where the problem was.
0
