Solved

Can not see subnets across sonicwall Site to Site VPN

Posted on 2011-03-16
Last Modified: 2012-05-11
I have a small network in which there is a Dell PowerConnect switch acting as the default gateway. On the switch there are two VLANs, 192.168.10.0/24 and 192.168.0.0/24; the 10 network is for IP phones and the other for data. The data network is a Windows network with an SBS 2008 controlling DHCP and DNS. The SBS server IP is 192.168.0.2 and the Dell switch on the data VLAN is 192.168.0.254. The SBS DHCP scope is set to use the Dell switch as the default gateway and SBS is also statically set to use the Dell switch as the gateway. The router to the internet is a SonicWall TZ 210 with a LAN IP of 192.168.0.1. Oh yeah, there is a route set on the Dell switch (0.0.0.0 0.0.0.0 192.168.0.1). Everything works internally in the office between the VLANs (there is a phone server at 192.168.10.10) and I can ping from 192.168.0.2 to 192.168.10.10 and vice versa.

The problem I am having is when I add a remote site connected with a site-to-site VPN from another SonicWall TZ180, I cannot see either subnet. The subnet of the remote site is 192.168.1.0/24. The site-to-site is up and I can ping from the remote site to 192.168.0.1 but nowhere else. I also noticed if I change the statically assigned gateway on the SBS then I can ping it from the remote site (seems anything on the data subnet with default gateway set to 192.168.0.1 responds to pings from the remote subnet). I have not been able to ping the Dell switch at 192.168.0.254 from the remote site.

The entire goal here is to get an IP phone working on the remote site which really just means it needs to see 192.168.10.10.

The Dell switch is where my expertise is a little lacking (this was set up by the phone vendor). I have access to it and have been able to play around with setting up routes and VLANs but I am not that familiar with it. The Dell switch is a PowerConnect 6224P.
Question by:jcwilets
 
LVL 13

Accepted Solution

by:
kdearing earned 500 total points
ID: 35153319
Make sure you add the other end subnet(s) to the Sonicwall as a trusted network.
0
 

Author Comment

by:jcwilets
ID: 35153402
All subnets are added to the SonicWall as trusted subnets. What I just can't get over is that I cannot ping the Dell switch from the remote site, just doesn't make sense. I have tried playing around with static routes on the SonicWall but just ran into dead ends. I have set up several site-to-site VPNs with SonicWalls with multiple subnets so I am stuck thinking it is the Dell switch.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35153654
You may need to go into the security policies and specifically allow traffic between those subnets.
0

 

Author Comment

by:jcwilets
ID: 35156045
I actually tried that too. I know I am missing something simple but I just keep missing it. The subnets can see each other and I think the key is something to do with the switch being the default gateway. I can't explain why I can ping the SBS at 192.168.0.2 from the remote site when its default gateway is 192.168.0.1 and cannot ping it when its gateway is 192.168.0.254.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35157894
Definitely looks like a problem with the Dell's routing

On the Dell switch, double-check:
Default gateway; should be 192.168.0.1
Subnet mask; should be 255.255.255.0
0
 

Author Comment

by:jcwilets
ID: 35160415
Here is the Dell config.  Any thoughts on this would be appreciated:

!Current Configuration:
!System Description "PowerConnect 6224P, 2.2.0.3, VxWorks5.5.1"
!System Software Version 2.2.0.3
!
configure
vlan database
vlan  2,10,99,254
vlan association subnet 192.168.65.0 255.255.255.0 65
exit
stack
member 1 4
exit
ip address 192.168.99.254 255.255.255.0
ip default-gateway 192.168.99.254
ip address vlan 99
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
bootpdhcprelay enable
bootpdhcprelay serverip 192.168.0.2
ip helper-address 192.168.10.254 192.168.0.2 37
ip helper-address 192.168.10.254 192.168.0.2 49


ip helper-address 192.168.10.254 192.168.0.2 137
ip helper-address 192.168.10.254 192.168.0.2 138
ip helper-address 192.168.254.1 192.168.254.254 37
ip helper-address 192.168.254.1 192.168.254.254 49
ip helper-address 192.168.254.1 192.168.254.254 137
ip helper-address 192.168.254.1 192.168.254.254 138
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 2
name "vpn"
routing
ip address  192.168.1.254  255.255.255.0
no ip proxy-arp
exit
interface vlan 10
name "ShoreTel"
routing
ip address  192.168.10.254  255.255.255.0


no ip proxy-arp
exit
interface vlan 99
name "Management"
exit
interface vlan 254
name "P2P"
routing
ip address  192.168.254.1  255.255.255.0
no ip proxy-arp
exit
username "admin" password b40b6ccca3e502d00861995886ef5b31 level 15 encrypted
!
interface ethernet 1/g1
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g2
switchport mode general


no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,99,254 tagged
exit
!
interface ethernet 1/g3
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g4
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g5
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit


!
interface ethernet 1/g6
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g7
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g8
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g9
switchport mode general


no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g10
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g11
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g12
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit


!
interface ethernet 1/g13
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g14
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g15
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g16
switchport mode general


no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g17
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g18
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g19
switchport mode general


no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g20
switchport mode general
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 2,10,254 tagged
exit
!
interface ethernet 1/g21
no negotiation
speed 100
spanning-tree disable
spanning-tree portfast
switchport mode general
switchport general pvid 254
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 254
switchport general allowed vlan remove 1
exit


!
interface ethernet 1/g23
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
!
interface ethernet 1/g24
switchport mode general
switchport general pvid 10
no switchport general acceptable-frame-type tagged-only
switchport general allowed vlan add 10
switchport general allowed vlan add 2,254 tagged
switchport general allowed vlan add 1 tagged
exit
exit
0
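Added example (not part of the thread or of any participant's post): a longest-prefix route lookup over the routed VLAN interfaces and static default route from the config posted above, to show which path the switch selects for traffic addressed to the remote subnet 192.168.1.0/24 named in the question. The host 192.168.1.50 used with it is a constructed sample address, and the parser handles only the line forms in this excerpt.

```python
import ipaddress
import re

# Excerpt of the posted PowerConnect config: routed VLAN interfaces and the
# static default route only (other lines omitted).
CONFIG = """\
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.0.1
interface vlan 1
routing
ip address  192.168.0.254  255.255.255.0
exit
interface vlan 2
name "vpn"
routing
ip address  192.168.1.254  255.255.255.0
exit
interface vlan 10
name "ShoreTel"
routing
ip address  192.168.10.254  255.255.255.0
exit
"""

def build_routes(config):
    """Return [(network, next_hop_or_None, label)] for connected and static routes."""
    routes, vlan = [], None
    for line in config.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"interface vlan (\d+)", line):
            vlan = m.group(1)
        elif line == "exit":
            vlan = None
        elif (m := re.fullmatch(r"ip address\s+(\S+)\s+(\S+)", line)) and vlan:
            # A routed VLAN interface installs a connected route for its subnet.
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            routes.append((net, None, f"connected vlan {vlan}"))
        elif m := re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            routes.append((net, m.group(3), f"static via {m.group(3)}"))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, the rule an L3 switch applies when forwarding."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[2] if hits else "no route"

def overlaps(routes, remote_subnet):
    """Connected networks that overlap a subnet expected behind the VPN."""
    remote = ipaddress.ip_network(remote_subnet)
    return [lbl for net, hop, lbl in routes if hop is None and net.overlaps(remote)]
```

With this excerpt, `lookup(build_routes(CONFIG), "192.168.1.50")` returns `connected vlan 2` rather than the default route via 192.168.0.1, and `overlaps(..., "192.168.1.0/24")` reports the same interface.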
 
LVL 13

Expert Comment

by:kdearing
ID: 35161117
You have the following in your config:

    ip default-gateway 192.168.99.254
    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

The default-gateway statement should be removed.
If ip routing is enabled, you should use a "gateway of last resort" (ip route 0.0.0.0 0.0.0.0 x.x.x.x) instead.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml
0
 

Author Comment

by:jcwilets
ID: 35162333
Thanks, will give it a try tomorrow and let you know.
0
 

Author Comment

by:jcwilets
ID: 35182402
Sorry for the delay. This did not work. If I remove the ip routing statement all traffic on the switch stops.
0
 
LVL 13

Expert Comment

by:kdearing
ID: 35189590
Remove this:

    ip default-gateway 192.168.99.254

Keep these:

    ip routing
    ip route 0.0.0.0 0.0.0.0 192.168.0.1

0
 

Author Comment

by:jcwilets
ID: 35192887
Tried that too and it didn't work. Think I need to take a step back and start over. I have been trying too many things and think I am stepping on top of myself. One thing I did try with success was to set up the IPsec VPN client for the SonicWall. When the VPN connects it gets a DHCP address from the SBS so it is on the same subnet. Then I add a static route on the SonicWall for the VPN traffic going to 192.168.10.0/24 to point to 192.168.0.254 and it works. Point is I still think it is the Dell configuration that is the problem.
0
 

Author Closing Comment

by:jcwilets
ID: 35209577
Well, I got it figured out. I decided to just start over. So I erased any of the configuration changes to the Dell and completely removed the VPN in the SonicWall. Set up the SonicWall VPN from scratch and added routes for the other subnet from the VPN. This is all it took - no configuration changes on the Dell switch. I thought I had done this before but guess not. Anyway, I awarded the points since you first suggested to check the SonicWall and that is indeed where the problem was.
0
