• Status: Solved
  • Priority: Medium
  • Security: Public

Have to PING to establish connection to other side of the VPN Tunnel


I have two physical sites, Site A and Site B. Both sites have different Private IP schemes. Site A has Domain Controller + Exchange Server 2003 and also has an ISA 2006 server. Site B also has an ISA 2006 server. The ISA servers in both sites make a PPTP site to site VPN. However, Site A actually has a SonicWALL device which is default gateway for all LAN. So for VPN, a reverse route has been added onto SonicWALL.

For some strange reason, every day, any domain user that starts her work in Site B has to PING the server before her Outlook can get connected to the Exchange Server. Similar is the case for any other server. First PING, then any other transport will follow, like Remote Desktop etc.

Just cannot understand what is wrong here. DNS, suffixes etc. are all fine and working.

Please help me understand this scenario.
Ghayur Abbas
Suliman Abu Kharroub (IT Consultant) Commented:
Does nslookup return answers from site B?
Some devices will drop the VPN due to inactivity. I recommend checking for a VPN keep-alive or timeout setting. The VPN will be re-established automatically but unless you have a pay-per-usage connection there's not much reason to let it drop.
Keith Alabaster (Enterprise Architect) Commented:
A quick alternative would be to set up a connectivity verifier in the ISA GUI that checks for the service availability. This is also often used as the keepalive packet.
Ghayur Abbas (Technical Head, Author) Commented:
NSLookup (when done from Site B) does return results from site A. Reverse isn't required as the main AD, DNS and Exchange are in Site A. We have an ADC in Site B configured with DNS Secondary zone. That is not an issue.

See, when I do e.g. "ping DC.SiteA.com" from Site B, it immediately works and returns results. Along with the results, Outlook starts working as well. I have tested it even after doing "IPConfig /flushdns".

The timeout settings for Dial In and PPTP are both set to "NEVER". That should not be an issue too.

Note that earlier, we have been using IPSec VPN Tunnel and such an issue didn't exist.

We discarded IPSec for some reason.

Keith Alabaster (Enterprise Architect) Commented:
Of course it wouldn't - IPsec has its own keepalive.
Ghayur Abbas (Technical Head, Author) Commented:
Thanks all for the support. I figured out this was because of SonicWALL. So, for the DC and other critically required servers, I added a persistent static route on each of them. This way, any client's (Outlook) packet coming from Site B to DC (in Site A) does not have to get routed through SonicWALL on its way back to Site B.
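The return-path problem described in the comment above, as an added example that is not part of the original thread: it models a Site A server's routing table with longest-prefix matching, shows that replies to a Site B client leave via the default gateway instead of the VPN endpoint, and builds the Windows `route -p add` command for the persistent route. All addresses are constructed, and using the Site A ISA server's internal interface as the next hop is an assumption.

```python
import ipaddress

# Constructed addressing (assumptions, not taken from the thread).
SITE_A_NET = "192.168.10.0/24"   # Site A LAN
SITE_B_NET = "192.168.20.0/24"   # Site B LAN
SONICWALL = "192.168.10.1"       # Site A default gateway
ISA_SITE_A = "192.168.10.2"      # assumed ISA 2006 internal interface (VPN endpoint)


def next_hop(routes, dest_ip):
    """Longest-prefix match: the gateway a host uses to reach dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if dest in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def is_asymmetric(routes, client_ip, inbound_gateway):
    """True when replies leave via a different hop than requests arrived on."""
    return next_hop(routes, client_ip) != inbound_gateway


def route_add_command(network, gateway):
    """Build the Windows persistent static route command for a network."""
    net = ipaddress.ip_network(network)
    return f"route -p add {net.network_address} mask {net.netmask} {gateway}"


# Server routing table before the fix: on-link LAN plus the default gateway.
dc_routes = [(SITE_A_NET, "on-link"), ("0.0.0.0/0", SONICWALL)]
# After the fix: a more specific route sends Site B traffic to the VPN endpoint.
fixed_routes = dc_routes + [(SITE_B_NET, ISA_SITE_A)]

if __name__ == "__main__":
    client = "192.168.20.50"  # constructed Site B workstation
    for label, table in (("before", dc_routes), ("after", fixed_routes)):
        print(label, "reply next hop:", next_hop(table, client),
              "asymmetric:", is_asymmetric(table, client, ISA_SITE_A))
    print(route_add_command(SITE_B_NET, ISA_SITE_A))
```

On the server itself, `route print` lists the resulting table, including persistent routes.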
Ghayur Abbas (Technical Head, Author) Commented:
Because none of the answers were applicable to my scenario and I found the solution completely on my own.
Question has a verified solution.