Solved

SonicWALL Global VPN Client Issue: Could not find domain controller for this domain

Posted on 2011-09-02
21
5,593 Views
Last Modified: 2016-01-22
Hi guys.

I'm having an issue that I need to resolve ASAP. I've been up till 3am trying to figure out what's wrong, hope you can help.

I'm trying to connect a Windows 7 Enterprise Client to a 2008 R2 Domain Controller via VPN
using SonicWALL GVC v4.2.6.0305, RADIUS and DHCP pass through

I am able to connect to the router, authenticate using domain user credentials, and receive correct IP, Gateway and DNS

But I am unable to ping any ip on the domain network except the gateway

Here is a sample log for the SonicWALL client:
 01:57:14:821	<local host>	The connection "xxxxx.net" has been enabled.
 01:57:17:535	xxx.59.13.178	Starting ISAKMP phase 1 negotiation.
 01:57:17:675	xxx.59.13.178	Starting aggressive mode phase 1 exchange.
 01:57:17:675	xxx.59.13.178	NAT Detected: Local host is behind a NAT device.
 01:57:17:675	xxx.59.13.178	The SA lifetime for phase 1 is 28800 seconds.
 01:57:17:675	xxx.59.13.178	Phase 1 has completed.
 01:57:17:784	xxx.59.13.178	Received XAuth request.
 01:57:17:784	xxx.59.13.178	XAuth has requested a username but one has not yet been specified.
 01:57:17:784	xxx.59.13.178	Sending phase 1 delete.
 01:57:17:784	xxx.59.13.178	User authentication information is needed to complete the connection.
 01:57:17:816	<local host>	An incoming ISAKMP packet from xxx.59.13.178 was ignored.
 01:57:25:958	xxx.59.13.178	Starting ISAKMP phase 1 negotiation.
 01:57:26:192	xxx.59.13.178	Starting aggressive mode phase 1 exchange.
 01:57:26:192	xxx.59.13.178	NAT Detected: Local host is behind a NAT device.
 01:57:26:192	xxx.59.13.178	The SA lifetime for phase 1 is 28800 seconds.
 01:57:26:192	xxx.59.13.178	Phase 1 has completed.
 01:57:26:270	xxx.59.13.178	Received XAuth request.
 01:57:26:270	xxx.59.13.178	Sending XAuth reply.
 01:57:26:286	xxx.59.13.178	Received initial contact notify.
 01:57:26:364	xxx.59.13.178	Received XAuth status.
 01:57:26:364	xxx.59.13.178	Sending XAuth acknowledgement.
 01:57:26:364	xxx.59.13.178	User authentication has succeeded.
 01:57:26:442	xxx.59.13.178	Received request for policy version.
 01:57:26:442	xxx.59.13.178	Sending policy version reply.
 01:57:26:520	xxx.59.13.178	Received policy change is not required.
 01:57:26:520	xxx.59.13.178	Sending policy acknowledgement.
 01:57:26:520	xxx.59.13.178	The configuration for the connection is up to date.
 01:57:26:582	xxx.59.13.178	Starting ISAKMP phase 2 negotiation with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP.
 01:57:26:582	xxx.59.13.178	Starting quick mode phase 2 exchange.
 01:57:26:769	xxx.59.13.178	The SA lifetime for phase 2 is 28800 seconds.
 01:57:26:769	xxx.59.13.178	Phase 2 with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP has completed.
 01:57:27:019	<local host>	Renewing IP address for the virtual interface (00-60-73-2F-68-56).
 01:57:27:518	<local host>	The virtual interface has been added to the system with IP address 172.20.40.122.
 01:57:27:596	<local host>	The system ARP cache has been flushed.
 01:57:27:674	xxx.59.13.178	NetWkstaUserGetInfo returned: user: klamsr, logon domain: XXXXX, logon server: SKLA-DC01
 01:57:42:306	xxx.59.13.178	NetGetDCName failed: Could not find domain controller for this domain.



I then made a reservation on the DHCP to give a specific IP to the VPN virtual MAC, and the connection went through, and I could ping and see all network computers, here is the log:
 02:00:58:902	<local host>	The connection "xxxxx.net" has been enabled.
 02:01:01:663	xxx.59.13.178	Starting ISAKMP phase 1 negotiation.
 02:01:01:788	xxx.59.13.178	Starting aggressive mode phase 1 exchange.
 02:01:01:788	xxx.59.13.178	NAT Detected: Local host is behind a NAT device.
 02:01:01:788	xxx.59.13.178	The SA lifetime for phase 1 is 28800 seconds.
 02:01:01:788	xxx.59.13.178	Phase 1 has completed.
 02:01:01:866	xxx.59.13.178	Received XAuth request.
 02:01:01:866	xxx.59.13.178	XAuth has requested a username but one has not yet been specified.
 02:01:01:866	xxx.59.13.178	Sending phase 1 delete.
 02:01:01:866	xxx.59.13.178	User authentication information is needed to complete the connection.
 02:01:01:913	<local host>	An incoming ISAKMP packet from xxx.59.13.178 was ignored.
 02:01:08:433	xxx.59.13.178	Starting ISAKMP phase 1 negotiation.
 02:01:08:652	xxx.59.13.178	Starting aggressive mode phase 1 exchange.
 02:01:08:652	xxx.59.13.178	NAT Detected: Local host is behind a NAT device.
 02:01:08:652	xxx.59.13.178	The SA lifetime for phase 1 is 28800 seconds.
 02:01:08:652	xxx.59.13.178	Phase 1 has completed.
 02:01:08:714	xxx.59.13.178	Received XAuth request.
 02:01:08:714	xxx.59.13.178	Sending XAuth reply.
 02:01:08:730	xxx.59.13.178	Received initial contact notify.
 02:01:08:808	xxx.59.13.178	Received XAuth status.
 02:01:08:808	xxx.59.13.178	Sending XAuth acknowledgement.
 02:01:08:808	xxx.59.13.178	User authentication has succeeded.
 02:01:08:886	xxx.59.13.178	Received request for policy version.
 02:01:08:886	xxx.59.13.178	Sending policy version reply.
 02:01:08:964	xxx.59.13.178	Received policy change is not required.
 02:01:08:964	xxx.59.13.178	Sending policy acknowledgement.
 02:01:08:964	xxx.59.13.178	The configuration for the connection is up to date.
 02:01:09:042	xxx.59.13.178	Starting ISAKMP phase 2 negotiation with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP.
 02:01:09:042	xxx.59.13.178	Starting quick mode phase 2 exchange.
 02:01:09:198	xxx.59.13.178	The SA lifetime for phase 2 is 28800 seconds.
 02:01:09:198	xxx.59.13.178	Phase 2 with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP has completed.
 02:01:09:369	<local host>	Renewing IP address for the virtual interface (00-60-73-2F-68-56).
 02:01:11:616	<local host>	The virtual interface has been added to the system with IP address 172.20.40.200.
 02:01:11:725	<local host>	The system ARP cache has been flushed.
 02:01:11:943	xxx.59.13.178	NetWkstaUserGetInfo returned: user: klamsr, logon domain: XXXXX, logon server: SKLA-DC01
 02:01:26:950	xxx.59.13.178	NetGetDCName failed: Could not find domain controller for this domain.
 02:01:31:022	xxx.59.13.178	NetUserGetInfo returned: home dir: F:, remote dir: \\kla-dc-01\martin, logon script: logon.bat



As you can see in the last line it resolved the homedir, but after disconnecting and connecting again the problem returned.
0
Question by:Masterrer
21 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 36473267
What's handing out IPs? It's possible that the GVC is getting an IP that's already been assigned. On the 2008 server, go into the DHCP console, expand the server and right-click IPv4 selecting Properties. Click the Advanced tab and make sure the conflict detection number is greater than 0 and less than 6. This is the number of pings it attempts before assigning an IP or not.

I use the sonicwall to hand out IP for this reason. It's always worked well for me. Here is an article I wrote on setting that up.

http://bit.ly/py3pvP
0
 

Author Comment

by:Masterrer
ID: 36473426
The Domain Controller is handing out IPs.
As I've mentioned, I made a rule to hand out a specific IP to the client, that is out of the DHCP scope, so I could rule out conflicts.

Maybe I need to do a packet trace? Any advice on how that is done?
0
 

Author Comment

by:Masterrer
ID: 36473660
So I installed Wireshark, connected to the VPN and captured some packets.

And what do you know, the ping went through, and all was working as it should, here's a sample packet:
No.     Time        Source                Destination           Protocol Length Info
    210 502.848256  172.20.40.200         172.20.40.10          DNS      80     Standard query A SKLA-DC01.xxxxxx.net

Frame 210: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: Redcreek_2f:68:56 (00:60:73:2f:68:56), Dst: AsustekC_c3:b8:c8 (bc:ae:c5:c3:b8:c8)
Internet Protocol Version 4, Src: 172.20.40.200 (172.20.40.200), Dst: 172.20.40.10 (172.20.40.10)
User Datagram Protocol, Src Port: 63820 (63820), Dst Port: domain (53)
Domain Name System (query)
    [Response In: 212]
    Transaction ID: 0x0059
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        SKLA-DC01.xxxxxx.net: type A, class IN
            Name: SKLA-DC01.xxxxxx.net
            Type: A (Host address)
            Class: IN (0x0001)

No.     Time        Source                Destination           Protocol Length Info
    211 502.854895  172.20.40.10          172.20.40.200         DNS      96     Standard query response A 172.20.40.10

Frame 211: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Redcreek_2f:68:57 (00:60:73:2f:68:57), Dst: Redcreek_2f:68:56 (00:60:73:2f:68:56)
Internet Protocol Version 4, Src: 172.20.40.10 (172.20.40.10), Dst: 172.20.40.200 (172.20.40.200)
User Datagram Protocol, Src Port: domain (53), Dst Port: 63843 (63843)
Domain Name System (response)
    [Request In: 209]
    [Time: 0.008122000 seconds]
    Transaction ID: 0x10a5
    Flags: 0x8580 (Standard query response, No error)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        SKLA-DC01.xxxxxx.net: type A, class IN
            Name: SKLA-DC01.xxxxxx.net
            Type: A (Host address)
            Class: IN (0x0001)
    Answers
        SKLA-DC01.xxxxxx.net: type A, class IN, addr 172.20.40.10
            Name: SKLA-DC01.xxxxxx.net
            Type: A (Host address)
            Class: IN (0x0001)
            Time to live: 1 hour
            Data length: 4
            Addr: 172.20.40.10 (172.20.40.10)




Confused as hell, I disconnected from VPN and connected again, and no network, no ping, nothing:
No.     Time        Source                Destination           Protocol Length Info
    133 30.920716   172.20.40.200         172.20.40.10          DNS      80     Standard query A kla-dc-01.xxxxxx.net

Frame 133: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: Redcreek_2f:68:56 (00:60:73:2f:68:56), Dst: AsustekC_c3:b8:c8 (bc:ae:c5:c3:b8:c8)
Internet Protocol Version 4, Src: 172.20.40.200 (172.20.40.200), Dst: 172.20.40.10 (172.20.40.10)
User Datagram Protocol, Src Port: 64712 (64712), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0xfbef
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        kla-dc-01.xxxxxx.net: type A, class IN
            Name: kla-dc-01.xxxxxx.net
            Type: A (Host address)
            Class: IN (0x0001)

No.     Time        Source                Destination           Protocol Length Info
    144 34.929738   172.20.40.200         172.20.40.10          DNS      80     Standard query A kla-dc-01.xxxxxx.net

Frame 144: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: Redcreek_2f:68:56 (00:60:73:2f:68:56), Dst: AsustekC_c3:b8:c8 (bc:ae:c5:c3:b8:c8)
Internet Protocol Version 4, Src: 172.20.40.200 (172.20.40.200), Dst: 172.20.40.10 (172.20.40.10)
User Datagram Protocol, Src Port: 64712 (64712), Dst Port: domain (53)
Domain Name System (query)
    Transaction ID: 0xfbef
    Flags: 0x0100 (Standard query)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries
        kla-dc-01.xxxxxx.net: type A, class IN
            Name: kla-dc-01.xxxxxx.net
            Type: A (Host address)
            Class: IN (0x0001)


0
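The two captures above make the symptom concrete: the working session shows a query answered within milliseconds, the failing one shows the same transaction ID (0xfbef) sent twice about four seconds apart with no reply at all. Pairing queries with responses by transaction ID is the quickest way to tell "DNS server is unreachable from this client" apart from "DNS server answered something the client didn't like". The following script is an added example, not code from the thread or from Wireshark: it parses a constructed sample in the layout of a Wireshark text export (summary line plus the decoded DNS detail; addresses and transaction IDs mirror the thread, while the response for 0x0059 is constructed so the first exchange pairs cleanly) and reports, per client and transaction ID, how many attempts were made, whether any response arrived, and the gap between first and last retransmission.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of a Wireshark text export ("No. Time Source
# Destination Protocol Length Info" summary line, then the decoded DNS detail).
# Client/server addresses and transaction IDs mirror the thread; the response
# for 0x0059 is constructed so that the first exchange pairs up cleanly.
SAMPLE_EXPORT = """\
No.     Time        Source                Destination           Protocol Length Info
    210 502.848256  172.20.40.200         172.20.40.10          DNS      80     Standard query A SKLA-DC01.xxxxxx.net

Domain Name System (query)
    Transaction ID: 0x0059
    Flags: 0x0100 (Standard query)

No.     Time        Source                Destination           Protocol Length Info
    211 502.854895  172.20.40.10          172.20.40.200         DNS      96     Standard query response A 172.20.40.10

Domain Name System (response)
    Transaction ID: 0x0059
    Flags: 0x8580 (Standard query response, No error)

No.     Time        Source                Destination           Protocol Length Info
    133 30.920716   172.20.40.200         172.20.40.10          DNS      80     Standard query A kla-dc-01.xxxxxx.net

Domain Name System (query)
    Transaction ID: 0xfbef
    Flags: 0x0100 (Standard query)

No.     Time        Source                Destination           Protocol Length Info
    144 34.929738   172.20.40.200         172.20.40.10          DNS      80     Standard query A kla-dc-01.xxxxxx.net

Domain Name System (query)
    Transaction ID: 0xfbef
    Flags: 0x0100 (Standard query)
"""

SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"\s+DNS\s+\d+\s+(?P<info>.+)$")
TXID_RE = re.compile(r"Transaction ID:\s*0x([0-9a-fA-F]+)")
FLAGS_RE = re.compile(r"Flags:\s*0x([0-9a-fA-F]+)")


def parse_dns_frames(text):
    """Return one dict per DNS frame: frame no., time, src, dst, info, txid, is_response."""
    frames, current, in_dns = [], None, False
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            current = {"frame": int(m["frame"]), "time": float(m["time"]),
                       "src": m["src"], "dst": m["dst"], "info": m["info"].strip(),
                       "txid": None, "is_response": None}
            frames.append(current)
            in_dns = False
            continue
        if current is None:
            continue
        if line.startswith("Domain Name System"):
            in_dns = True          # only read IDs/flags from the DNS layer, not IP/UDP
            continue
        if not in_dns:
            continue
        m = TXID_RE.search(line)
        if m:
            current["txid"] = int(m.group(1), 16)
            continue
        m = FLAGS_RE.search(line)
        if m:
            # The QR bit (0x8000) distinguishes a response from a query
            current["is_response"] = bool(int(m.group(1), 16) & 0x8000)
    return frames


def correlate(frames):
    """Pair queries with responses by (client address, transaction ID) and
    report attempts, whether any response arrived, and the retransmit gap."""
    groups = defaultdict(lambda: {"queries": [], "responses": []})
    for f in frames:
        if f["txid"] is None or f["is_response"] is None:
            continue
        client = f["dst"] if f["is_response"] else f["src"]
        groups[(client, f["txid"])]["responses" if f["is_response"] else "queries"].append(f)
    report = []
    for (client, txid), g in sorted(groups.items()):
        if not g["queries"]:
            continue          # response with no captured query: nothing to judge
        first, last = g["queries"][0], g["queries"][-1]
        report.append({
            "client": client,
            "txid": txid,
            "name": first["info"].split()[-1],
            "attempts": len(g["queries"]),
            "answered": bool(g["responses"]),
            "retransmit_gap": round(last["time"] - first["time"], 6),
        })
    return report


def unanswered(report):
    """Names queried (possibly several times) that never got a reply."""
    return [r["name"] for r in report if not r["answered"]]


if __name__ == "__main__":
    for r in correlate(parse_dns_frames(SAMPLE_EXPORT)):
        status = "answered" if r["answered"] else "NO RESPONSE"
        print(f"{r['client']} txid=0x{r['txid']:04x} {r['name']}: "
              f"{r['attempts']} attempt(s), {status}, gap={r['retransmit_gap']}s")
```

Run against a real export (File > Export Packet Dissections > As Plain Text, with packet details enabled), a run of unanswered entries for one client all aimed at the same server, with the same transaction ID repeated, points at a path or policy problem between the client and that server rather than at the DNS data itself; a query that is answered but with a non-zero RCODE would show up as "answered" here and needs a different diagnosis.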
 
LVL 33

Expert Comment

by:digitap
ID: 36473825
Ah, I misunderstood. I thought assigning a static IP resolved the issue. As I read it again, I see where the issue persisted after the reconnect.

Once the VPN is connected, are you seeing anything in the sonicwall logs regarding dropped packets? I'll need to review the log information a little.
0
 

Author Comment

by:Masterrer
ID: 36474030
No, there is nothing about packet loss in the sonicwall logs.

If you need me to capture any specific packets say so, I will do my best.

Thanks
0
 
LVL 33

Expert Comment

by:digitap
ID: 36474118
Let's look at the sonicwall for the moment. What model of sonicwall do you have. Is it enhanced OS or standard? Are you up to date on the firmware? If so, what version are you using?
0
 
LVL 1

Expert Comment

by:wolwil
ID: 36475926
Just an observation but the request that succeeded was sent to DNS server called SKLA-DC01.xxxxxx.net and the one that failed went to DNS server called kla-dc-01.xxxxxx.net.  In the first packet capture you sent a DNS request and received a response right away but in the second pcap you sent 2 DNS requests with no response.

Are you getting assigned 2 different DNS server settings via DHCP for your primary DNS?  Cuz it looks like on the first attempt your primary DNS was something other than the second connection and you might not have access to the second DNS server via the VPN.
0
 

Author Comment

by:Masterrer
ID: 36527160
Sonicwall PRO 4060
SonicOS Enhanced 4.2.1.0-20e
SonicROM 3.1.0.2
0
 

Author Comment

by:Masterrer
ID: 36527178
wolwil

I pinged both servers, and one time the pings went through and other time they didn't.
I copied different parts of the log by mistake, the server names should be the same.

What I did notice though:
DHCP assigns 2 DNS servers, 172.20.40.10 and 172.20.1.10
When I do get a successful connection I can ping 172.20.40.10, but the other one returns an error

I can connect to the 172.20.40.10 with Microsoft Remote Desktop while on VPN
and the 172.20.40.10 sees the 172.20.1.10 server just fine, it can ping it and connect to it, but the VPN client itself can't


I have a feeling the whole issue is DNS related, but just can't wrap my head around it...
0
 
LVL 33

Expert Comment

by:digitap
ID: 36527179
There are a couple of Early Release versions that I'd recommend you consider. Also, I assume you've tried to restart the sonicwall.
0
 

Author Comment

by:Masterrer
ID: 36527233
Restarts do not help

I have little experience upgrading Sonicwall firmware, will I have to reconfigure it?
Because configuring it for the first time was a very long and painful process
0
 
LVL 33

Expert Comment

by:digitap
ID: 36527254
No. Upgrading is easy. You'll want to get a backup of the settings. You can do this (and should do this on a regular basis as a backup) under System > Settings. From here you can upload new firmware, settings and download settings. You also have the option of creating a current firmware backup that you can download. I typically only download the settings.

Then, download one of the firmware updates and upload it. You then boot from the new firmware using the current settings. DON'T select the factory defaults firmware.
0
 

Author Comment

by:Masterrer
ID: 36535756
I have updated the Firmware to 4.2.1.4-7e
it's the latest available to me.

I also noticed that the DHCP over VPN tab had a Relay IP address (giaddr) populated.
After much research I am certain that my setup should work without Relay IP, just plain forwarding DHCP requests to the Domain Controller, so I disabled it.

Now the SonicWall VPN Client fails to acquire any IP address.
0
 
LVL 33

Assisted Solution

by:digitap
digitap earned 100 total points
ID: 36536488
OK, the next thing I would try is setting up my GVC hosts with a different subnet and DHCP server. Currently, I use the sw to provide IP to my GVC hosts. If I already have a client using the WLAN zone for wireless, then I use that interface. If they don't, then I configure it. I have created an EE article on how to set this up. Review it and see if it's something you might want to consider. If so, I can help you with the setup.


http://rdsrc.us/sQzMI8
0
 

Accepted Solution

by:
Masterrer earned 0 total points
ID: 36542963
I finally found the solution, if anyone has similar issues, go to
Users -> Local Users -> Expand All Radius Users -> Click Configure next to Trusted Users -> Select the VPN Access tab and select ONLY the networks that VPN users should have access to, this includes any LOCAL network that may be part of other VPNs

My settings include:
Firewalled Subnets
custom Old Local Subnet (some legacy stuff running on it that we haven't migrated yet)
custom VPN Group (includes all subnets that connect us to other offices)

Made extensive tests, everything is working perfectly

This document made me look in the right direction:
http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=3523
0
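The fix above is a least-privilege grant that was one subnet too narrow: the VPN Access list decides which destination networks the firewall forwards for a RADIUS user, so anything the client is told to use (the second DNS server at 172.20.1.10 in this thread, which the client could not reach while the DC could) but that sits outside the granted networks is silently dropped. The script below is an added example, not code from the thread or from SonicWALL: it models the VPN Access selection as a list of named address objects, checks that every host a client is handed by DHCP falls inside some granted network, and lists granted objects that cover none of those hosts so each extra grant can be confirmed as deliberate. The address-object contents (the X1/X2 subnets, the legacy subnet, the remote-office ranges) are not given on the page and are assumptions; the two DNS server addresses come from the thread.

```python
import ipaddress

# Constructed address objects standing in for the SonicWALL "VPN Access" entries
# named in the thread. The subnets behind X1/X2, the legacy subnet and the
# remote-office ranges are not given on the page, so these are assumptions.
ADDRESS_OBJECTS = {
    "Firewalled Subnets": ["172.20.40.0/24", "172.20.41.0/24"],  # assumed X1/X2 LANs
    "Old Local Subnet": ["172.20.1.0/24"],                        # assumed legacy LAN
    "VPN Group": ["10.50.0.0/16", "10.60.0.0/16"],                # assumed site-to-site peers
}

# Hosts a VPN client must reach for domain logon to work: the two DNS servers
# DHCP hands out in the thread (the first is also the logon DC).
REQUIRED_HOSTS = {
    "primary DNS / DC": "172.20.40.10",
    "secondary DNS": "172.20.1.10",
}


def granted_networks(selected):
    """Flatten the selected address objects into ip_network objects."""
    return [ipaddress.ip_network(cidr)
            for name in selected for cidr in ADDRESS_OBJECTS[name]]


def unreachable_hosts(selected, required=REQUIRED_HOSTS):
    """Required hosts that no granted network covers: traffic to these is
    dropped for the VPN user, DNS and DC-locator lookups included."""
    nets = granted_networks(selected)
    return {label: addr for label, addr in required.items()
            if not any(ipaddress.ip_address(addr) in n for n in nets)}


def objects_not_needed(selected, required=REQUIRED_HOSTS):
    """Selected objects that cover none of the required hosts. Not necessarily
    wrong (routes to other offices may be wanted), but each should be a
    deliberate grant rather than a leftover."""
    ips = [ipaddress.ip_address(a) for a in required.values()]
    return [name for name in selected
            if not any(ip in ipaddress.ip_network(c)
                       for c in ADDRESS_OBJECTS[name] for ip in ips)]


def review(selected):
    """One-shot review of a VPN Access selection."""
    return {
        "unreachable": unreachable_hosts(selected),
        "not_needed": objects_not_needed(selected),
    }


if __name__ == "__main__":
    before = ["Firewalled Subnets"]                                 # the grant before the fix
    after = ["Firewalled Subnets", "Old Local Subnet", "VPN Group"]  # the grant after it
    print("before fix:", review(before))
    print("after fix: ", review(after))
```

With only "Firewalled Subnets" selected the review reports the secondary DNS server as unreachable, which is the pattern Masterrer describes; with all three objects selected nothing is unreachable and "VPN Group" is flagged only as a grant to confirm, not as an error. The same check is worth running whenever the DHCP scope that serves VPN clients changes its DNS or WINS options, since those addresses have to stay inside the granted networks.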
 

Author Closing Comment

by:Masterrer
ID: 36565429
Thanks digitap, for helping me track down the problem
0
 
LVL 33

Expert Comment

by:digitap
ID: 36543088
I'm confused. The Firewalled Subnets group should have been enough. Did it not include the subnets that are in the other two address objects/groups?

BTW, thanks for the points and glad you got it! These things can be very frustrating when the solution seems so simple.
0
 

Author Comment

by:Masterrer
ID: 36547981
No, the additional subnets were not included in the Firewalled Subnets group.

I don't know how sonicwall defines firewalled subnets, but in my case this group only included X1 and X2 interface subnets
0
 
LVL 33

Expert Comment

by:digitap
ID: 36549323
I see. I believe that if those groups were assigned an interface, then they would have been included in the Firewalled Subnets group. I think it literally means whatever networks are being protected by the sonicwall will be in that group. This would include the interfaces. I assume the address groups were merely there for routes you setup on the sonicwall, correct?
0
 
LVL 33

Expert Comment

by:digitap
ID: 36567521
That was sure nice...thanks for the points!
0
 

Expert Comment

by:michaelcarrcpa
ID: 41427618
As dumb as I may have been, I figured out why I couldn't find the domain controller. Under the client tab for virtual adapter settings, I had NONE as the option. As soon as I chose DHCP Lease or Manual Configuration, I was getting IP addresses. DUH
0
