SonicWALL Global VPN Client Issue: Could not find domain controller for this domain
Hi guys.
I'm having an issue that I need to resolve ASAP. I've been up till 3am trying to figure out whats wrong, hope you can help.
I'm trying to connect a Windows 7 Enterprise Client to a 2008 R2 Domain Controller via VPN
using SonicWALL GVC v4.2.6.0305, RADIUS and DHCP pass through
I am able to connect to the router, authenticate using domain user credentials, and recieve correct IP, Gateway and DNS
But I am unable to ping any ip on the domain network except the gateway
Here is a sample log for the SonicWALL client:
I then made a reservation on the DHCP to give a specific IP to the VPN virtual MAC, and the connection went through, and I could ping and see all network computers, heres is the log:
As you can see in the last line it resolved the homedir, but after disconnecting and connecting again the problem returned
I'm having an issue that I need to resolve ASAP. I've been up till 3am trying to figure out whats wrong, hope you can help.
I'm trying to connect a Windows 7 Enterprise Client to a 2008 R2 Domain Controller via VPN
using SonicWALL GVC v4.2.6.0305, RADIUS and DHCP pass through
I am able to connect to the router, authenticate using domain user credentials, and recieve correct IP, Gateway and DNS
But I am unable to ping any ip on the domain network except the gateway
Here is a sample log for the SonicWALL client:
01:57:14:821 <local host> The connection "xxxxx.net" has been enabled.
01:57:17:535 xxx.59.13.178 Starting ISAKMP phase 1 negotiation.
01:57:17:675 xxx.59.13.178 Starting aggressive mode phase 1 exchange.
01:57:17:675 xxx.59.13.178 NAT Detected: Local host is behind a NAT device.
01:57:17:675 xxx.59.13.178 The SA lifetime for phase 1 is 28800 seconds.
01:57:17:675 xxx.59.13.178 Phase 1 has completed.
01:57:17:784 xxx.59.13.178 Received XAuth request.
01:57:17:784 xxx.59.13.178 XAuth has requested a username but one has not yet been specified.
01:57:17:784 xxx.59.13.178 Sending phase 1 delete.
01:57:17:784 xxx.59.13.178 User authentication information is needed to complete the connection.
01:57:17:816 <local host> An incoming ISAKMP packet from xxx.59.13.178 was ignored.
01:57:25:958 xxx.59.13.178 Starting ISAKMP phase 1 negotiation.
01:57:26:192 xxx.59.13.178 Starting aggressive mode phase 1 exchange.
01:57:26:192 xxx.59.13.178 NAT Detected: Local host is behind a NAT device.
01:57:26:192 xxx.59.13.178 The SA lifetime for phase 1 is 28800 seconds.
01:57:26:192 xxx.59.13.178 Phase 1 has completed.
01:57:26:270 xxx.59.13.178 Received XAuth request.
01:57:26:270 xxx.59.13.178 Sending XAuth reply.
01:57:26:286 xxx.59.13.178 Received initial contact notify.
01:57:26:364 xxx.59.13.178 Received XAuth status.
01:57:26:364 xxx.59.13.178 Sending XAuth acknowledgement.
01:57:26:364 xxx.59.13.178 User authentication has succeeded.
01:57:26:442 xxx.59.13.178 Received request for policy version.
01:57:26:442 xxx.59.13.178 Sending policy version reply.
01:57:26:520 xxx.59.13.178 Received policy change is not required.
01:57:26:520 xxx.59.13.178 Sending policy acknowledgement.
01:57:26:520 xxx.59.13.178 The configuration for the connection is up to date.
01:57:26:582 xxx.59.13.178 Starting ISAKMP phase 2 negotiation with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP.
01:57:26:582 xxx.59.13.178 Starting quick mode phase 2 exchange.
01:57:26:769 xxx.59.13.178 The SA lifetime for phase 2 is 28800 seconds.
01:57:26:769 xxx.59.13.178 Phase 2 with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP has completed.
01:57:27:019 <local host> Renewing IP address for the virtual interface (00-60-73-2F-68-56).
01:57:27:518 <local host> The virtual interface has been added to the system with IP address 172.20.40.122.
01:57:27:596 <local host> The system ARP cache has been flushed.
01:57:27:674 xxx.59.13.178 NetWkstaUserGetInfo returned: user: klamsr, logon domain: XXXXX, logon server: SKLA-DC01
01:57:42:306 xxx.59.13.178 NetGetDCName failed: Could not find domain controller for this domain.I then made a reservation on the DHCP to give a specific IP to the VPN virtual MAC, and the connection went through, and I could ping and see all network computers, heres is the log:
02:00:58:902 <local host> The connection "xxxxx.net" has been enabled.
02:01:01:663 xxx.59.13.178 Starting ISAKMP phase 1 negotiation.
02:01:01:788 xxx.59.13.178 Starting aggressive mode phase 1 exchange.
02:01:01:788 xxx.59.13.178 NAT Detected: Local host is behind a NAT device.
02:01:01:788 xxx.59.13.178 The SA lifetime for phase 1 is 28800 seconds.
02:01:01:788 xxx.59.13.178 Phase 1 has completed.
02:01:01:866 xxx.59.13.178 Received XAuth request.
02:01:01:866 xxx.59.13.178 XAuth has requested a username but one has not yet been specified.
02:01:01:866 xxx.59.13.178 Sending phase 1 delete.
02:01:01:866 xxx.59.13.178 User authentication information is needed to complete the connection.
02:01:01:913 <local host> An incoming ISAKMP packet from xxx.59.13.178 was ignored.
02:01:08:433 xxx.59.13.178 Starting ISAKMP phase 1 negotiation.
02:01:08:652 xxx.59.13.178 Starting aggressive mode phase 1 exchange.
02:01:08:652 xxx.59.13.178 NAT Detected: Local host is behind a NAT device.
02:01:08:652 xxx.59.13.178 The SA lifetime for phase 1 is 28800 seconds.
02:01:08:652 xxx.59.13.178 Phase 1 has completed.
02:01:08:714 xxx.59.13.178 Received XAuth request.
02:01:08:714 xxx.59.13.178 Sending XAuth reply.
02:01:08:730 xxx.59.13.178 Received initial contact notify.
02:01:08:808 xxx.59.13.178 Received XAuth status.
02:01:08:808 xxx.59.13.178 Sending XAuth acknowledgement.
02:01:08:808 xxx.59.13.178 User authentication has succeeded.
02:01:08:886 xxx.59.13.178 Received request for policy version.
02:01:08:886 xxx.59.13.178 Sending policy version reply.
02:01:08:964 xxx.59.13.178 Received policy change is not required.
02:01:08:964 xxx.59.13.178 Sending policy acknowledgement.
02:01:08:964 xxx.59.13.178 The configuration for the connection is up to date.
02:01:09:042 xxx.59.13.178 Starting ISAKMP phase 2 negotiation with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP.
02:01:09:042 xxx.59.13.178 Starting quick mode phase 2 exchange.
02:01:09:198 xxx.59.13.178 The SA lifetime for phase 2 is 28800 seconds.
02:01:09:198 xxx.59.13.178 Phase 2 with 172.20.40.0/255.255.255.0:BOOTPC:BOOTPS:UDP has completed.
02:01:09:369 <local host> Renewing IP address for the virtual interface (00-60-73-2F-68-56).
02:01:11:616 <local host> The virtual interface has been added to the system with IP address 172.20.40.200.
02:01:11:725 <local host> The system ARP cache has been flushed.
02:01:11:943 xxx.59.13.178 NetWkstaUserGetInfo returned: user: klamsr, logon domain: XXXXX, logon server: SKLA-DC01
02:01:26:950 xxx.59.13.178 NetGetDCName failed: Could not find domain controller for this domain.
02:01:31:022 xxx.59.13.178 NetUserGetInfo returned: home dir: F:, remote dir: \\kla-dc-01\martin, logon script: logon.batAs you can see in the last line it resolved the homedir, but after disconnecting and connecting again the problem returned
ASKER
The Doimain Controller s handing out IPs,
As I've mentioned I made a rule to hand out a specific IP to the client, that is out of the dhcp scope, so I could rule out conflicts.
Maybe I need to do a packet trace? Any advice on how that is done?
As I've mentioned I made a rule to hand out a specific IP to the client, that is out of the dhcp scope, so I could rule out conflicts.
Maybe I need to do a packet trace? Any advice on how that is done?
ASKER
So I installed Wireshark, connected to the VPN and captured some packets.
And what do you know, the ping went through, and all was working as it should, here's a sample packet:
Confused as hell, I disconnected from VPN and connected again, and no network, no ping, nothing:
And what do you know, the ping went through, and all was working as it should, here's a sample packet:
No. Time Source Destination Protocol Length Info
210 502.848256 172.20.40.200 172.20.40.10 DNS 80 Standard query A SKLA-DC01.xxxxxx.net
Frame 210: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: Redcreek_2f:68:56 (00:60:73:2f:68:56), Dst: AsustekC_c3:b8:c8 (bc:ae:c5:c3:b8:c8)
Internet Protocol Version 4, Src: 172.20.40.200 (172.20.40.200), Dst: 172.20.40.10 (172.20.40.10)
User Datagram Protocol, Src Port: 63820 (63820), Dst Port: domain (53)
Domain Name System (query)
[Response In: 212]
Transaction ID: 0x0059
Flags: 0x0100 (Standard query)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
SKLA-DC01.xxxxxx.net: type A, class IN
Name: SKLA-DC01.xxxxxx.net
Type: A (Host address)
Class: IN (0x0001)
No. Time Source Destination Protocol Length Info
211 502.854895 172.20.40.10 172.20.40.200 DNS 96 Standard query response A 172.20.40.10
Frame 211: 96 bytes on wire (768 bits), 96 bytes captured (768 bits)
Ethernet II, Src: Redcreek_2f:68:57 (00:60:73:2f:68:57), Dst: Redcreek_2f:68:56 (00:60:73:2f:68:56)
Internet Protocol Version 4, Src: 172.20.40.10 (172.20.40.10), Dst: 172.20.40.200 (172.20.40.200)
User Datagram Protocol, Src Port: domain (53), Dst Port: 63843 (63843)
Domain Name System (response)
[Request In: 209]
[Time: 0.008122000 seconds]
Transaction ID: 0x10a5
Flags: 0x8580 (Standard query response, No error)
Questions: 1
Answer RRs: 1
Authority RRs: 0
Additional RRs: 0
Queries
SKLA-DC01.xxxxxx.net: type A, class IN
Name: SKLA-DC01.xxxxxx.net
Type: A (Host address)
Class: IN (0x0001)
Answers
SKLA-DC01.xxxxxx.net: type A, class IN, addr 172.20.40.10
Name: SKLA-DC01.xxxxxx.net
Type: A (Host address)
Class: IN (0x0001)
Time to live: 1 hour
Data length: 4
Addr: 172.20.40.10 (172.20.40.10)Confused as hell, I disconnected from VPN and connected again, and no network, no ping, nothing:
No. Time Source Destination Protocol Length Info
133 30.920716 172.20.40.200 172.20.40.10 DNS 80 Standard query A kla-dc-01.xxxxxx.net
Frame 133: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: Redcreek_2f:68:56 (00:60:73:2f:68:56), Dst: AsustekC_c3:b8:c8 (bc:ae:c5:c3:b8:c8)
Internet Protocol Version 4, Src: 172.20.40.200 (172.20.40.200), Dst: 172.20.40.10 (172.20.40.10)
User Datagram Protocol, Src Port: 64712 (64712), Dst Port: domain (53)
Domain Name System (query)
Transaction ID: 0xfbef
Flags: 0x0100 (Standard query)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
kla-dc-01.xxxxxx.net: type A, class IN
Name: kla-dc-01.xxxxxx.net
Type: A (Host address)
Class: IN (0x0001)
No. Time Source Destination Protocol Length Info
144 34.929738 172.20.40.200 172.20.40.10 DNS 80 Standard query A kla-dc-01.xxxxxx.net
Frame 144: 80 bytes on wire (640 bits), 80 bytes captured (640 bits)
Ethernet II, Src: Redcreek_2f:68:56 (00:60:73:2f:68:56), Dst: AsustekC_c3:b8:c8 (bc:ae:c5:c3:b8:c8)
Internet Protocol Version 4, Src: 172.20.40.200 (172.20.40.200), Dst: 172.20.40.10 (172.20.40.10)
User Datagram Protocol, Src Port: 64712 (64712), Dst Port: domain (53)
Domain Name System (query)
Transaction ID: 0xfbef
Flags: 0x0100 (Standard query)
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 0
Queries
kla-dc-01.xxxxxx.net: type A, class IN
Name: kla-dc-01.xxxxxx.net
Type: A (Host address)
Class: IN (0x0001)
Ah, I misunderstood. I thought assigning a static IP resolved the issue. As I read it again, I see where the issue persisted after the reconnect.
Once the VPN is connected, are you seeing anything in the sonicwall logs regarding dropped packets? I'll need to review the log information a little.
Once the VPN is connected, are you seeing anything in the sonicwall logs regarding dropped packets? I'll need to review the log information a little.
ASKER
No, there is nothing about packet loss in the sonicwall logs.
If you need me to capture any specific packets say so, I will do my best.
Thanks
If you need me to capture any specific packets say so, I will do my best.
Thanks
Let's look at the sonicwall for the moment. What model of sonicwall do you have. Is it enhanced OS or standard? Are you up to date on the firmware? If so, what version are you using?
Just an observation but the request that succeeded was sent to DNS server called SKLA-DC01.xxxxxx.net and the one that failed went to DNS server called kla-dc-01.xxxxxx.net. In the first paket capture you sent a DNS request and received a response right away but in the second pcap you sent 2 DNS requests with no response.
Are you getting assigned 2 different DNS server settings via DHCP for your primary DNS? Cuz it looks like on the first attempt your primary DNS was something other then the second connection and you might not have access to the second DNS server via the VPN.
Are you getting assigned 2 different DNS server settings via DHCP for your primary DNS? Cuz it looks like on the first attempt your primary DNS was something other then the second connection and you might not have access to the second DNS server via the VPN.
ASKER
Sonicwall PRO 4060
SonicOS Enhanced 4.2.1.0-20e
SonicROM 3.1.0.2
SonicOS Enhanced 4.2.1.0-20e
SonicROM 3.1.0.2
ASKER
wolwil
I pinged both servers, and one time the pings went through and other time they didn't
I copied different parts of the log in mistake, the servernames should be the same
What I did notice though:
DHCP assigns 2 DNS servers, 172.20.40.10 and 172.20.1.10
When I do get a successful connection I can ping 172.20.40.10, but the other one returns an error
I can connect to the 172.20.40.10 with Microsoft Remote Desktop while on VPN
and the 172.20.40.10 sees the 172.20.1.10 server just fine, it can ping it and connect to it, but the VPN client itself can't
I have a feeling the whole issue is DNS related, but just cant' wrap my head around it...
I pinged both servers, and one time the pings went through and other time they didn't
I copied different parts of the log in mistake, the servernames should be the same
What I did notice though:
DHCP assigns 2 DNS servers, 172.20.40.10 and 172.20.1.10
When I do get a successful connection I can ping 172.20.40.10, but the other one returns an error
I can connect to the 172.20.40.10 with Microsoft Remote Desktop while on VPN
and the 172.20.40.10 sees the 172.20.1.10 server just fine, it can ping it and connect to it, but the VPN client itself can't
I have a feeling the whole issue is DNS related, but just cant' wrap my head around it...
There are a couple of Early Release versions that I'd recommend you consider. Also, I assume you've tried to restart the sonicwall.
ASKER
Restarts do not help
I have little experience upgrading Sonicwall firmware, will I have to reconfigure it?
Because configuring it for the first time was a very long and painful process
I have little experience upgrading Sonicwall firmware, will I have to reconfigure it?
Because configuring it for the first time was a very long and painful process
No. Upgrading is easy. You'll want to get a backup of the settings. You can do this (and should do this on a regular basis as a backup) under System > Settings. From here you can upload new firmware, settings and download settings. You also have the option of creating a current firmware backup that you can download. I typically only download the settings.
Then, download one of the firmware updates and upload it. You then boot from the new firmware using the current settings. DON'T select the factory defaults firmware.
Then, download one of the firmware updates and upload it. You then boot from the new firmware using the current settings. DON'T select the factory defaults firmware.
ASKER
I have updated the Firmware to 4.2.1.4-7e
it's the latest available to me.
I also notices that DHCP over VPN tab had a Relay IP address (giaddr) populated.
After much research I am certain that my setup should work withot Relay IP, just plain forwarding DHCP requests to the Domain Controller, so I disabled it.
No the Sonicwall VPN Client fails to acquire any IP address.
it's the latest available to me.
I also notices that DHCP over VPN tab had a Relay IP address (giaddr) populated.
After much research I am certain that my setup should work withot Relay IP, just plain forwarding DHCP requests to the Domain Controller, so I disabled it.
No the Sonicwall VPN Client fails to acquire any IP address.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks digitap, for helping me track down the problem
I'm confused. The Firewalled Subnets group should have been enough. Did it not include the subnets that are in the other two address objects/groups?
BTW, thanks for the points and glad you got it! These things can be very frustrating when the solution seems so simple.
BTW, thanks for the points and glad you got it! These things can be very frustrating when the solution seems so simple.
ASKER
No, the additional subnets were not included in the Firewalled Subnets goup.
I don't know how sonicwall defines firewalled subnets, but in my case this group only included X1 and X2 interface subnets
I don't know how sonicwall defines firewalled subnets, but in my case this group only included X1 and X2 interface subnets
I see. I believe that if those groups were assigned an interface, then they would have been included in the Firewalled Subnets group. I think it literally means whatever networks are being protected by the sonicwall will be in that group. This would include the interfaces. I assume the address groups were merely there for routes you setup on the sonicwall, correct?
That was sure nice...thanks for the points!
As dumb as I may have been, I figured out why I coulldnt find the domain controller. Under the client tab for virtual adapter settings, I had NONE as the option. As soon as I chose DHCP Lease or ManualConfiguration, I was getting IP addresses. DUH
I use the sonicwall to hand out IP for this reason. It's always worked well for me. Here is an article I wrote on setting that up.
http://bit.ly/py3pvP