Solved

VPN via SonicWall has stopped working

Posted on 2013-01-14
Last Modified: 2013-02-03
Working with a SonicWall TZ170 and four machines configured to accept remote desktop connections through the SonicWall TZ170. All four VPN connections have worked fine for several months. The machines are three XP workstations and one Windows Server 2008 R2.

Last week the connections stopped working. So far we have the following:

All remote users can successfully connect to the SonicWall.
If they attempt to use RDP to connect to their machine, the connection fails with the usual MS RDP error about "cannot connect, check that the machine has remote access enabled", etc.

Within the premises, RDP to each of the machines works. It is only when the RDP connection is attempted through the firewall that it fails.

In the process of troubleshooting I have:
Turned off Windows firewall
Turned off Vipre Anti-virus business (which does not have a firewall)
No change.

I can ping each machine from a remote machine... but have some odd behavior...

When I ping, I get one reply, then the next three time out. Any subsequent ping attempts receive four timeouts.

If I ping another address, I get identical behavior: one reply, then timeouts, and subsequent attempts get four timeouts.

The "Terminal Services" service (named "Remote Desktop" on the server) is running on all four machines.

Baffled.  Suggestions welcome.
Question by: Tomster2

8 Comments
 
LVL 2

Expert Comment

by:cchighman
ID: 38776230
Sounds like a NATing issue on the router itself. Can you verify that the current running config is accurate? This is assuming the gateway is set to the router without using any routing and remote services from the Win 2008 box.
 
LVL 16

Expert Comment

by:choward16980
ID: 38776263
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_24237489.html
This guy says nuke the router, download newest firmware then reconfigure tunnels and rules.  Should work....  Yikes.


You may try setting up RDP gateway server for terminal services (uses port 443 instead of 3389).  I use it and it has eliminated the brute force attacks my public servers used to see.
 
LVL 2

Expert Comment

by:cchighman
ID: 38776284
Don't nuke it yet.  Post config.
 
LVL 2

Expert Comment

by:cchighman
ID: 38776296
If you're having those types of ping issues, it sounds like a routing issue. It's very likely no public ports will route if 3389 won't, unless you have customized ACLs for it. Post config, and also post the IP, mask, and gateway from one of the clients.
 
LVL 2

Expert Comment

by:cchighman
ID: 38776383
I just reread your post. These remote VPN connections that cannot access RDP and fail after ping strongly point to an ACL or routing rule. It's probably a really quick fix.
 

Accepted Solution

by:Tomster2
ID: 38776396
The ping issue finally turned a light bulb on.

If the ping was not consistent, then any communication could be suspect... so even though no one was experiencing issues with any other programs or server communication, we decided to look at what manages the communication between the SonicWall, the server and the workstations... the switch.

We rebooted the switch and everything is happy again.  We like happy!

Thanks for the additional suggestions... some of them I had thought of, but REALLY wanted to avoid going there if possible. In this case procrastination paid off.
 
LVL 2

Expert Comment

by:cchighman
ID: 38776408
Congratulations :)  Does your switch allow you to see CRC errors or I/O errors? It should also be noticeable from interface stats. You may want to look at the switchover buffers to see if any packets are getting dropped, or at CPU usage. All in all, rebooting premises equipment usually does miracles, but only when the device is either really old or in an environment out of spec for its resources.
0
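Both checks discussed in this thread (the "one reply, then timeouts" ping pattern described in the question, and the per-interface CRC/error counters cchighman suggests looking at) can be scripted so the evidence is collected before anyone reboots or reconfigures a device. The script below is an added example and is not code from anyone in this thread. It runs on constructed sample data (a Windows-style ping transcript and a Cisco IOS-style interface statistics excerpt, both made up for this example); the counter names, line layouts and the 0.1% error threshold are assumptions and must be adapted to the output format of the switch actually in use.

```python
"""Added example: quantify the two symptoms from this thread.

1. Parse ping transcripts and classify the reply pattern. A run that answers
   the first echo request and then loses every later one is distinct from
   plain packet loss: it suggests the first frame got through (e.g. via ARP
   resolution/flooding) and the forwarding path then failed, which points
   at layer-2 gear rather than the VPN or RDP service.
2. Parse switch interface statistics and flag ports whose input error ratio
   or reset count is suspicious, so a failing port or cable can be found
   before the whole switch is rebooted.

All sample data below is constructed; the 'show interfaces' layout and
counter names are assumptions (Cisco IOS-like) and vary by vendor.
"""
import re

# Constructed Windows-style ping output reproducing the reported pattern.
SAMPLE_PING_RUNS = [
    "Pinging 192.168.1.20 with 32 bytes of data:\n"
    "Reply from 192.168.1.20: bytes=32 time=41ms TTL=127\n"
    "Request timed out.\nRequest timed out.\nRequest timed out.",
    "Pinging 192.168.1.20 with 32 bytes of data:\n"
    "Request timed out.\nRequest timed out.\n"
    "Request timed out.\nRequest timed out.",
]


def parse_ping_run(text):
    """Return one boolean per echo request in a ping transcript (True = reply)."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Reply from"):
            results.append(True)
        elif line.startswith("Request timed out") or "unreachable" in line:
            results.append(False)
    return results


def classify_runs(runs):
    """Classify a series of ping runs: healthy, dead, first_then_drop, intermittent."""
    patterns = [parse_ping_run(r) for r in runs]
    flat = [x for p in patterns for x in p]
    if not flat:
        return "no_data"
    if all(flat):
        return "healthy"
    if not any(flat):
        return "dead"
    # Every run is silent after its first request, and at least one run
    # answered that first request: the symptom described in the question.
    silent_after_first = all(not any(p[1:]) for p in patterns)
    first_answered = any(p and p[0] for p in patterns)
    if silent_after_first and first_answered:
        return "first_then_drop"
    return "intermittent"


# Constructed interface statistics; Gi0/2 is deliberately unhealthy.
SAMPLE_IFACE_STATS = """
GigabitEthernet0/1 is up, line protocol is up
     5 minute input rate 12000 bits/sec, 14 packets/sec
     1203948 packets input, 98234112 bytes
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     982311 packets output, 77123441 bytes
     0 output errors, 0 collisions, 0 interface resets
GigabitEthernet0/2 is up, line protocol is up
     5 minute input rate 800 bits/sec, 2 packets/sec
     44120 packets input, 3120002 bytes
     3981 input errors, 3910 CRC, 71 frame, 0 overrun, 0 ignored
     51233 packets output, 4022111 bytes
     12 output errors, 0 collisions, 3 interface resets
"""

IFACE_HEADER = re.compile(r"^(\S+) is \S+, line protocol is \S+")
COUNTER = re.compile(
    r"(\d+) (packets input|input errors|CRC|frame|output errors|interface resets)")


def parse_interface_stats(text):
    """Split IOS-style output into {interface: {counter: value}} (assumed layout)."""
    blocks = re.split(r"^(?=\S+ is \S+, line protocol)", text.strip(), flags=re.M)
    stats = {}
    for block in blocks:
        m = IFACE_HEADER.match(block)
        if not m:
            continue
        stats[m.group(1)] = {key: int(num) for num, key in COUNTER.findall(block)}
    return stats


def flag_bad_interfaces(text, max_error_ratio=0.001, max_resets=0):
    """Return {interface: [reasons]} for ports worth checking before a reboot."""
    flagged = {}
    for name, c in parse_interface_stats(text).items():
        pkts, errs = c.get("packets input", 0), c.get("input errors", 0)
        ratio = errs / pkts if pkts else 0.0
        reasons = []
        if ratio > max_error_ratio:
            reasons.append(f"input errors {errs}/{pkts} ({ratio:.2%}), CRC {c.get('CRC', 0)}")
        if c.get("interface resets", 0) > max_resets:
            reasons.append(f"{c['interface resets']} interface resets")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    print("ping pattern:", classify_runs(SAMPLE_PING_RUNS))
    for iface, why in flag_bad_interfaces(SAMPLE_IFACE_STATS).items():
        print(iface, "->", "; ".join(why))
```

In practice, feed `classify_runs` the captured output of several consecutive `ping` invocations from the remote side of the VPN, and feed `flag_bad_interfaces` the switch's real interface counters (cleared first, then re-read after reproducing the failure, so the numbers reflect the current problem rather than years of history). A port that is accumulating CRC errors or resets while the ping pattern is `first_then_drop` is a far more specific lead than "reboot it and see".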
 

Author Closing Comment

by:Tomster2
ID: 38848312
I came up with the solution that solved the problem, and it was significantly different than the other options suggested.
