Sonicwall Site to Site VPN DHCP issues

Experts,

We are having problems with DHCP over VPN on our site to site.  The main campus has a TZ210 and the remote has a TZ105.  They are set to deliver DHCP addresses from our internal server to the remote site.  Everything has worked fine for the last couple months until yesterday when out of the blue the remote site quit receiving addresses.  I have restarted both firewalls, the DHCP server, and nothing has changed in the firewall settings.  Does anyone have any idea what could cause this?  The DHCP server is working perfectly on the main campus, just not over VPN.  I also tried a global VPN client on a single laptop that worked before yesterday as well, no luck.  Any help would be greatly appreciated!
plainsschoolsAsked:
Blue Street TechLast KnightCommented:
Hi plainsschools,

Where is the DHCP Server being hosted on the server or the SonicWALL? If it's hosted on a Server outside of the SonicWALL you need to setup pass-through for the DHCP server.

Please verify your setup of the DHCP over site-to-site VPN here: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7583
0
plainsschoolsAuthor Commented:
The DHCP server is on the central site behind the TZ210.  Up until two days ago the remote site received addresses fine, then all of a sudden they just quit.  Since then it has been intermittent: it will work for a few minutes, then will not pass the addresses again.  The guide you posted is the exact guide I used when setting up the site to site.  Thanks!
0
Blue Street TechLast KnightCommented:
Sorry, been swamped recently. Make sure the DHCP Server on the SonicWALL is fully disabled.
0
Blue Street TechLast KnightCommented:
Any update on this?
0
convergintCommented:
Are the devices at the remote site getting a 169.x.x.x address or something else?  Perhaps there is a rogue DHCP server that popped up at the remote site that is handing out IP addresses.

I assume there has been no changes in the network topology at the remote site either?
0
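The rogue-DHCP possibility raised above can be checked from a packet capture on the remote LAN. The following is an added example, not code from the thread or from SonicWALL: it parses constructed DHCP capture summary lines, flags any DHCPOFFER or DHCPACK whose server identifier is not the authorised central-site server or whose offered address falls outside the remote subnet, and classifies a client's current address as APIPA (169.254.x.x) or not. The server address 10.1.0.5, the remote subnet 10.2.0.0/24 and the log format are assumptions.

```python
"""Flag DHCP offers from unexpected servers in a capture summary (added example)."""
import ipaddress
import re

# Constructed sample lines modelled on a DHCP capture summary; not from the thread.
# Format: "<time> <client-mac> <msg-type> server=<ip|-> yiaddr=<ip|->"
SAMPLE_LINES = """\
10:00:01 00:11:22:33:44:55 DHCPDISCOVER server=- yiaddr=-
10:00:01 00:11:22:33:44:55 DHCPOFFER server=10.1.0.5 yiaddr=10.2.0.50
10:00:01 00:11:22:33:44:55 DHCPOFFER server=10.2.0.99 yiaddr=192.168.1.20
10:00:02 00:11:22:33:44:55 DHCPACK server=10.2.0.99 yiaddr=192.168.1.20
10:00:05 66:77:88:99:aa:bb DHCPOFFER server=10.1.0.5 yiaddr=10.2.0.51
"""

AUTHORISED_SERVERS = {"10.1.0.5"}                  # assumed: central-site DHCP server
REMOTE_LAN = ipaddress.ip_network("10.2.0.0/24")   # assumed: remote-site subnet
APIPA = ipaddress.ip_network("169.254.0.0/16")     # self-assigned range clients fall back to

LINE_RE = re.compile(r"^(\S+) (\S+) (DHCP\w+) server=(\S+) yiaddr=(\S+)$")


def parse_line(line):
    """Return a dict for a well-formed summary line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, mac, mtype, server, yiaddr = m.groups()
    return {"ts": ts, "mac": mac, "type": mtype, "server": server, "yiaddr": yiaddr}


def find_rogue_offers(text, authorised=AUTHORISED_SERVERS, lan=REMOTE_LAN):
    """Return (line-dict, reasons) pairs for offers/acks that look rogue."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] not in ("DHCPOFFER", "DHCPACK"):
            continue
        reasons = []
        if rec["server"] not in authorised:
            reasons.append("server %s not authorised" % rec["server"])
        if rec["yiaddr"] != "-" and ipaddress.ip_address(rec["yiaddr"]) not in lan:
            reasons.append("offered address %s outside %s" % (rec["yiaddr"], lan))
        if reasons:
            findings.append((rec, reasons))
    return findings


def rogue_servers(text, authorised=AUTHORISED_SERVERS, lan=REMOTE_LAN):
    """Distinct server identifiers that produced a flagged offer or ack."""
    return sorted({rec["server"] for rec, _ in find_rogue_offers(text, authorised, lan)})


def is_apipa(addr):
    """True if a client address is in the 169.254.0.0/16 self-assigned range."""
    return ipaddress.ip_address(addr) in APIPA


if __name__ == "__main__":
    for rec, reasons in find_rogue_offers(SAMPLE_LINES):
        print(rec["ts"], rec["mac"], rec["type"], "; ".join(reasons))
```

A client showing a 169.254.x.x address (as the asker reports) means no offer was accepted at all; a client showing an address from a subnet nobody configured points at a second server answering first, which is what the second block of sample lines models.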
plainsschoolsAuthor Commented:
Nope, no changes in topology at all, fine one day, broken the next at 10 am.  The devices are getting the generic 169.x addresses when the DHCP fails to give them an address.  Now the problem has changed slightly, as now once in a while the DHCP server will give an address only for the device to lose connection a short time later. And yes, the DHCP server on the SonicWALL is fully disabled.  Thanks for the ideas, sorry for the response delay, I have been swamped as well.
0
plainsschoolsAuthor Commented:
Have found that nearly every address that our DHCP server does supply to the nodes on the other side of the VPN signals an IP spoofing alert in the firewall.  It seems that it is literally every machine on the remote side of the VPN...
0
Blue Street TechLast KnightCommented:
Is one of the connections a PPPoE connection by chance? If so, you will need to change the PPPoE's subnet to avoid IP Spoofing from occurring in this manner.

Otherwise, IP spoof log messages are caused when the SonicWALL sees an IP address on one segment that it believes belongs on another segment. For instance, an IP spoof will be logged if the SonicWALL sees an IP address on the LAN that it believes belongs on the WAN.

IP Spoof messages are generally indicative of malicious attempts to access a network, but they can also result from bad network or VPN routes. The log message shows the packet was detected and dropped.
0
Blue Street TechLast KnightCommented:
What routes do you have setup for VPN?

Also please answer the questions above. Thanks!
0
plainsschoolsAuthor Commented:
The remote connection is a PPPoE connection on DSL.  I cannot change anything in that router, it is managed by the ISP, so I have contacted them on it as well.  It is strange, however, that it worked for two months without a single IP spoof alert, then all of a sudden it started alerting on every IP within the remote network... I am still guessing that may be where the problem is, as you mentioned.  I have not manually set any routes for the site to site VPN, I just did the VPN wizard through the SonicWALL firewalls so everyone on the remote network has access to the file servers on the main network.
0
Blue Street TechLast KnightCommented:
Doesn't the PPPoE connection have a SonicWALL on it though?

SonicOS has fully supported PPPoE WAN Connectivity for about ten years. SonicOS uses an artificial value of 255.255.255.0 by default.  In most cases, no adjustments need to be made to this subnet mask. But there are certain circumstances where you may need to.

The PPP protocol is unusual and subnet masks are actually irrelevant to the host's IP settings.  That is why the typical display of a PPP adapter connected in Windows will show a subnet mask of 255.255.255.255, and even the gateway IP is usually set to the same value as the acquired IP address.  SonicOS can use this same "slash 32" subnet mask - 255.255.255.255 - or other values like 255.255.255.240.  In some cases, like yours or when you have multiple WAN connections, you may need to change this.

Here is an example scenario, the PPPoE DSL provider is connected to SonicWALL firewall's X1 interface, and gives the firewall a dynamic IP address 67.118.188.190 (and SonicOS uses 255.255.255.0 by default).  Also, the firewall has a second WAN connected on X2, using a static IP of 49.49.49.2 w/ a gateway router of 49.49.49.1.  Now, with this multiple WAN scenario, sometimes you may need to access a server or host (other firewall) whose IP address is in the same public range as the PPPoE (e.g., 67.118.188.233).

If the firewall has traffic going out their X2 WAN trying to reach the 67.118.188.233 server, it will fail, and SonicOS will log the attempt as an IP Spoof alert.  This is because SonicOS has a directly-connected route statement for the entire subnet 67.118.188.0 / 255.255.255.0 (slash 24 network), tied to the X1 interface.  This route tells the SonicWALL firewall to expect traffic only on that interface and not to allow it on others.  This kind of strict enforcement of IP subnet locations is central to the security functions of most firewalls. It is simple to solve using the method below:

Customize the default 255.255.255.0 PPPoE Subnet mask in SonicOS Enhanced to avoid IP Spoof alerts.

1. Log into the SonicWALL firewall's web management UI and you will see this in the address bar:
http(s)://<IP-address>/main.html

2. Edit the URL in the address bar of your browser so that it reads:
http(s)://<IP-address>/diag.html and hit enter.

3. Once you are in the diag page, click the "Internal Settings" button, then scroll down until you find the PPPoE Settings section.

The PPPoE Client Subnet Mask on the SonicWALL will work fine when we change the PPPoE net mask on the diag.html from "255.255.255.0" to "255.255.255.255" (which is the same as the subnet mask provided by the PPPoE Server when a PC is directly connected to Modem).

4. After changing the subnet mask, disconnect the PPPoE connection from the SonicWALL and connect it again. The subnet mask will take effect on that new connection.
Let me know how it goes!
0
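The directly-connected-route behaviour described in the answer above can be modelled in a few lines. The following is an added example, not SonicOS code or anything from the thread: each WAN interface contributes a connected route for its subnet, and a packet whose address belongs to a connected subnet but is seen on a different interface is classified as spoofed. It uses the answer's own example addresses (X1 on 67.118.188.190 via PPPoE, X2 on 49.49.49.2, a remote host at 67.118.188.233) and shows that the alert disappears once the PPPoE mask is changed from 255.255.255.0 to 255.255.255.255. The interface names and the simplified spoof rule are assumptions of this model.

```python
"""Model of why a /24 PPPoE mask triggers IP Spoof drops (added example, not SonicOS)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    address: str  # e.g. "67.118.188.190/24"

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network


def connected_routes(interfaces):
    """Map each interface's connected subnet to the interface it is tied to."""
    return {iface.network: iface.name for iface in interfaces}


def expected_interface(ip, routes):
    """Interface whose connected subnet contains ip (longest prefix wins), or None."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, name in routes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def classify(ip, seen_on, routes):
    """Return 'ok' or an 'ip-spoof' message for a packet with address ip seen on seen_on.

    Simplified rule: an address inside a connected subnet is only acceptable on
    that subnet's interface; addresses matching no connected subnet are left to
    the default route and are not checked here.
    """
    expected = expected_interface(ip, routes)
    if expected is None or expected == seen_on:
        return "ok"
    return "ip-spoof: %s belongs to %s but seen on %s" % (ip, expected, seen_on)


def demo(pppoe_prefixlen):
    """Run the answer's scenario with the PPPoE mask set to the given prefix length."""
    routes = connected_routes([
        Interface("X1", "67.118.188.190/%d" % pppoe_prefixlen),  # PPPoE DSL (thread's example)
        Interface("X2", "49.49.49.2/24"),                         # static second WAN
    ])
    # Reply from the remote host comes back over X2, since that is where it was sent.
    return classify("67.118.188.233", "X2", routes)


if __name__ == "__main__":
    print("mask 255.255.255.0  ->", demo(24))
    print("mask 255.255.255.255 ->", demo(32))
```

With the default /24 the firewall believes 67.118.188.233 lives on X1, so the packet on X2 is dropped and logged; with /32 only the firewall's own PPPoE address is connected to X1, so the same packet takes the normal route and no spoof check fires. The same logic explains the asker's symptom if the remote site's DHCP-assigned addresses overlap a subnet the TZ105 considers connected to another interface.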
plainsschoolsAuthor Commented:
Sorry for the delay, things are still insane around here, I will try your suggestion today and report back.  Thanks!
0
Blue Street TechLast KnightCommented:
Can you confirm if my suggestion worked (http:#a39614868) ? Thanks!
0