Sonicwall TZ205 Site to Site VPN

Posted on 2013-11-01
Last Modified: 2013-12-14
Hi Guys,
I am setting up a Site to Site VPN with 2 Sonicwall TZ205s and I cannot get them to work correctly. The tunnel is connected, but the clients on either side cannot talk to each other. If I SSH into the Sonicwalls I can ping the gateways and the clients from the Sonicwalls themselves, but no other traffic is going across the VPN.
Question by:pvnpvn
LVL 25

Expert Comment

by:Diverse IT
ID: 39618336
Hi pvnpvn,

Can you ping the firewalls from the clients?

Are you seeing anything in the logs when you try to ping from PC to PC (across the VPN)?

Make sure to enable all log categories...go to Log > Settings, make sure Logging is set to Debug and that all Categories are checked under log. Then test and post results.

Author Comment

ID: 39618747
I see the successful pings when pinging from the Sonicwalls:
09:40:50 Nov 02      171      VPN      IPsec Dead Peer Detection                50585      4500                                  RECEIVED<<< ISAKMP OAK INFO (InitCookie:0xb400790b9ab5a107 RespCookie:0x15a24b1929d0...
09:37:50 Nov 02      171      VPN      IPsec Dead Peer Detection                4500      50585                                  SENDING>>>> ISAKMP OAK INFO (InitCookie:0xb400790b9ab5a107 RespCookie:0x15a24b1929d0...
09:36:02 Nov 02      171      VPN      IPsec Dead Peer Detection                4500      50585                                  SENDING>>>> ISAKMP OAK INFO (InitCookie:0xb400790b9ab5a107 RespCookie:0x15a24b1929d0...

But I do not see anything else in the log. My remote Sonicwall log is showing this though:

10:17:15 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      64531      ff02::1:3      5355      17      Unhandled link-local or multicast IPv6 packet dropped
10:17:10 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      65087      ff02::1:3      5355      17      Unhandled link-local or multicast IPv6 packet dropped
10:16:08 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      65219      ff02::c      1900      17      Unhandled link-local or multicast IPv6 packet dropped
10:16:05 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      65219      ff02::c      1900      17      Unhandled link-local or multicast IPv6 packet dropped
10:16:02 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      65219      ff02::c      1900      17      Unhandled link-local or multicast IPv6 packet dropped
10:15:15 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      50626      ff02::1:3      5355      17      Unhandled link-local or multicast IPv6 packet dropped
10:13:56 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      59188      ff02::1:3      5355      17      Unhandled link-local or multicast IPv6 packet dropped
10:13:22 Nov 02      1233      Firewall Settings      Link-Local/Multicast IPv6 Packet      W0      X0      fe80::a6:b401:86e6:4356      65219      ff02::c      1900      17      Unhandled link-local or multicast IPv6 packet dropped
LVL 25

Expert Comment

ID: 39620005
Did you enable DHCP over VPN, then reboot the clients behind the Sonicwall that is connecting to the other Sonicwall?
LVL 25

Expert Comment

by:Diverse IT
ID: 39620823
Are you running IPv6?

Can you ping from PC to PC through the VPN?

Your logs indicate a NULL source IP address.

Author Comment

ID: 39623178
I am not using IPv6.  I cannot ping PC to PC, that is the whole problem.
LVL 25

Expert Comment

ID: 39623209
Well, your logs do reflect some IPv6 traffic. So if you're not using IPv6, then turn it off. But you still have not mentioned whether you turned on DHCP over VPN. You will need to at a minimum do that, so that machines on the remote Sonicwall can start receiving IP addresses from the main Sonicwall. Machines with static IP addresses will also need to be entered. I was just dealing with this kind of issue recently.

Author Comment

ID: 39629123
Why would the machines need to receive a DHCP address from the main Sonicwall? I have a Sonicwall in another situation with DHCP enabled locally.

Author Comment

ID: 39643631
So I took the static Sonicwall from the site and brought it home. I brought it back to defaults and set it up on my cable modem, and I am still having the same issue. I can get the VPN to connect and see the correct stuff in the logs, but I cannot ping across the VPN. I tried enabling DHCP over VPN, but it doesn't work since the remote router cannot see the local IP of the static router.
LVL 25

Accepted Solution

Diverse IT earned 500 total points
ID: 39644202
Let's see if we can't get'r done with this assault:

1. Local & Destination Network mismatch

The most common reason for traffic failing to traverse a VPN tunnel is Local and Destination Network mismatch. This is accompanied by an error in the SonicWALL Log. The following errors can be seen in the log:

* Proposal does not Match
* Invalid Cookies

When configuring the VPN, the Local and Destination Network needs to be defined on each device. Make sure that the Local Network chosen matches the Destination Network chosen on the other site.

2. The Zone or Type of the Local or Destination Network is incorrectly configured

Make sure the Address Objects are setup correctly.

The zone assignment of a local or destination network is crucial for traffic to be routed through the tunnel. Although creating an Address Object for a local network is scarcely required, if a requirement arises to create an Address Object, ensure the zone assignment is LAN or DMZ as the case may be.

When creating Address Objects for destination network/s ensure the zone assignment is VPN. If selecting more than one subnet add them to an Address Group. When creating an Address Object for an entire subnet for either local or destination network, it is advisable to have the Type set as Network rather than Range. Make sure the subnet mask is correctly configured.

3. Static Route

Sometimes a tunnel does not come up or it comes up but no traffic passes through, if a static route is defined in the Network > Routes page which conflicts with the Local or Destination Network defined in the VPN Policy. By default, Static Routes on a SonicWALL will overrule VPN Tunnel routes. If a Static Route has been defined for the Destination Network, the SonicWALL will use this route instead of passing the traffic on to the VPN Tunnel.

With the introduction of SonicOS Enhanced 4.0, a new option "Allow VPN path to take precedence " has been introduced.

By means of the Diagnostic utility "Find Network path" on the System > Diagnostics page, it can easily be determined if the SonicWALL has been configured with an overlapping route. Note all VPN destination networks defined in the Network tab of the VPN policies. Test each network using the Find Network Path diagnostic tool. If the network is not a static route that may override the VPN tunnel, the utility will report that the network is located on the WAN, either behind the Remote Gateway IP address, or behind your Default Router. This test may not be conclusive if the overlapping Static Route is pointing to the Default Gateway.

4. Default Gateway not pointing to the SonicWALL

In some networks, there are multiple paths to the internet from the LAN, and a host whose Default Gateway is not configured or wrongly configured will be able to participate in the VPN traffic. The problem computer may not have a Default Gateway set at all (common on platforms which don't offer GUI methods for setting gateways like Windows, and when the server historically has only been reached by local hosts on the same network).

The answer is simply to configure a Default Gateway on the computer (or a route of last resort in a LAN router) pointing to the SonicWALL LAN IP address.

5. Multi-homed computers or computers with dual NICs

Certain servers could have multiple NICs installed in them to communicate with multiple networks. At times this could pose problems for a host on the other side of the VPN tunnel to communicate with the server over the VPN tunnel. The request from the host may reach the server but the reply may go out through the NIC not participating in the VPN tunnel. To rectify this behavior make sure the routes in the servers are configured properly.

If all of the above fail to resolve the issue, the following could be tried:

* Upgrade both units to the latest firmware if not already done.
* Disable the VPN policies on both sides, reboot the SonicWALL and re-enable the policies.
* Delete the existing policies and re-create them.

Forgetting Ping for a sec...have you tested passing traffic through the tunnel?

Let me know how it goes!
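
The checklist above can be turned into a mechanical consistency check. The following is an added example, not SonicWall code or anything from this thread: it models two TZ205 VPN policies as constructed dictionaries (Local/Destination Network objects with zones, static routes, access rules, LAN hosts) and reports items 1 to 4 plus the missing wireless-zone access rules discussed later in the thread.

```python
# Added example (not SonicWall code): a consistency checker for a pair of
# site-to-site VPN policies. The dicts are a constructed model of each TZ205.
import ipaddress

SITE_A = {  # constructed: main office
    "name": "A", "lan_ip": "192.168.1.1",
    "local": {"network": "192.168.1.0/24", "zone": "LAN"},
    "destination": {"network": "192.168.2.0/24", "zone": "VPN"},
    "static_routes": [], "wireless_zones": ["WLAN"],
    "access_rules": [("WLAN", "VPN")],  # the VPN > WLAN rule is missing
    "hosts": [{"ip": "192.168.1.50", "gateway": "192.168.1.1"}],
}
SITE_B = {  # constructed: remote office
    "name": "B", "lan_ip": "192.168.2.1",
    "local": {"network": "192.168.2.0/24", "zone": "LAN"},
    "destination": {"network": "192.168.1.0/24", "zone": "VPN"},
    "static_routes": ["192.168.1.0/24"],  # overrides the VPN tunnel route
    "wireless_zones": [], "access_rules": [],
    "hosts": [{"ip": "192.168.2.20", "gateway": None}],  # no default gateway
}

def check_site_pair(site_a, site_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    for here, there in ((site_a, site_b), (site_b, site_a)):
        n = here["name"]
        local = ipaddress.ip_network(here["local"]["network"])
        dest = ipaddress.ip_network(here["destination"]["network"])
        # 1. Local Network here must equal the Destination Network on the peer.
        if local != ipaddress.ip_network(there["destination"]["network"]):
            findings.append(f"{n}: local/destination mismatch with {there['name']}")
        # 2. Local object in LAN or DMZ, destination object in the VPN zone.
        if here["local"]["zone"] not in ("LAN", "DMZ"):
            findings.append(f"{n}: local zone is {here['local']['zone']}")
        if here["destination"]["zone"] != "VPN":
            findings.append(f"{n}: destination zone is {here['destination']['zone']}")
        # 3. A static route overlapping the destination network wins over the tunnel.
        for route in here["static_routes"]:
            if ipaddress.ip_network(route).overlaps(dest):
                findings.append(f"{n}: static route {route} overlaps {dest}")
        # 4. Each host's default gateway must be the SonicWALL LAN IP.
        for host in here["hosts"]:
            if host["gateway"] != here["lan_ip"]:
                findings.append(f"{n}: host {host['ip']} gateway is {host['gateway']}")
        # Wireless zones get no auto-created rules: need zone > VPN and VPN > zone.
        for zone in here["wireless_zones"]:
            for rule in ((zone, "VPN"), ("VPN", zone)):
                if rule not in here["access_rules"]:
                    findings.append(f"{n}: missing access rule {rule[0]} > {rule[1]}")
    return findings
```

Running `check_site_pair(SITE_A, SITE_B)` on the constructed sites reports the missing VPN > WLAN rule on A and the overriding static route and gateway-less host on B; the "Find Network Path" diagnostic is the on-box equivalent of the static-route check.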

Author Comment

ID: 39650286
Thanks for the help, the issue with the VPN was I needed to enter the IP address of the remote router into the default gateway box on the advanced tab on both routers.

After that I was able to ping across the VPN fine.

I still am having one last issue. I need to use wireless as well as wired on one side, the other side will only have wired clients. I can ping wired clients from the wireless and vice versa on the local router, but only the wired clients can ping across the VPN; the wireless clients time out.
LVL 25

Expert Comment

by:Diverse IT
ID: 39652537
Yes, traffic not passing to or from a Wireless Type Zone is due to Access Rules NOT auto created (By Design).

After setting up a VPN policy in to tunnel interface mode, ensure a route has been created on both sides to route traffic to the appropriate network. Then proceed to check access rules on the side of the tunnel which has the wireless network.

When creating route policies in which the source is any and traffic is set to pass to a non-trusted zone, the access rules are not auto-created.

The rules will need to be added in two places. From VPN > WLAN and from WLAN > VPN.

They will be similar to rules that are created from VPN > LAN and LAN > VPN where the VPN network is the remote network.
