

Sonicwall - routing over VPN

Posted on 2013-11-12
Medium Priority
Last Modified: 2016-12-04
Hi, hope someone can point out what I am missing...

We have an NSA 4500 in our head office with X0 (LAN), X1 (WAN) and X2 (WLAN).

I have a VPN set up on a TZ205 to the NSA4500 with a policy from LAN_Subnet to Address Group 'ALL_NETWORK'.
'ALL_NETWORK' includes address object subnets for the NSA4500 subnets X0 (LAN) and X2 (WLAN).
The NSA4500 also has an 'ALL_NETWORK' address object with the TZ205 subnet and its X0 and X2 subnets.

The VPN works and I can connect between the TZ205 subnet and the NSA4500 X0 subnet; however, I cannot connect from the TZ205 subnet to the X2 subnet.

I would have thought that because the subnet address object is in the VPN destination group, the data would traverse the VPN and the NSA4500 would route to X2.

Thanks in advance
Question by:hutchiesit
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39644037
Hi hutchiesit,

The VPN works and I can connect between the TZ205 subnet and NSA4500 X0 subnet however I can not connect from the TZ205 subnet to X2 subnet.
Let me break this down, and correct me if I'm wrong...
From the NSA > TZ you can access resources in both X0 & X2.
From the TZ > NSA you can only access resources in X0 & *not* in X2.

Can you ping NSA's X2 from the TZ diagnostics page?
Can you access resources in the NSA's X2 by IP as opposed to FQDN?

What is NSA's X2 running as far as WAP (Make/Model)?


Expert Comment

by:Malay Upadhyay
ID: 39644236
Check if you have VPN-WLAN rule on NSA4500 under Firewall!

Author Comment

ID: 39646381
To be clear, when I mention WLAN I just mean the name of the zone, it is really just another subnet on that interface not sonicwall wifi.  X2 is only on the NSA not TZ.

*From the NSA > TZ you can access resources in both X0 & X2.
This is correct for the NSA between its X0 and X2

* From the TZ > NSA you can only access resources in X0 & *not* in X2.
This is the issue.

*Can you ping NSA's X2 from the TZ diagnostics page?

*Can you access resources in the NSA's X2 by IP opposed to FQDN?
Not from TZ

*What is NSA's X2 running as far as WAP (Make/Model)?
Should have mentioned it's really just another subnet and WLAN is the name of the zone

Firewall - VPN - WLAN there is a rule that has been created automatically from TZ subnet-'ALL_NETWORK' which includes address object subnets for the NSA4500 subnets X0 (LAN) and X2 (WLAN).

LVL 26

Expert Comment

by:Blue Street Tech
ID: 39646414
OK, here are some common reasons for not allowing traffic to pass through. Please follow below:

1. Local & Destination Network mismatch

The most common reason for traffic failing to traverse a VPN tunnel is Local and Destination Network mismatch. This is accompanied by an error in the SonicWALL Log. The following errors can be seen in the log:

    • Proposal does not Match
    • Invalid Cookies

When configuring the VPN, the Local and Destination Network needs to be defined on each device. Make sure that the Local Network chosen matches the Destination Network chosen on the other site.

2. The Zone or Type of the Local or Destination Network is incorrectly configured

Make sure the Address Objects are setup correctly.

The zone assignment of a local or destination network is crucial for traffic to be routed through the tunnel. Although creating an Address Object for a local network is scarcely required, if a requirement arises to create an Address Object, ensure the zone assignment is LAN or DMZ as the case maybe.

When creating Address Objects for destination network/s ensure the zone assignment is VPN. If selecting more than one subnet add them to an Address Group. When creating an Address Object for an entire subnet for either local or destination network, it is advisable to have the Type set as Network rather than range. Make sure the subnet mask is correctly configured.

3. Static Route

Sometimes a tunnel does not come up or it comes up but no traffic passes through, if a static route is defined in the Network > Routes page which conflicts with the Local or Destination Network defined in the VPN Policy. By default, Static Routes on a SonicWALL will overrule VPN Tunnel routes. If a Static Route has been defined for the Destination Network, the SonicWALL will use this route instead of passing the traffic on to the VPN Tunnel.

With the introduction of SonicOS Enhanced 4.0, a new option "Allow VPN path to take precedence " has been introduced.

By means of the Diagnostic utility "Find Network path" on the System > Diagnostics page, it can easily be determined if the SonicWALL has been configured with an overlapping route. Note all VPN destination networks defined in the Network tab of the VPN policies. Test each network using the Find Network Path diagnostic tool. If the network is not a static route that may override the VPN tunnel, the utility will report that the network is located on the WAN, either behind the Remote Gateway IP address, or behind your Default Router. This test may not be conclusive if the overlapping Static Route is pointing to the Default Gateway.

4. Default Gateway not pointing to the SonicWALL

In some networks, there are multiple paths to the internet from the LAN, and a host whose Default Gateway is not configured or wrongly configured will be able to participate in the VPN traffic. The problem computer may not have a Default Gateway set at all (common on platforms which don't offer GUI methods for setting gateways like Windows, and when the server historically has only been reached by local hosts on the same network).

The answer is simply to configure a Default Gateway on the computer (or a route of last resort in a LAN router) pointing to the SonicWALL LAN IP address.

5. Multi-homed computers or computers with dual NICs

Certain servers could have multiple NICs installed in them to communicate with multiple networks. At times this could pose problems for a host on the other side of the VPN tunnel to communicate with the server over the VPN tunnel. The request from the host may reach the server but the reply may go out through the NIC not participating in the VPN tunnel. To rectify this behavior make sure the routes in the servers are configured properly.

If all of the above fail to resolve the issue, the following could be tried:

    • Upgrade both units to the latest firmware if not already done.
    • Disable the VPN policies on both sides, reboot the SonicWALL and re-enable the policies.
    • Delete the existing policies and re-create them.

Let me know how it goes!
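
The first three items of that checklist can be mechanised against an exported configuration. The script below is an added example, not SonicOS code and not anything posted in the thread: the address objects, subnets, route and helper names are all constructed for illustration. It normalises Range and Network objects to the same CIDR form before comparing both ends of the tunnel (reason 1), flags destination objects whose zone is not VPN, whose Type is not Network, or whose mask leaves host bits set (reason 2), and reports any static route that overlaps a VPN destination network, downgrading it to informational when "Allow VPN path to take precedence" is on (reason 3). Note that in the constructed data the mismatch check passes even though the X2 object is defined as a Range in the wrong zone, which is exactly why the zone/Type check is run separately.

```python
"""Offline checks for a site-to-site VPN policy pair (added example with constructed data,
hypothetical helper names; not SonicOS code). Covers reasons 1-3 from the list above:
network mismatch, wrong zone/Type/mask on destination Address Objects, static route overlap."""
import ipaddress
from dataclasses import dataclass

@dataclass
class AddressObject:
    name: str
    zone: str   # zone assignment, e.g. "LAN" or "VPN"
    kind: str   # Type in the dialog: "Network" or "Range"
    value: str  # CIDR for Network, "first-last" for Range

@dataclass
class VpnPolicy:
    name: str
    local: list   # Local Network objects
    remote: list  # Destination Network objects

@dataclass
class StaticRoute:
    destination: str  # CIDR
    gateway: str
    interface: str

def _as_networks(objects):
    # Normalise to ip_network values so a Range and an equivalent Network compare equal.
    nets = set()
    for obj in objects:
        if obj.kind == "Range":
            first, last = (ipaddress.ip_address(p.strip()) for p in obj.value.split("-"))
            nets.update(ipaddress.summarize_address_range(first, last))
        else:
            nets.add(ipaddress.ip_network(obj.value, strict=False))
    return nets

def check_network_mismatch(side_a, side_b):
    """Reason 1: A's Local Networks must equal B's Destination Networks, and vice versa."""
    findings = []
    for label, x, y in (("A local vs B destination", side_a.local, side_b.remote),
                        ("B local vs A destination", side_b.local, side_a.remote)):
        nx, ny = _as_networks(x), _as_networks(y)
        if nx != ny:
            findings.append(f"{label} differ: {sorted(map(str, nx - ny))} vs {sorted(map(str, ny - nx))}")
    return findings

def check_destination_objects(policy):
    """Reason 2: destination objects should be zone VPN, Type Network, with a clean mask."""
    findings = []
    for obj in policy.remote:
        if obj.zone != "VPN":
            findings.append(f"{obj.name}: zone is {obj.zone}, expected VPN")
        if obj.kind != "Network":
            findings.append(f"{obj.name}: Type is {obj.kind}; Network is advised for a whole subnet")
        else:
            try:
                ipaddress.ip_network(obj.value, strict=True)
            except ValueError:
                findings.append(f"{obj.name}: {obj.value} has host bits set; check the subnet mask")
    return findings

def check_static_route_shadowing(routes, policy, vpn_precedence=False):
    """Reason 3: an overlapping static route is used instead of the tunnel unless
    'Allow VPN path to take precedence' is enabled (then the overlap is informational)."""
    findings = []
    for net in sorted(_as_networks(policy.remote)):
        for route in routes:
            if ipaddress.ip_network(route.destination, strict=False).overlaps(net):
                level = "info" if vpn_precedence else "WARN"
                findings.append(f"{level}: static route {route.destination} via {route.gateway} "
                                f"on {route.interface} overlaps VPN destination {net}")
    return findings

# Constructed topology (not the thread's real addressing):
#   NSA4500 head office X0 10.10.0.0/24 and X2 10.10.2.0/24; TZ205 branch LAN 192.168.50.0/24.
NSA = VpnPolicy("to-TZ205",
                local=[AddressObject("X0 Subnet", "LAN", "Network", "10.10.0.0/24"),
                       AddressObject("X2 Subnet", "LAN", "Network", "10.10.2.0/24")],
                remote=[AddressObject("TZ LAN", "VPN", "Network", "192.168.50.0/24")])
TZ = VpnPolicy("to-NSA4500",
               local=[AddressObject("LAN Subnet", "LAN", "Network", "192.168.50.0/24")],
               remote=[AddressObject("NSA X0", "VPN", "Network", "10.10.0.0/24"),
                       # deliberately mis-defined on this side to exercise reason 2
                       AddressObject("NSA X2", "LAN", "Range", "10.10.2.0-10.10.2.255")])
TZ_ROUTES = [StaticRoute("10.10.2.0/24", "203.0.113.1", "X1")]  # constructed shadowing route

if __name__ == "__main__":
    print(*(check_network_mismatch(TZ, NSA) or ["mismatch: ok"]), sep="\n")
    print(*check_destination_objects(TZ), sep="\n")
    print(*check_static_route_shadowing(TZ_ROUTES, TZ), sep="\n")
```

Run against real values, the two policy objects would be filled from each firewall's VPN policy Network tab and the route list from Network > Routes; the script is an offline stand-in for walking each destination network through Find Network Path as described above.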

Author Comment

ID: 39646541
Thank you for your responses.  The strange thing is we have a lot of sites set up using VPN; adding the WLAN zone to the NSA is the new setting.

1. I have checked these again and confirmed the settings are correct.
2. The address object zone assignment on the TZ was LAN for the NSA subnets. This does work when accessing the NSA X0 subnet; however, I have tested changing all address objects on the TZ to VPN and the issue remains.
3. I haven't set any static routes, only the automatic ones that get created. However, when using Find Network Path to an IP on NSA X2 the response is 'IP is located on the VPN:ALL_NETWORK. It is not behind a router. Its Ethernet address was not found.' Referring to 2 above, this is the same in both zones.
4. Default gateway is set to the TZ LAN ip address, the TZ is DHCP.
5. 1 NIC for the laptop

I guess I will try to recreate the policies, unfortunately firmware on the NSA is not an option due to production.
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39646579
WLAN stands for Wireless Local Area Network. As a rule WLAN should never be used outside of being explicitly Wireless...it's bad form, can cause configuration issues and general confusion.

I have a feeling it has to do with this "WLAN". I'd review the "WLAN" and make sure it's set up as LAN2 or something more appropriate, but specifically look at the Security Type and make sure it's set to Trusted and not Untrusted or Wireless. Then look to see if it has Interface Trust. If the Security Type or Interface Trust is not what I specified it will not work.

Also, does the TZ have wireless...wondering if there is an overlap if you are using 172.16.x.x network for the "WLAN" on the NSA.

Let me know how it goes!

Author Comment

ID: 39646604
Agree, I have renamed it.

The zone is already trusted plus Interface Trust is set.  TZ does have WLAN that isn't used.

I am at a loss, maybe I can ask SW support.
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39646637
I'd double check the X2 network setup in the Address Object make sure it's got the right Zone, Network, Subnet, etc. in the TZ.

Accepted Solution

hutchiesit earned 0 total points
ID: 39935712
In case anyone is interested the solution from Sonicwall support was to NAT between NSA4500 subnet X2 and TZ LAN.
