Solved

Sonicwall - routing over VPN

Posted on 2013-11-12
3,772 Views
Last Modified: 2016-04-27
Hi, hope someone can point out what I am missing...

We have an NSA 4500 in our head office with X0 (LAN), X1 (WAN) and X2 (WLAN).

I have a VPN set up on a TZ205 to the NSA4500 with a policy from LAN_Subnet to Address Group 'ALL_NETWORK'.
'ALL_NETWORK' includes address object subnets for the NSA4500 subnets X0 (LAN) and X2 (WLAN).
The NSA4500 also has an 'ALL_NETWORK' address object with the TZ205 subnet and its X0 and X2 subnets.

The VPN works and I can connect between the TZ205 subnet and the NSA4500 X0 subnet; however, I cannot connect from the TZ205 subnet to the X2 subnet.

I would have thought that because the subnet address object is in the VPN destination group, the data would traverse the VPN and the NSA4500 would route it to X2.

Thanks in advance
0
Question by:hutchiesit
11 Comments
 
LVL 24

Expert Comment

by:diverseit
Hi hutchiesit,

> The VPN works and I can connect between the TZ205 subnet and NSA4500 X0 subnet however I can not connect from the TZ205 subnet to X2 subnet.
Let me break this down, and correct me if I'm wrong...
From the NSA > TZ you can access resources in both X0 & X2.
From the TZ > NSA you can only access resources in X0 & *not* in X2.

Can you ping NSA's X2 from the TZ diagnostics page?
Can you access resources in the NSA's X2 by IP as opposed to FQDN?

What is NSA's X2 running as far as WAP (Make/Model)?

Thanks!
0
 

Expert Comment

by:Malay Upadhyay
Check if you have a VPN-to-WLAN rule on the NSA4500 under Firewall!
0
 

Author Comment

by:hutchiesit
To be clear, when I mention WLAN I just mean the name of the zone; it is really just another subnet on that interface, not SonicWall Wi-Fi. X2 is only on the NSA, not the TZ.

*From the NSA > TZ you can access resources in both X0 & X2.
This is correct for the NSA between its X0 and X2

* From the TZ > NSA you can only access resources in X0 & *not* in X2.
This is the issue.

*Can you ping NSA's X2 from the TZ diagnostics page?
No

*Can you access resources in the NSA's X2 by IP as opposed to FQDN?
Not from TZ

*What is NSA's X2 running as far as WAP (Make/Model)?
Should have mentioned it's really just another subnet and WLAN is the name of the zone

Under Firewall > VPN > WLAN there is a rule that has been created automatically from TZ subnet to 'ALL_NETWORK', which includes address object subnets for the NSA4500 subnets X0 (LAN) and X2 (WLAN).
0
 
LVL 24

Expert Comment

by:diverseit
OK, here are some common reasons for not allowing traffic to pass-through. Please follow below:

1. Local & Destination Network mismatch

The most common reason for traffic failing to traverse a VPN tunnel is Local and Destination Network mismatch. This is accompanied by an error in the SonicWALL Log. The following errors can be seen in the log:

    • Proposal does not Match
    • Invalid Cookies

When configuring the VPN, the Local and Destination Network needs to be defined on each device. Make sure that the Local Network chosen matches the Destination Network chosen on the other site.

2. The Zone or Type of the Local or Destination Network is incorrectly configured

Make sure the Address Objects are setup correctly.

The zone assignment of a local or destination network is crucial for traffic to be routed through the tunnel. Although creating an Address Object for a local network is scarcely required, if a requirement arises to create an Address Object, ensure the zone assignment is LAN or DMZ as the case may be.

When creating Address Objects for destination network/s, ensure the zone assignment is VPN. If selecting more than one subnet, add them to an Address Group. When creating an Address Object for an entire subnet for either local or destination network, it is advisable to have the Type set as Network rather than Range. Make sure the subnet mask is correctly configured.

3. Static Route

Sometimes a tunnel does not come up, or it comes up but no traffic passes through, if a static route is defined in the Network > Routes page which conflicts with the Local or Destination Network defined in the VPN Policy. By default, Static Routes on a SonicWALL will overrule VPN Tunnel routes. If a Static Route has been defined for the Destination Network, the SonicWALL will use this route instead of passing the traffic on to the VPN Tunnel.

With the introduction of SonicOS Enhanced 4.0, a new option "Allow VPN path to take precedence" has been introduced.

By means of the Diagnostic utility "Find Network path" on the System > Diagnostics page, it can easily be determined if the SonicWALL has been configured with an overlapping route. Note all VPN destination networks defined in the Network tab of the VPN policies. Test each network using the Find Network Path diagnostic tool. If the network is not a static route that may override the VPN tunnel, the utility will report that the network is located on the WAN, either behind the Remote Gateway IP address, or behind your Default Router. This test may not be conclusive if the overlapping Static Route is pointing to the Default Gateway.

4. Default Gateway not pointing to the SonicWALL

In some networks, there are multiple paths to the internet from the LAN, and a host whose Default Gateway is not configured or wrongly configured will be able to participate in the VPN traffic. The problem computer may not have a Default Gateway set at all (common on platforms which don't offer GUI methods for setting gateways like Windows, and when the server historically has only been reached by local hosts on the same network).

The answer is simply to configure a Default Gateway on the computer (or a route of last resort in a LAN router) pointing to the SonicWALL LAN IP address.

5. Multi-homed computers or computers with dual NICs

Certain servers could have multiple NICs installed in them to communicate with multiple networks. At times this could pose problems for a host on the other side of the VPN tunnel to communicate with the server over the VPN tunnel. The request from the host may reach the server but the reply may go out through the NIC not participating in the VPN tunnel. To rectify this behavior, make sure the routes in the servers are configured properly.

If all of the above fail to resolve the issue, the following could be tried:

    • Upgrade both units to the latest firmware if not already done.
    • Disable the VPN policies on both sides, reboot the SonicWALL and re-enable the policies.
    • Delete the existing policies and re-create them.

Let me know how it goes!
0
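Point 3 in the comment above (a static route quietly winning over the VPN policy route unless "Allow VPN path to take precedence" is set) is easier to reason about with a small route-selection model. This is an added example, not SonicOS code or anything posted in the thread; the subnets, next hops and the exact lookup order are constructed assumptions, and the output strings only imitate the wording of the Find Network Path diagnostic.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    kind: str  # "connected", "static", "vpn" or "default"
    via: str   # human-readable next hop, interface or tunnel name


# Constructed TZ-side routing table (assumed RFC 1918 subnets, not the
# thread's real networks). ALL_NETWORK = NSA X0 subnet + NSA X2 subnet.
ROUTES = [
    Route(ipaddress.ip_network("192.168.10.0/24"), "connected", "X0"),
    Route(ipaddress.ip_network("192.168.20.0/24"), "vpn", "VPN:ALL_NETWORK"),
    Route(ipaddress.ip_network("192.168.30.0/24"), "vpn", "VPN:ALL_NETWORK"),
    # A stale static route that overlaps the NSA X2 subnet
    Route(ipaddress.ip_network("192.168.30.0/24"), "static", "192.168.10.254"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "default", "your Default Router"),
]


def select_route(routes, dst_ip, vpn_precedence=False):
    """Pick the route for dst_ip. Connected networks always win; then static
    routes beat VPN policy routes unless 'Allow VPN path to take precedence'
    is set (vpn_precedence=True); longest prefix breaks ties within a class."""
    ip = ipaddress.ip_address(dst_ip)
    order = ["connected", "vpn", "static", "default"] if vpn_precedence \
        else ["connected", "static", "vpn", "default"]
    matches = [r for r in routes if ip in r.dest]
    if not matches:
        return None
    return min(matches, key=lambda r: (order.index(r.kind), -r.dest.prefixlen))


def find_network_path(routes, dst_ip, vpn_precedence=False):
    """Describe the chosen route in the style of the diagnostic page."""
    r = select_route(routes, dst_ip, vpn_precedence)
    if r is None:
        return f"{dst_ip}: no route"
    if r.kind == "vpn":
        return f"{dst_ip} is located on the {r.via}"
    if r.kind == "connected":
        return f"{dst_ip} is located on {r.via}"
    return f"{dst_ip} is located on the WAN, behind {r.via}"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"vpn_precedence={flag}:", find_network_path(ROUTES, "192.168.30.5", flag))
```

Running it shows the X2 host reported as behind the static next hop until the precedence flag is set, which is exactly the symptom the diagnostic is meant to reveal; the caveat in the comment still applies when the conflicting static route points at the default gateway, since both answers then read "behind your Default Router".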
 

Author Comment

by:hutchiesit
Thank you for your responses. The strange thing is we have a lot of sites set up using VPN; adding the WLAN zone to the NSA is the new setting.

1. I have checked these again and confirmed the settings are correct.
2. The address object zone assignment on the TZ was LAN for the NSA subnets. This does work when accessing the NSA X0 subnet; however, I have tested changing all address objects on the TZ to VPN and the issue remains.
3. I haven't set any static routes, only the automatic ones that get created. However, when using Find Network Path to an IP on NSA X2 the response is 'IP is located on the VPN:ALL_NETWORK. It is not behind a router. Its Ethernet address was not found.' Referring to 2 above, this is the same in both zones.
4. Default gateway is set to the TZ LAN IP address; the TZ is DHCP.
5. 1 NIC for the laptop.

I guess I will try to recreate the policies; unfortunately a firmware upgrade on the NSA is not an option due to production.
0
 
LVL 24

Expert Comment

by:diverseit
WLAN stands for Wireless Local Area Network. As a rule, WLAN should never be used outside of being explicitly wireless... it's bad form, can cause configuration issues and general confusion.

I have a feeling it has to do with this "WLAN". I'd review the "WLAN" and make sure it's set up as LAN2 or something more appropriate, but specifically look at the Security Type and make sure it's set to Trusted and not Untrusted or Wireless. Then look to see if it has Interface Trust. If the Security Type or Interface Trust is not what I specified, it will not work.

Also, does the TZ have wireless? Wondering if there is an overlap if you are using a 172.16.x.x network for the "WLAN" on the NSA.

Let me know how it goes!
0
 

Author Comment

by:hutchiesit
Agree, I have renamed it.

The zone is already Trusted, plus Interface Trust is set. The TZ does have a WLAN that isn't used.

I am at a loss, maybe I can ask SW support.
0
 
LVL 24

Expert Comment

by:diverseit
I'd double-check the X2 network setup in the Address Object on the TZ and make sure it's got the right Zone, Network, Subnet, etc.
0
 

Accepted Solution

by:
hutchiesit earned 0 total points
Hi
In case anyone is interested, the solution from SonicWall support was to NAT between the NSA4500 subnet X2 and the TZ LAN.
0
 

Author Closing Comment

by:hutchiesit
SonicWall support provided a solution, which is not ideal.
0
 

Expert Comment

by:jdemoccc
I know this is an old thread, but I'm new to SonicWall and am having the same issue you were having. Could you possibly show me the exact NAT policy that helped you fix this?
0