Solved

Site to site VPN on SBS 2003

Posted on 2014-02-21
355 Views
Last Modified: 2014-02-24
I am trying to establish a seamless connection to our western and eastern offices. One site has SBS Server 2003; the east just has about 5 computers that I want to log on to our primary domain. I had set up a site-to-site VPN with Sonicwall firewalls. I noticed that the connection for the remote computers is exceptionally slow. I had to enter the DNS of the domain controller on the remote computers just to make a connection to the domain. Is there something I may have missed that causes it to behave the way it does?
Question by: Mikejett
11 Comments
 
LVL 11

Expert Comment

by: Miftaul
ID: 39878669
Your two Sonicwalls have public IPs and you created an S2S VPN on them.
You used the AD DNS on the remote site computers.

Now you feel the network connection is slow. Do you mean file transfer, or does the internet seem slow? Can you run iperf to measure the throughput on the VPN?

I did a similar setup last week and it's working fine.
 

Author Comment

by: Mikejett
ID: 39879299
This is the first time I have set something like this up. I had a Sonicwall support engineer help me create the S2S. I originally set up the XP remote machines on the primary domain. The machines were then shipped to our other site. I had an issue with the trust relationship being broken, so I had to rejoin them to the domain. In the adapter settings of the remote computers I had to enter the AD DNS or it simply would not establish a connection. The second DNS was 8.8.8.8; without it I could not access the internet. I can easily ping back and forth and both sites have very fast internet speeds.

Once the computers are joined and rebooted, the login to the domain, for example, takes about 10 mins; launching Outlook took almost 30 mins. Just incredibly slow and unusable.

You mentioned you did a similar setup. Did you have the remote computers join the primary domain or did you have them in a workgroup instead?

Anything special at the PDC that I need to do for the remote site?

I must be overlooking something.
 
LVL 11

Accepted Solution

by: Miftaul (earned 500 total points)
ID: 39879327
Yes, I have a similar setup running on my 8 sites; all clients are pointing to the main site. All the computers are joined to the main site domain, and the remote sites are separate subnets. The primary DNS is set to the main site AD IP and my DNS server can resolve internet addresses. Last week I did another setup where DNS is pointing to the main site IP and the secondary DNS is 8.8.8.8, like yours.

On the Sonicwall site-to-site config, please check that Local & Peer IKE ID is set to "IP address". On the Proposals tab, check that IKE Phase 1 Exchange is set to "Main Mode" and DH Group is set to Group 2. Also, in the Advanced tab, check that "Enable Windows Networking (NetBIOS) Broadcast" is selected.

The clients just work over the site-to-site without any additional setup on the AD.
 

Author Comment

by: Mikejett
ID: 39880646
I was able to check the Sonicwall at our main site. It is set up exactly as you recommended. I will be checking the remote firewall tomorrow. I assume it is set up the same way, but I will verify. The remote site is on a different subnet as well. I will update the post shortly. Miftaul, thank you for all your comments.

I am assuming the firewalls must be the culprit in some way. When I was at the remote site, I was able to ping both sites without delay, and DNS was able to resolve. Eventually the remote PCs were able to join the domain as well (after a long period of time). I also tried to launch a web browser on a remote PC (once it was joined to the domain) and it took forever just to get to a web home page. I thought that was a bit strange too. Wouldn't the local gateway provide internet service? All clients on the remote site are DHCP and the remote Sonicwall provides the addresses. I tried, for the heck of it, adding the gateway of the main site to the remote adapters to see if that would make any difference, and it had no effect.

The only way I can effectively work on those PCs remotely is to have them join a workgroup; then internet service resumes as normal. I will remote into them tomorrow, check the firewall and see what else may be going on.
 
LVL 11

Expert Comment

by: Miftaul
ID: 39880666
Could you please run ipconfig on a remote site computer and ensure that the primary DNS is set to the main site IP and the secondary DNS is set to the remote site ISP DNS or any public DNS IP. Also, the default gateway at the remote site should be set to the remote site Sonicwall X0 interface IP.

Is the Sonicwall providing DHCP at the remote site?

Also confirm that all traffic is allowed in the firewall access rules from VPN to VPN and VPN to LAN.

Just out of curiosity, can you check on both Sonicwalls that the address object for the remote site subnet used in the site-to-site VPN is created in the VPN zone and not the WAN zone.
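One way to apply the checklist in the comment above mechanically is to parse the client's `ipconfig /all` output and compare it against the expected values. This is an added example, not code from the thread or from Sonicwall; the addresses (main-site AD/DNS 10.1.0.10, remote-site Sonicwall X0 10.2.0.1), the host name and the sample output are constructed for illustration, and only 8.8.8.8 comes from the thread.

```python
import re

# Assumed addresses for the example: main-site AD/DNS server, the remote
# Sonicwall X0 interface (default gateway and DHCP server for the remote
# LAN), and the public resolver the asker configured as secondary DNS.
AD_DNS = "10.1.0.10"
REMOTE_X0 = "10.2.0.1"
PUBLIC_DNS = {"8.8.8.8"}

# Constructed sample in the style of "ipconfig /all" on a Windows XP client
# at the remote site, configured the way the thread recommends.
GOOD_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EASTPC01
        Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : corp.example.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.2.0.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.2.0.1
        DHCP Server . . . . . . . . . . . : 10.2.0.1
        DNS Servers . . . . . . . . . . . : 10.1.0.10
                                            8.8.8.8
"""

# Same client with the resolver order reversed and the main-site gateway
# typed in by hand (the asker mentioned trying that); constructed so the
# checks below report problems.
BAD_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : EASTPC01

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.2.0.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.0.1
        DHCP Server . . . . . . . . . . . : 10.2.0.1
        DNS Servers . . . . . . . . . . . : 8.8.8.8
                                            10.1.0.10
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} for each adapter section.

    Adapter headers are unindented lines ending in ':'; fields are
    'Name . . . : value' lines; a wrapped extra value (second DNS server)
    is an indented line without a colon and is appended to the last field.
    """
    adapters = {}
    fields = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" ") and line.endswith(":"):
            fields = adapters.setdefault(line[:-1].strip(), {})
            last_key = None
        elif fields is None:
            continue  # global "Windows IP Configuration" block, not per-adapter
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip(" .")
            values = fields.setdefault(last_key, [])
            if value.strip():
                values.append(value.strip())
        elif last_key is not None:
            fields[last_key].append(line.strip())
    return adapters


def check_remote_client(fields, ad_dns=AD_DNS, remote_gateway=REMOTE_X0, public_dns=PUBLIC_DNS):
    """Apply the thread's checklist to one adapter; returns a list of problems (empty = OK)."""
    problems = []
    dns = fields.get("DNS Servers", [])
    if not dns or dns[0] != ad_dns:
        problems.append(f"primary DNS is {dns[0] if dns else 'unset'}, expected main-site AD DNS {ad_dns}")
    if len(dns) < 2 or dns[1] not in public_dns:
        problems.append("secondary DNS should be the remote ISP resolver or a public resolver")
    gateway = (fields.get("Default Gateway") or ["unset"])[0]
    if gateway != remote_gateway:
        problems.append(f"default gateway is {gateway}, expected remote Sonicwall X0 {remote_gateway}")
    if (fields.get("Dhcp Enabled") or ["No"])[0] == "Yes":
        dhcp = (fields.get("DHCP Server") or ["unset"])[0]
        if dhcp != remote_gateway:
            problems.append(f"DHCP server is {dhcp}, expected the remote Sonicwall {remote_gateway}")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_IPCONFIG), ("bad", BAD_IPCONFIG)):
        adapter = parse_ipconfig(sample)["Ethernet adapter Local Area Connection"]
        print(label, check_remote_client(adapter) or "OK")
```

On a real client the text would come from running `ipconfig /all` and pasting or piping its output into `parse_ipconfig`; the parser keys off the dotted label format, so other adapters in the same output are parsed too and can be checked individually.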
 

Author Comment

by: Mikejett
ID: 39880734
I noticed on the primary domain firewall that the rule for VPN to LAN has the option "any" for its source, destination and services fields.

The VPN to VPN rules have specific sources and destinations in the allowed services. I do not see a rule for VPN to VPN with the "any" designation in all 3 fields (source, destination and services) like the VPN to LAN rule has. Should I add another rule for VPN to VPN to reflect exactly what the VPN to LAN rule has?
 
LVL 11

Expert Comment

by: Miftaul
ID: 39880735
No, leave the settings as they are.

Did you check in the address objects which zone the remote subnet is defined in? It should be VPN.
 

Author Comment

by: Mikejett
ID: 39880740
These are all the rules at the main site Sonicwall for VPN to VPN:

 VPN > VPN 1 Any All Interface IP SNMP Allow All None                  
 VPN > VPN 2 Any All Interface IP SSH Management Allow All None                  
 VPN > VPN 3 Any All Interface IP HTTPS Management Allow All None                  
 VPN > VPN 4 Any All Interface IP HTTP Management Allow All None                  
 VPN > VPN 5 Any WAN RemoteAccess Networks Any Allow All None                  
 VPN > VPN 6 WAN RemoteAccess Networks Any Any Allow All None                  
 VPN > VPN 7 Any WLAN RemoteAccess Networks Any Allow All None                  
 VPN > VPN 8 WLAN RemoteAccess Networks Any Any Allow All None
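A rule listing pasted this way is hard to read because the address-object and service names contain spaces. The script below, added here as an example and not code from the thread or from SonicOS, parses the listing above (plus the VPN to LAN "any / any / any" rule the asker described in the earlier comment, reconstructed as one line) and flags the two patterns a reviewer would want to look at: a blanket allow on any source, destination and service, and firewall-management services (SNMP, SSH, HTTP/HTTPS management) reachable from any address in a zone. The mapping of the pasted columns to source, destination, service, action, users and comment is an assumption about the rule-table layout, and the object and service vocabulary is taken from the listing itself.

```python
import re
from dataclasses import dataclass

# Constructed input: the VPN > VPN listing pasted in the thread, plus the
# VPN > LAN "any / any / any" rule the asker described one comment earlier.
# Mapping the pasted columns to (source, destination, service, action,
# users, comment) is an assumption about the SonicOS rule-table layout.
RULE_LISTING = """
VPN > LAN 1 Any Any Any Allow All None
VPN > VPN 1 Any All Interface IP SNMP Allow All None
VPN > VPN 2 Any All Interface IP SSH Management Allow All None
VPN > VPN 3 Any All Interface IP HTTPS Management Allow All None
VPN > VPN 4 Any All Interface IP HTTP Management Allow All None
VPN > VPN 5 Any WAN RemoteAccess Networks Any Allow All None
VPN > VPN 6 WAN RemoteAccess Networks Any Any Allow All None
VPN > VPN 7 Any WLAN RemoteAccess Networks Any Allow All None
VPN > VPN 8 WLAN RemoteAccess Networks Any Any Allow All None
"""

# Vocabulary taken from the listing; the multi-word names are why a line
# cannot simply be split on whitespace.
ADDRESS_OBJECTS = ["Any", "All Interface IP", "WAN RemoteAccess Networks", "WLAN RemoteAccess Networks"]
SERVICES = ["Any", "SNMP", "SSH Management", "HTTPS Management", "HTTP Management"]
MANAGEMENT_SERVICES = {"SNMP", "SSH Management", "HTTPS Management", "HTTP Management"}

LINE_RE = re.compile(
    r"^(?P<src_zone>\w+)\s*>\s*(?P<dst_zone>\w+)\s+(?P<priority>\d+)\s+(?P<body>.+?)\s+"
    r"(?P<action>Allow|Deny|Discard)\s+(?P<users>\S+)\s+(?P<comment>\S+)$"
)


@dataclass(frozen=True)
class AccessRule:
    src_zone: str
    dst_zone: str
    priority: int
    source: str
    destination: str
    service: str
    action: str


def _split_body(body):
    """Split 'source destination service' using the known names, longest match first."""
    for service in sorted(SERVICES, key=len, reverse=True):
        if body.endswith(" " + service):
            rest = body[: -len(service) - 1]
            break
    else:
        raise ValueError(f"unknown service in: {body!r}")
    for source in sorted(ADDRESS_OBJECTS, key=len, reverse=True):
        if rest.startswith(source + " ") and rest[len(source) + 1:] in ADDRESS_OBJECTS:
            return source, rest[len(source) + 1:], service
    raise ValueError(f"unknown address objects in: {rest!r}")


def parse_rules(text):
    """Parse the pasted listing into AccessRule records, in listing order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule line: {line!r}")
        source, destination, service = _split_body(m["body"])
        rules.append(AccessRule(m["src_zone"], m["dst_zone"], int(m["priority"]),
                                source, destination, service, m["action"]))
    return rules


def is_any(value):
    return value.strip().lower() == "any"


def audit(rules):
    """Return (rule, category, message) for each rule a reviewer should look at."""
    findings = []
    for r in rules:
        if r.action != "Allow":
            continue
        if is_any(r.source) and is_any(r.destination) and is_any(r.service):
            findings.append((r, "any-any-any",
                             "allows any source to any destination on any service"))
        elif r.service in MANAGEMENT_SERVICES and is_any(r.source):
            findings.append((r, "management-from-any",
                             f"exposes {r.service} on the firewall to any source in the {r.src_zone} zone"))
    return findings


if __name__ == "__main__":
    for rule, category, message in audit(parse_rules(RULE_LISTING)):
        print(f"[{category}] {rule.src_zone} > {rule.dst_zone} #{rule.priority}: {message}")
```

The audit does not decide whether a rule is wrong for this network (the expert's advice above is to leave the VPN to VPN rules alone); it only surfaces where a blanket allow exists and where management of the firewall itself is reachable from the VPN zone, so those can be confirmed as intentional and restricted to the administrator's subnet where they are not.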
 

Author Comment

by: Mikejett
ID: 39880744
I did check the primary firewall's address objects, and the remote subnet is defined in the VPN zone.

I will check remote firewall's settings tomorrow to see if it has the same thing.
 
LVL 11

Expert Comment

by: Miftaul
ID: 39880748
VPN to VPN seems to be OK. Please check the remote site SW when you get time.
 

Author Comment

by: Mikejett
ID: 39883392
The firewall at the remote site checked out fine. For the heck of it, I rebooted the PDC at the main site and for whatever reason everything works like a charm now.

Thanks for all your help.
