[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Can't ping hosts on VPN or any external hosts (eg google.com)

Posted on 2014-04-02
6
Medium Priority
?
237 Views
Last Modified: 2014-11-11
Hi all,

I just noticed today that I can no longer ping any of our VPN endpoints (all Sonicwalls), though our own SW reports that the VPNs are active.  I also cannot ping any external hosts, such as google.com, yahoo.com, etc...

I just noticed this today, it's certainly a very new problem, as I have batch files written that ping our various VPN endpoints, and I run them frequently if there's ever an issue, or I want to confirm connectivity, and they have always worked before.

If I use a different Internet connection (not connected to the SW), I can ping Google etc, so it's not a Windows issue.  I have done 2 soft restarts and 1 hard restart on our SW.  Immediately after restarting, the SW allows pings to all of the locations I mentioned above, but then the replies stop, about 20-30 seconds after restarting.  Around the same time, I see in the logs this message:

ICMP packet dropped due to policy

The funny part in all this, is that the SW has not been changed in months, so I don't get why it's suddenly blocking all these outbound pings.

Does anyone know what I could check or change to restore the ability to ping?

Thanks

Paul
0
Comment
Question by:paulc2000
  • 3
  • 3
6 Comments
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972569
Sounds like you have ICMP disabled in your Sonicwalls. Check there, likely everything is working find but the Sonicwall configuration was updated to disallow this at some point by someone.
0
 

Author Comment

by:paulc2000
ID: 39972620
Thanks, but nothing was changed.

Anyway, how do I enable it?  Googling it just shows how to set up the Sonicwall to respond to pings.
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972625
Well something has changed, you used to be able to ping and now you cannot.

The messages you are getting via the log are from the sonicwalls saying ICMP is not permitted by the policy, so most likely the policy used by the sonicwalls are disableing ICMP.
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 

Author Comment

by:paulc2000
ID: 39972817
I can't see what policy is blocking it, and I don't understand why a ping would be blocked on a VPN, in any case?

Here is the full log entry, if there's anything more you can see.  This is what happens when my PC (192.168.3.40) has a continuous ping to google.ie (193.120.166.95).  As I mentioned above, the first ~75 pings after a restart reply as normal, but then the new policy kicks in.  Why doesn't it kick in immediately?  None of this makes sense...

Sonicwall log entry
0
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 2000 total points
ID: 39972826
The log entry shows that per the policy (firewall rules) interface X1 --> X0 does not allow ICMP through.

If you review the policy and believe this is adverse to the policy you will need to contact Sonicwall support for further assistance.
0
 

Author Comment

by:paulc2000
ID: 39972919
There is no such policy for the WAN interfaces, nor is there for the VPN.  I will contact SW support.  Thanks for your help.
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question