Solved

Can't ping hosts on VPN or any external hosts (eg google.com)

Posted on 2014-04-02
6
228 Views
Last Modified: 2014-11-11
Hi all,

I just noticed today that I can no longer ping any of our VPN endpoints (all Sonicwalls), though our own SW reports that the VPNs are active.  I also cannot ping any external hosts, such as google.com, yahoo.com, etc...

I just noticed this today, it's certainly a very new problem, as I have batch files written that ping our various VPN endpoints, and I run them frequently if there's ever an issue, or I want to confirm connectivity, and they have always worked before.

If I use a different Internet connection (not connected to the SW), I can ping Google etc, so it's not a Windows issue.  I have done 2 soft restarts and 1 hard restart on our SW.  Immediately after restarting, the SW allows pings to all of the locations I mentioned above, but then the replies stop, about 20-30 seconds after restarting.  Around the same time, I see in the logs this message:

ICMP packet dropped due to policy

The funny part in all this, is that the SW has not been changed in months, so I don't get why it's suddenly blocking all these outbound pings.

Does anyone know what I could check or change to restore the ability to ping?

Thanks

Paul
0
Comment
Question by:paulc2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972569
Sounds like you have ICMP disabled in your Sonicwalls. Check there, likely everything is working find but the Sonicwall configuration was updated to disallow this at some point by someone.
0
 

Author Comment

by:paulc2000
ID: 39972620
Thanks, but nothing was changed.

Anyway, how do I enable it?  Googling it just shows how to set up the Sonicwall to respond to pings.
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972625
Well something has changed, you used to be able to ping and now you cannot.

The messages you are getting via the log are from the sonicwalls saying ICMP is not permitted by the policy, so most likely the policy used by the sonicwalls are disableing ICMP.
0
Ready to trade in that old firewall?

Whether you need to trade-up to a shiny new Firebox or just ready to upgrade from whatever appliance you're using now, WatchGuard has the right appliance for you! Find your perfect Firebox today with appliance sizing tool!

 

Author Comment

by:paulc2000
ID: 39972817
I can't see what policy is blocking it, and I don't understand why a ping would be blocked on a VPN, in any case?

Here is the full log entry, if there's anything more you can see.  This is what happens when my PC (192.168.3.40) has a continuous ping to google.ie (193.120.166.95).  As I mentioned above, the first ~75 pings after a restart reply as normal, but then the new policy kicks in.  Why doesn't it kick in immediately?  None of this makes sense...

Sonicwall log entry
0
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 500 total points
ID: 39972826
The log entry shows that per the policy (firewall rules) interface X1 --> X0 does not allow ICMP through.

If you review the policy and believe this is adverse to the policy you will need to contact Sonicwall support for further assistance.
0
 

Author Comment

by:paulc2000
ID: 39972919
There is no such policy for the WAN interfaces, nor is there for the VPN.  I will contact SW support.  Thanks for your help.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question