Solved

Can't ping hosts on VPN or any external hosts (eg google.com)

Posted on 2014-04-02
6
224 Views
Last Modified: 2014-11-11
Hi all,

I just noticed today that I can no longer ping any of our VPN endpoints (all Sonicwalls), though our own SW reports that the VPNs are active.  I also cannot ping any external hosts, such as google.com, yahoo.com, etc...

I just noticed this today, it's certainly a very new problem, as I have batch files written that ping our various VPN endpoints, and I run them frequently if there's ever an issue, or I want to confirm connectivity, and they have always worked before.

If I use a different Internet connection (not connected to the SW), I can ping Google etc, so it's not a Windows issue.  I have done 2 soft restarts and 1 hard restart on our SW.  Immediately after restarting, the SW allows pings to all of the locations I mentioned above, but then the replies stop, about 20-30 seconds after restarting.  Around the same time, I see in the logs this message:

ICMP packet dropped due to policy

The funny part in all this, is that the SW has not been changed in months, so I don't get why it's suddenly blocking all these outbound pings.

Does anyone know what I could check or change to restore the ability to ping?

Thanks

Paul
0
Comment
Question by:paulc2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972569
Sounds like you have ICMP disabled in your Sonicwalls. Check there, likely everything is working find but the Sonicwall configuration was updated to disallow this at some point by someone.
0
 

Author Comment

by:paulc2000
ID: 39972620
Thanks, but nothing was changed.

Anyway, how do I enable it?  Googling it just shows how to set up the Sonicwall to respond to pings.
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972625
Well something has changed, you used to be able to ping and now you cannot.

The messages you are getting via the log are from the sonicwalls saying ICMP is not permitted by the policy, so most likely the policy used by the sonicwalls are disableing ICMP.
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 

Author Comment

by:paulc2000
ID: 39972817
I can't see what policy is blocking it, and I don't understand why a ping would be blocked on a VPN, in any case?

Here is the full log entry, if there's anything more you can see.  This is what happens when my PC (192.168.3.40) has a continuous ping to google.ie (193.120.166.95).  As I mentioned above, the first ~75 pings after a restart reply as normal, but then the new policy kicks in.  Why doesn't it kick in immediately?  None of this makes sense...

Sonicwall log entry
0
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 500 total points
ID: 39972826
The log entry shows that per the policy (firewall rules) interface X1 --> X0 does not allow ICMP through.

If you review the policy and believe this is adverse to the policy you will need to contact Sonicwall support for further assistance.
0
 

Author Comment

by:paulc2000
ID: 39972919
There is no such policy for the WAN interfaces, nor is there for the VPN.  I will contact SW support.  Thanks for your help.
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question