Solved

Can't ping hosts on VPN or any external hosts (e.g. google.com)

Posted on 2014-04-02
Last Modified: 2014-11-11
Hi all,

I just noticed today that I can no longer ping any of our VPN endpoints (all Sonicwalls), though our own SW reports that the VPNs are active.  I also cannot ping any external hosts, such as google.com, yahoo.com, etc...

I just noticed this today, it's certainly a very new problem, as I have batch files written that ping our various VPN endpoints, and I run them frequently if there's ever an issue, or I want to confirm connectivity, and they have always worked before.

If I use a different Internet connection (not connected to the SW), I can ping Google etc, so it's not a Windows issue.  I have done 2 soft restarts and 1 hard restart on our SW.  Immediately after restarting, the SW allows pings to all of the locations I mentioned above, but then the replies stop, about 20-30 seconds after restarting.  Around the same time, I see in the logs this message:

ICMP packet dropped due to policy

The funny part in all this, is that the SW has not been changed in months, so I don't get why it's suddenly blocking all these outbound pings.

Does anyone know what I could check or change to restore the ability to ping?

Thanks

Paul
0
Question by:paulc2000
6 Comments
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972569
Sounds like you have ICMP disabled in your Sonicwalls. Check there; likely everything is working fine, but the Sonicwall configuration was updated to disallow this at some point by someone.
0
 

Author Comment

by:paulc2000
ID: 39972620
Thanks, but nothing was changed.

Anyway, how do I enable it?  Googling it just shows how to set up the Sonicwall to respond to pings.
0
 
LVL 10

Expert Comment

by:0xSaPx0
ID: 39972625
Well something has changed, you used to be able to ping and now you cannot.

The messages you are getting via the log are from the Sonicwalls saying ICMP is not permitted by the policy, so most likely the policy used by the Sonicwalls is disabling ICMP.
0

Author Comment

by:paulc2000
ID: 39972817
I can't see what policy is blocking it, and I don't understand why a ping would be blocked on a VPN, in any case?

Here is the full log entry, if there's anything more you can see.  This is what happens when my PC (192.168.3.40) has a continuous ping to google.ie (193.120.166.95).  As I mentioned above, the first ~75 pings after a restart reply as normal, but then the new policy kicks in.  Why doesn't it kick in immediately?  None of this makes sense...

Sonicwall log entry
0
 
LVL 10

Accepted Solution

by:
0xSaPx0 earned 500 total points
ID: 39972826
The log entry shows that per the policy (firewall rules) interface X1 --> X0 does not allow ICMP through.

If you review the policy and believe this is adverse to the policy you will need to contact Sonicwall support for further assistance.
0
 

Author Comment

by:paulc2000
ID: 39972919
There is no such policy for the WAN interfaces, nor is there for the VPN.  I will contact SW support.  Thanks for your help.
0

Question has a verified solution.