SonicWall NetExtender connects but fails to pass traffic

SonicWall NSA 3400, connecting over SSL VPN using NetExtender 8.0. I am getting the correct IP upon connection. I've added routes to all the internal subnets. However, I can't even ping the DGW.

Asked by Ben Hart



Can I double check you have put in the firewall rule to allow the traffic?
VPN > LAN
all VPN clients > LAN IP addrs > allow?
Blue Street Tech commented:
Hi Ben,

If it is handing out the IP you should be passing traffic.

Where is your DHCP located?
Are you using Tunnel All Mode or Split Tunnel?
Make sure your Client Routes are set up correctly.

Go under Users > Local groups, ensure that the relevant user group is a member of the “SSLVPN Services” group:

Under Users > Local groups, ensure that the “SSLVPN Services” group has VPN access to LAN Subnets. In case it doesn't have such access, click on the Configure button for the "SSLVPN Services" group and go to the VPN Access tab.
Add LAN Subnets to Access List.

Go to SSL VPN > Client Settings and then to Network > Interfaces and check if the NetExtender IP range is the same as on the interface to which it is related (X0 in the example).

In Network > Interfaces click "Add Interface" and configure it with a different range of IP addresses.

Go to SSL VPN > Client Settings and change the interface to the virtual interface created above, then modify the NetExtender Start and End IP to the range for that interface.

Now test it by reconnecting to the SSL VPN using NetExtender.
An IP address from the new range should be assigned.
Open a command line and try to ping any device in the LAN from a PC connected via NetExtender; you should receive a response.

Let me know how it goes!
Ben Hart (Author) commented:
Thanks diverse. I did some other testing before you posted this that might conflict. So the current situation is:

SSL VPN IP range:
SSL VPN DNS: (valid)

Connecting from a client I can ping the SSL VPN interface X4 @ and any host on the LAN interface (or my core switches' VLAN1) of
I cannot ping any host on any other subnet in my VLANs address group, which includes:,,

The VLANs address group was added to the list under Users > Local Users for SSLVPN Services access.

As a test I removed the VLANs entry and added my servers VLAN entry. Cannot ping.

This is set up for Tunnel All mode, and my DHCP is not handling the SSL VPN scope; the SonicWall is set up to dole those IPs out. Which I just discovered: my client is missing a DGW on the NetExtender interface. Maybe that's a problem.
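The missing default gateway observed above is a client-side routing question rather than a firewall one: a host can only send a packet into the tunnel if its route table points that destination at the NetExtender adapter. The following Python is an added example (not from this thread or from SonicWall) that performs the longest-prefix lookup a client does, over a constructed `route print`-style table. The addresses, the adapter IP 10.200.0.5 and the "On-link" gateway text are all made up for illustration; the point is to see which destinations would actually leave via the VPN adapter in a split-tunnel table, and what changes when a default route via that adapter (what Tunnel All mode should provide) is present.

```python
"""Route-table check for a VPN client: which destinations go via the VPN adapter?
Added example, not from the original thread; every address below is constructed."""
import ipaddress

# Constructed sample in `route print` layout: a split-tunnel client whose
# NetExtender adapter holds 10.200.0.5 and was pushed a route for 10.10.1.0/24 only.
SAMPLE_ROUTE_TABLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
      10.10.1.0    255.255.255.0         On-link      10.200.0.5      1
     10.200.0.0    255.255.255.0         On-link      10.200.0.5      1
    192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
"""

# Constructed extra line: a default route via the VPN adapter, as Tunnel All mode would add.
TUNNEL_ALL_DEFAULT_LINE = "          0.0.0.0          0.0.0.0         On-link      10.200.0.5      1\n"


def parse_route_table(text):
    """Parse `route print`-style lines into (network, gateway, interface_ip, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Network":  # skip header and blank lines
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, ipaddress.ip_address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; the lowest metric breaks ties. Returns a route or None."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def reachability_via_vpn(routes, vpn_if_ip, targets):
    """Map each target to True if its best route leaves through the VPN adapter."""
    vpn_if_ip = ipaddress.ip_address(vpn_if_ip)
    result = {}
    for target in targets:
        route = lookup(routes, target)
        result[target] = route is not None and route[2] == vpn_if_ip
    return result


def has_default_via(routes, vpn_if_ip):
    """True if the winning default route (0.0.0.0/0) uses the VPN adapter."""
    route = lookup(routes, "0.0.0.0")
    return route is not None and route[2] == ipaddress.ip_address(vpn_if_ip)


if __name__ == "__main__":
    split = parse_route_table(SAMPLE_ROUTE_TABLE)
    print("split tunnel:", reachability_via_vpn(split, "10.200.0.5", ["10.10.1.20", "10.20.5.9"]))
    print("default via VPN:", has_default_via(split, "10.200.0.5"))
    full = parse_route_table(SAMPLE_ROUTE_TABLE + TUNNEL_ALL_DEFAULT_LINE)
    print("tunnel all:", reachability_via_vpn(full, "10.200.0.5", ["10.10.1.20", "10.20.5.9"]))
    print("default via VPN:", has_default_via(full, "10.200.0.5"))
```

In the split-tunnel table the VLAN host 10.20.5.9 matches only the physical NIC's default route, so the ping never enters the tunnel regardless of what the firewall allows; once a lower-metric default route via the adapter is present, the same lookup selects the VPN path. Running the real `route print` output through `parse_route_table` gives the same answer for a live client.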

Sorry, I'll repeat mine; I think it got overlooked.
Can I double check you have put in the firewall rule to allow the traffic?
 VPN > LAN
 all VPN clients > LAN IP addrs > allow?
Let me make it more complicated..
SonicWall, at least my NSA 5600 units, adds firewall rules by default to the interface VPN and my LAN (interface 1x).
That default rule says allow all traffic from VPN to LAN subnets.
(So what you are experiencing is what has happened: "Connecting from a client I can ping the sslvpn interface X4 @ and any host on the Lan interface (or my core switches VLan1) of".)
This is great if you use your NSA as a router too, so it knows of your entire internal subnet ranges.
If, like me, you don't, then the NSA will only know about the range you have put on the "LAN" interface, thereby only allowing traffic between your LAN subnet and VPN clients.
(Again: "I can ping the sslvpn interface X4 @ and any host on the Lan interface".)
So if you add a rule allowing all VPN DHCP clients to all internal addresses you will then have comms.
I have 2 address objects: 1 called "VPN clients" contains the address range the VPN clients get when connecting; the other is called "internal clients" and contains all subnets on my network. I use super subnetting so I don't have a massive list.
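The rule check the commenter asks for can be reasoned about mechanically. Below is an added example (not SonicOS code and not from this thread) of a simplified zone-based access-rule evaluator: address objects and groups resolve to networks, a destination's zone is the one holding the interface subnet that contains it, and the first matching rule wins with an implicit deny. The object names "VPN Clients", "LAN Subnets", "VLANs" and "Internal Clients", the zone names SSLVPN and LAN, and all the 10.x ranges are constructed for illustration. It shows the situation described above: a default "VPN Clients to LAN Subnets" rule covers only the X0 subnet, so a routed VLAN host is denied until a rule to a group (or a supernet object) covering the other subnets is added. If the model says "allow" but pings still fail, the cause is not the access rule and client routing is the next thing to check.

```python
"""Simplified zone-based access-rule evaluation for the VPN -> LAN question.
Added example, not SonicOS's rule engine; objects, zones and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str      # address object or group name
    dst: str      # address object or group name
    action: str   # "allow" or "deny"


def expand(objects, name):
    """Resolve an address object or group name into a flat list of networks."""
    nets = []
    for entry in objects[name]:
        if isinstance(entry, str):          # group member naming another object
            nets.extend(expand(objects, entry))
        else:
            nets.append(entry)
    return nets


def matches(objects, name, ip):
    return any(ip in net for net in expand(objects, name))


def zone_of(zone_map, ip):
    """Zone holding the most specific interface subnet that contains ip, or None."""
    best = None
    for zone, nets in zone_map.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (zone, net)
    return best[0] if best else None


def evaluate(rules, objects, zone_map, src_ip, dst_ip):
    """First matching rule wins; traffic with no matching rule is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_zone, dst_zone = zone_of(zone_map, src), zone_of(zone_map, dst)
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and matches(objects, rule.src, src) and matches(objects, rule.dst, dst)):
            return rule.action
    return "deny"


# Constructed address objects: strings inside a list are group members.
N = ipaddress.ip_network
OBJECTS = {
    "VPN Clients": [N("10.200.0.0/24")],          # pool handed to NetExtender users
    "X0 Subnet": [N("10.10.1.0/24")],
    "LAN Subnets": ["X0 Subnet"],                 # only the directly attached LAN range
    "Servers VLAN": [N("10.20.5.0/24")],
    "Users VLAN": [N("10.30.0.0/24")],
    "VLANs": ["Servers VLAN", "Users VLAN"],      # group of the routed VLANs
    "Internal Clients": [N("10.0.0.0/8")],        # one supernet covering every internal range
}

# Constructed zone map: which subnets sit behind which zone.
ZONES = {
    "SSLVPN": [N("10.200.0.0/24")],
    "LAN": [N("10.10.1.0/24"), N("10.20.5.0/24"), N("10.30.0.0/24")],
}

DEFAULT_RULES = [Rule("SSLVPN", "LAN", "VPN Clients", "LAN Subnets", "allow")]
VLAN_GROUP_RULES = DEFAULT_RULES + [Rule("SSLVPN", "LAN", "VPN Clients", "VLANs", "allow")]
SUPERNET_RULES = DEFAULT_RULES + [Rule("SSLVPN", "LAN", "VPN Clients", "Internal Clients", "allow")]


if __name__ == "__main__":
    for label, rules in [("default", DEFAULT_RULES), ("vlan group", VLAN_GROUP_RULES), ("supernet", SUPERNET_RULES)]:
        for target in ["10.10.1.20", "10.20.5.9", "10.30.0.7"]:
            print(f"{label:10} 10.200.0.5 -> {target}: {evaluate(rules, OBJECTS, ZONES, '10.200.0.5', target)}")
```

The two fixes differ only in maintenance cost: a group of per-VLAN objects must be updated whenever a subnet is added, while a supernet object stays correct as long as new subnets are carved from the same aggregate, which is the "super subnetting" approach the commenter describes.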
Ben Hart (Author) commented:
No, sadly we do use our SonicWall as a router internally (not my choice). However, my SonicWall does have an address object for every subnet we have. Looking under the Firewall settings I have rules for the following:

LAN > SSLVPN (for all subnets including X4 Subnet and X0 Subnet, also Any)
SSLVPN > LAN (same as above)

I tried it this way as a last-ditch effort after having an address group of VLANs that encompassed all of those, which did not work as well.
Blue Street Tech commented:
Did you mean NSA ? To my knowledge there is no 3400 in existence.

In any case, for Tunnel All mode you need to allow “WAN RemoteAccess Networks” (a network address object whose value acts like a default route), and the Tunnel All option must be selected on the Client Routes page. The method is appropriate when the administrator wants all of their NetExtender users to have their internet access provided through the SSL VPN. Be sure that you are not overwhelming the internet bandwidth at the location where the firewall is installed, as this traffic will be added to the other loads from inside the network. To do this, follow the step below:

On the Users > Local Groups screen, configure SSLVPN Services group and under tab “VPN Access,” add the object WAN RemoteAccess Networks.

Tunnel All mode should provide you with a DGW.
