Webcc (United States) asked:

Sonicwall SSLVPN - Get connected but no LAN access

Given all the posts here and elsewhere this seems to be a common problem.
I have a TZ215 running SonicOS 5.9.  I'm able to get connected with NetExtender, but cannot gain access to the LAN subnet.

Have an IP pool set up for addresses which are on the same subnet as the primary subnet (X0). These addresses are specifically for VPN users and are not otherwise used (no conflicts). Tried pinging from both sides with no response (VPN client to LAN subnet and Office LAN subnet to address assigned to VPN client).

Here are some of the settings:
SSL VPN -- Client Settings -- Client Route tab - is set to Lan Primary Subnet.
Users -- Local Groups -- SSLVPN Services -- VPN Access -- is set to Lan Primary Subnet.
Firewall -- Access Rules -- SSLVPN --> LAN is enabled for any service (Checked from LAN --> SSLVPN and that is setup correctly as well).
Users are set up with the proper SSLVPN Services group.

Have set up newer units without much effort, but they have different configuration parameters.

Would appreciate any help!
J Spoor (Netherlands):

Could be a routing issue, is the LAN subnet using the SonicWall as default gateway?

I prefer to use a unique Subnet / IP range outside of the LAN Subnet myself, this helps overcome possible IP Conflicts and routing issues.
Webcc (asker):

So, would I have to set up an unused interface for another subnet and then change my SSL VPN IP pool?
How would I accomplish this - step by step?

I did notice I can now ping the Sonicwall X0 interface and a couple printers on the LAN, but still cannot ping the server and cannot access the WEB interface of those printers......

Thank you
With 5.9 you can assign an interface-independent subnet.

Are you using Windows Firewall on the server? That might block access from non-domain computers.
Hi Webcc,

Given all the posts here and elsewhere this seems to be a common problem.
Yes, there are a lot of misconfigurations out there, but either people do not know how to properly set up SSL-VPN or the issue is not related to SSL-VPN but rather to other misconfigurations in their environment.

If you can ping some of the resources then you are establishing connectivity in the Zone, moreover the subnet. So to clarify, are you receiving an IP address within the desired subnet? Perform a packet capture from the SonicWALL or from the SSL-VPN client. Tell me what causes the drop, e.g. Policy Dropped, etc.

Do you have any bridged Interfaces, and are they assigned a different Zone? The server that isn't reachable could be in the other assigned Zone and will not work as you have intended. If that is the case you would need to go to Access Rules and allow access from SSL-VPN > {other_Zone}.

Also, if you couldn't ping the server, look at its Windows Firewall Rules to make sure: 1) Ping is allowed, and 2) that the correct subnets are allowed (make sure the subnets are congruent). Again, if it's in a different subnet, ping will most likely be blocked unless explicitly allowed.

All users of the SSL-VPN can see the routes specified in the Client Routes section but without appropriate VPN Access on their User or Group they will not be able to access everything shown in the routes. Make sure to set VPN Access appropriately. Have you enabled Tunnel All mode (you should for security reasons!)? Have you specified the DNS and WINS (if applicable) info of your network specific DNS server/s (this should not be a Public DNS but rather internal DNS)?

Make sure your LAN Primary Subnet is in fact where your server and printers reside. Otherwise use Interface specific names, e.g. X0 Subnets, etc. Verify your SSL-VPN binding is to the correct Interface and related subnet.

Lastly, verify the users or User Group are in fact assigned to the SSLVPN Services group by going to Users > Local Groups and expanding the group to reveal the SSLVPN Services group. Also, verify the SSLVPN Services group is showing the Primary LAN Subnet as its access assignment by going to Users > Local Groups and hovering over the Comments icon under the VPN Access column.

I look forward to hearing your results!
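The checks above boil down to three things that must agree: the client's address must come from the configured pool, the target must be covered by a Client Route, and the user or group's VPN Access must also cover it. The script below, an added example that is not part of this thread, cross-checks those with Python's ipaddress module; it also flags a pool that overlaps the LAN subnet, since J Spoor recommended a disjoint range. The /27 pool and the two target hosts are constructed values; only the 192.168.250.0/24 subnet and the .236 client address come from the thread.

```python
import ipaddress


def audit_sslvpn(client_ip, lan_subnet, ip_pool, client_routes, vpn_access, targets):
    """Cross-check a NetExtender setup the way the thread walks through it.

    Returns {'pool': [findings], 'targets': {ip: {routed, allowed, reachable_by_config}}}.
    'routed' means a Client Route covers the host; 'allowed' means the user/group
    VPN Access covers it. Both must be True for the firewall to pass the traffic.
    """
    ip = ipaddress.ip_address(client_ip)
    lan = ipaddress.ip_network(lan_subnet)
    pool = ipaddress.ip_network(ip_pool)
    routes = [ipaddress.ip_network(r) for r in client_routes]
    access = [ipaddress.ip_network(a) for a in vpn_access]

    pool_findings = []
    if ip not in pool:
        pool_findings.append("client address is outside the configured IP pool")
    if pool.overlaps(lan):
        # A pool carved out of the LAN works but invites conflicts and
        # routing ambiguity; a disjoint range keeps the path unambiguous.
        pool_findings.append("pool overlaps LAN subnet: prefer a disjoint range")

    per_target = {}
    for t in targets:
        addr = ipaddress.ip_address(t)
        routed = any(addr in r for r in routes)
        allowed = any(addr in a for a in access)
        per_target[t] = {
            "routed": routed,
            "allowed": allowed,
            "reachable_by_config": routed and allowed,
        }
    return {"pool": pool_findings, "targets": per_target}


if __name__ == "__main__":
    # Constructed scenario mirroring the asker: pool inside the X0 subnet.
    result = audit_sslvpn(
        client_ip="192.168.250.236",
        lan_subnet="192.168.250.0/24",
        ip_pool="192.168.250.224/27",            # assumed pool range
        client_routes=["192.168.250.0/24"],      # LAN Primary Subnet
        vpn_access=["192.168.250.0/24"],         # group VPN Access
        targets=["192.168.250.10", "10.0.1.5"],  # assumed server and off-subnet host
    )
    for finding in result["pool"]:
        print("pool:", finding)
    for host, flags in result["targets"].items():
        print(host, flags)
```

A host reported as routed but not allowed is exactly the case described above: the client sees the route, but the missing VPN Access entry stops the traffic at the firewall.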
Webcc (asker):

Hello Blue Street Tech,

I've attached a doc with some screen captures i.e., packet monitor and configuration information.

I am receiving IP address 192.168.250.236 which is on the primary subnet (192.168.250.0/24).
I can ping all the printers and Sonicwall X0 interface, but not the Windows server. Can access the Sonicwall Web interface, but not all the printers' Web interfaces - strange.

Just to note - when I connect with the Global VPN client I have no issues at all. Just wondering if maybe a reboot should be executed before proceeding.....

No bridged interfaces and the zones are correct.
Shut down the software firewall on the server (Trend Micro).

Your help is appreciated!
Attachment: TZ215-Info.rtf
Thanks for the info!

Can you select Export To in the Packet Capture and export to Text. Then attach it!
Webcc (asker):

Problem cleared.