Cannot map to network share on different domain with active site to site VPN


There is an active VPN between the two sites, green light on both Sonicwalls.

Despite the fact that there is an active site to site VPN, I cannot map a drive to a share in that domain, is there a further step I need to take to enable me to map a drive to the location?

Any help appreciated.

Tom CieslikIT EngineerCommented:
It's because your DNS in network A doesn't see the FQDN in network B.
You can try setting a second DNS address for SonicWall A to point to the DNS server on side B and vice versa, or if you don't want to play with the Sonic settings, you can set secondary DNS addresses on the client computers.
Another approach is to put the IP address with the domainA name in the hosts file of all domain B computers.
If both sites have a DNS server, you could add conditional forwarders.  

This allows the DNS server on site A to ask the DNS server on site B for a record (and vice versa) and pass it back to the client
Rob WilliamsCommented:
Can you map using the IP address?  i.e. does \\\ShareName work?  This eliminates DNS and NetBIOS issues, and if it works it verifies it's not a firewall or routing issue.

Keep in mind, by default the Windows firewall exception is usually for the local subnet only, you may need to add the remote subnet to the firewall exception or set to public.


mewtdAuthor Commented:
Hi, all, thank you for input.

Our DC is in a Datacenter, I am on a different subnet range, although this subnet range does authenticate via the domain controller in the datacenter.

So I cannot reach the share via name or IP address...

If I am on a remote server in the datacenter, I can map a drive no problem, but that ability was always there.
Rob WilliamsCommented:
>>"If I am on a remote server in the datacenter"  is this the same subnet from which you are trying to do the new mapping on a PC?

If you can authenticate, (those ports are usually open), it would indicate it is not a routing issue and probably not DNS, so I would look to the specific firewall rules on the server to which you are connecting.  It may have specific subnets for file and print sharing.

What is the actual error message you get when the connection fails?
mewtdAuthor Commented:
No, the office that I am in is on a different subnet to the datacenter. We authenticate to the data center domain controller, on that alternative subnet.

I can map to the data center subnet.
The data center subnet can map to the other office.
I cannot map directly to the other office though...
Rob WilliamsCommented:
Definitely sounds like a firewall exception to me.
mewtdAuthor Commented:
Ok, thanks Rob, can you advise what I should open on my SonicWALL side, and I will ask them to do the same at the other office?
Rob WilliamsCommented:
I think it is the server's built-in software firewall that is the issue, not the SonicWALL. Most site to site VPNs allow all traffic unless you create rules to block it.

You "should" be able to check the status of the Windows firewall on the server and change it using the simple management console: control panel | Windows firewall | Allow an app or feature through Windows firewall | File and printer sharing.
There are 3 boxes: domain, private, and public.  I suspect public is not selected, and thus limited to domain/local connections.
The better and more secure option is to use the Advanced settings and add only the remote subnet.  This is more involved as you have to locate all inbound rules pertaining to file and print; some may not be obvious.  For each rule open the properties and under the scope tab you can specify acceptable subnets, or all.  Be careful not to affect any rules that may already be in place.

The simple test however would be to temporarily disable the Windows firewall, just to see if it resolves the problem.
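The scope check described in the comment above, as an added PowerShell example that is not part of the original thread: it lists the enabled inbound File and Printer Sharing rules with their profiles and remote-address scope, then previews adding one remote subnet to rules that are limited to the local subnet. The subnet `192.0.2.0/24` is a constructed placeholder, and the group name assumes an English-language Windows install.

```powershell
# Run in an elevated PowerShell session on the file server.
# Assumption: constructed placeholder for the remote office subnet; replace it.
$RemoteSubnet = '192.0.2.0/24'

# 'File and Printer Sharing' is the English display name of the rule group.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }

# Show which profiles each rule applies to and which remote addresses it accepts.
$report = foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.Name
        DisplayName   = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = @($filter.RemoteAddress) -join ','
    }
}
$report | Format-Table -AutoSize

# Only touch rules scoped exactly to the local subnet. Rules already set to
# 'Any' or to a custom list are left alone so existing policy is not changed.
foreach ($row in $report | Where-Object { $_.RemoteAddress -eq 'LocalSubnet' }) {
    # -WhatIf previews the change; remove it to apply.
    Set-NetFirewallRule -Name $row.Name `
        -RemoteAddress @('LocalSubnet', $RemoteSubnet) -WhatIf
}
```

Scoping the rules to the one remote subnet keeps SMB closed to every other network that can reach the server, which ticking the Public profile box does not.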
mewtdAuthor Commented:
Hi Rob, thanks so much for your help here.
Firewall doesn't seem to be the issue. File sharing enabled on public, and not restricted to any domain.
I turned off the firewall completely, and still couldn't reach the mapping... so turned it back on, on the server.
Rob WilliamsCommented:
Just to confirm: your remote site and the server site are on different subnets?  They must be different. And, what is the error you get when the connection fails?
mewtdAuthor Commented:
Correct. I'm on one subnet, my server is on a second, and the mapping I'm trying to make is over to a third. I can map from my server to the third subnet, but not directly to it from my laptop.
Tom CieslikIT EngineerCommented:
There is something confusing here.
If you do have a site-to-site VPN and it's working then you should be able to ping anything by IP.
It doesn't matter if you are in subnet 192.168.1.x and the other site is 10.0.1.x.
Your firewall (SonicWall) is doing the routing on your gateway so all should work.

This was the setup I had 3 years ago when we moved our company from one location to another and it took 6 months to transfer all equipment and computers.

When you are doing a PING from then your route is through the gateway, and because the gateway has VPN tunneling with the other site, it is doing NAT between the 2 subnets.

If this is not working then something in your VPN configuration must not be right.

At the beginning you mentioned 2 sites connected, now you are talking about a 3rd one.
Is this third one connected via VPN to one of your sites A or B?
mewtdAuthor Commented:
Hi. So all head office servers are in a data centre, including domain controller. My office has a site to site VPN to the data centre. I log in and authenticate via that site to site vpn every day. If I rdp to any server in the data centre I can map to the third location from that server. What I can't do is ping or map directly from my office to the third location.
So three sites. Sites a and b are same domain, but different subnets. Site c is different domain (and subnet).
A can reach b.
B can reach c.
A can't reach c.
Rob WilliamsCommented:
If you are trying to go a=>b=>c you will need to define all the routes.  Any device, PC, printer, router, or server, only knows its own subnet and the gateway, i.e. the next hop.  If location C is not part of your default gateway subnet you need to statically define the route on each router, as well as the return route to your PC.  Sorry, I thought the server to which you were authenticating was also the one with the share.
Tom CieslikIT EngineerCommented:
I log in and authenticate via that site to site vpn every day.

Let's say the server is site A, your network is side B and between them you have a VPN. You've never specified how side C is connected and where:
to your location via VPN or to the side A location via VPN.

If it is under a different domain (domain C) and you're authenticating to domain A then it's normal that you can't map drives on side C since you're not authenticated there.

You need to make a triangle to make this work.

You need a VPN between you (side B) and the DC on side A - this one you have now. You also need a VPN between you and side C and between side C and side A,
but even then, if you are going to be authenticated to side A without trust between A and C, there is no way you'll get access there, or you need to map the drive to side C using different credentials.
mewtdAuthor Commented:
Hi, I cannot map a drive to the domain site, even with domain admin credentials for that site.

Neither can I ping to a server on that domain.

And yet I have an active VPN to that site.
Tom CieslikIT EngineerCommented:
Are you connected to Side A at the same moment when you're connected to side C?
mewtdAuthor Commented:
I have the exact same situation with a different office and it is working perfectly for that office.
Tom CieslikIT EngineerCommented:
It's going to be hard to help you since you're not answering any of the questions I've asked.
mewtdAuthor Commented:
Hi Tom, I'm sorry, but I don't understand your question, that's why I didn't attempt to answer it.

What does this mean?

"Are you connected to Side A at the same moment when you're connected to side C?"
Tom CieslikIT EngineerCommented:
OK, let's start again

Side A =====Side B - VPN, maps to shares OK
You(side C on different subnet) =====Side A, OK via authentication, map shares OK
You(side C) ======= Side B, no communication

Like I said before, there is no direct ROUTE between you (side C) and Side B.

You can check this by typing Route Print in a CMD window.

The only way for you to be able to connect is to create a route from your side C to Side B or establish a VPN connection from your subnet to Side B.
mewtdAuthor Commented:
Hi Tom,

"The only way for you to be able to connect is to create a route from your side C to Side B or establish a VPN connection from your subnet to Side B."

But I have said from the very first post that I have an active VPN connection from my site (C) and site B.

There is an active VPN connection from my site to Site B.
It has a green light. Connection is up.

I cannot map a drive to Site B.

Create a route from my PC to Site B might be the answer?? That sounds interesting... I will try that!
mewtdAuthor Commented:

I added a route on my PC to the IP range of the site B, and although the command completed successfully, I still cannot even ping something on that range...
Tom CieslikIT EngineerCommented:
Can you post Ipconfig /all from your workstation (side C) when the 2 VPN connections are active?
mewtdAuthor Commented:
Hi Tom,

Here is an ipconfig /all from my PC which is on site C:

Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

Q:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : PCNAME
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . :

Ethernet adapter Ethernet 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Sophos SSL VPN Adapter
   Physical Address. . . . . . . . . : 00-FF-66-77-E0-A2
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : F0-91-1C-77-43-5C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Lease Obtained. . . . . . . . . . : 05 December 2017 09:16:29
   Lease Expires . . . . . . . . . . : 06 December 2017 09:16:29
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM943228HM4L 802.11a/b/g/n 2x2 WiFi Adapter
   Physical Address. . . . . . . . . : 34-AX-87-BD-47-81
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 36-55-87-BD-72-86
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physical Address. . . . . . . . . : 80-56-F2-D0-22-37
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tom CieslikIT EngineerCommented:

It looks like your DHCP is on your router and your DNS is from a different subnet.

Your IP
Your DHCP and Gateway
Your DNS

So if I understand right, your router has 2 VPN connections, to side A and B, active now, right?
This is probably a site-to-site VPN.

Is this VPN set identically for both sites?

To me it looks like your firewall is not creating a route from your subnet to site B. This can be caused because your VPN 2 connection is not Trusted or is inactive.
Check in the SonicWall if you have 2 tunnels active.
mewtdAuthor Commented:
Hi Tom,
The office I am in (Site C) has its own SonicWALL which hands out IP addresses in the 10.0 range.

The domain controller is in site A (which is the 1.0 subnet). That domain controller does the authentication for the office here.

So, yes, our SonicWALL in the office has two active VPN connections.
1 to the Data center, to the servers on the 1.0 range.
2 to the other office which is on a completely different subnet range (90.0)

VPN looks identical from both sides, it is also active from both sides.

How do I create a route to the 90.0 subnet from my SonicWALL here on the 10.0 subnet?
Rob WilliamsCommented:
We already discussed using the IP such as \\\Sharename, but I see you have Google as alternate DNS servers.  This is a definite "no no", but especially when connecting to remote sites.  DNS does not wait for the first DNS server to time out before connecting to a second.  Thus the second, Google, will likely respond first and advise it cannot resolve the name, and that is the end of the session.  You should ONLY list the corporate DNS server in the DNS config, or use the IP.  Also, is the PC a member of the Domain?  I see domain.local.  Is that just edited for security?
mewtdAuthor Commented:
Hi Rob,
I cannot map to the IP address\sharename
I removed all references to Google in the DNS for the domain controller, and re-started DNS service.
No change, unfortunately.
My pc is a member of a domain, but remember the DC that it authenticates to is located in a data center, the 1.0 subnet.

I just edited domain.local for security...
Rob WilliamsCommented:
You mentioned it didn't work before, but I thought it was a good idea to remove any other potential problems.  It does sound like a routing issue.  You mention Sophos VPN; does it have any restrictions?  I don't know Sophos but some require you to set subnets as trusted.
mewtdAuthor Commented:
Does sound like a routing issue, so can you advise on setting up a direct route between the two sonicwalls (from site C to site B)?
Rob WilliamsCommented:
I am afraid I am no help with SonicWALLs.  You can do it with static routes  if you have access to all the devices.

Assume:  Site A 192.168.20.x <=> VPN <=> Site B 192.168.10.x <=> VPN <=> Site C 192.168.1.x
G = IP of local VPN router

You would need static routes similar to below.  These are Windows commands; you will need the VPN router commands or a GUI to achieve the same.
On the site A router route -p add mask  192.168.20.G
On the site B router route -p add mask  192.168.10.G
On the site B router route -p add mask  192.168.10.G
On the site C router route -p add mask  192.168.1.G

The site B router entries may not be necessary if covered by default VPN routing
Tom CieslikIT EngineerCommented:
Go to system, packet monitor and enable a filter for the IP you want to ping, then ping -t an IP on the other VPN site.
Check in the monitor what the response from the SonicWall is, if the route is available and what is blocking your route.
mewtdAuthor Commented:
Hi Tom,
On the SonicWALL, put a filter on for site B and started a capture.

Started a constant ping to that IP but it never returned a response and SonicWALL never captured anything.

If I do a tracert to the IP, it immediately returns to say "Unable to resolve target system name"
Tom CieslikIT EngineerCommented:
If side B has a DNS server or DC, as a test try putting this DNS IP as your secondary DNS in the NIC properties and try again.
mewtdAuthor Commented:
Hi Tom,

I tried adding the Server B DNS address in as secondary DNS on my DC, but unfortunately no change. Cannot even ping the server, never mind map a drive to it.

@Rob - adding the static routes, is that something you suggest I do on the SonicWALL here, or on the client PC. I believe I tried adding a  route yesterday on my PC, but unfortunately it made no difference.
Tom CieslikIT EngineerCommented:
This is a very strange situation or you've missed something.
You stated you have a VPN between you - side C and side B but you can't do anything.
Are you sure the VPN is working (apart from the green lights in the SonicWall)?
Are you able to ping your network from side B? (Try using a remote connection, VNC or TeamViewer and confirm.)
If not then I think you must re-design your VPN on both routers, side B and side C.
mewtdAuthor Commented:
Hi Tom, it is indeed a very strange situation!!!

VPN is active, yet I cannot do anything, correct!
Tom CieslikIT EngineerCommented:
Again... are you sure the VPN is working? Did you test it from side B to C?
If you can't do anything from side C to B then it is NOT WORKING!!!
mewtdAuthor Commented:
Well I can only go by the VPN indicator on the Sonicwalls, both of which tell me the VPN is UP!

Is this SonicWALL VPN indicator unreliable?
Tom CieslikIT EngineerCommented:
If you have a problem with routing I would like to know if the problem is only from your computer on side C to Side B or if it is also from Side B to Side C.
If there is a 2-way communication problem then yes, the VPN is not working.

Indicator is checking only heartbeats, not real traffic.
mewtdAuthor Commented:
Both ways, Tom. I cannot ping or map from my side C to side B, and also from side B I cannot ping or map back to here...
Tom CieslikIT EngineerCommented:
Then I think your VPN is not working.
Try disabling this VPN connection and, since you have access to both sides via some remote software, create a new VPN tunnel between side B and C from scratch. In SonicWall there is a Wizard that will help you with this task and it's very easy to set up a Site-to-Site VPN.
Rob WilliamsCommented:
Ping is not really a good test as at least Windows devices do not enable the firewall ping exception by default.
I am also wondering if at log on it is not actually authenticating but rather using cached credentials which will work even with the network cable disconnected.
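A client-side check that does not rely on ping or on the tunnel indicator, as an added PowerShell example that is not part of the original thread: it reports which route and next hop Windows picks for the remote file server, whether TCP 445 (SMB) actually connects, and which DNS servers the outgoing interface uses. The function name `Test-SmbPath` and the address `192.0.2.10` are hypothetical placeholders.

```powershell
function Test-SmbPath {
    param(
        # IP address of the file server at the remote site
        [Parameter(Mandatory)] [string] $TargetIP,
        # SMB over TCP; ICMP is deliberately not used as the test
        [int] $Port = 445
    )

    # Find-NetRoute returns the local source address and the route that
    # Windows would select for this destination.
    $found = Find-NetRoute -RemoteIPAddress $TargetIP
    $src   = $found | Where-Object { $_.IPAddress }         | Select-Object -First 1
    $route = $found | Where-Object { $_.DestinationPrefix } | Select-Object -First 1

    # A real TCP handshake to the SMB port. This fails if routing, NAT or a
    # firewall anywhere on the path drops the traffic, even with the tunnel "up".
    $tcp = Test-NetConnection -ComputerName $TargetIP -Port $Port `
        -WarningAction SilentlyContinue

    # DNS servers on the interface the traffic leaves through.
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $route.InterfaceIndex `
        -AddressFamily IPv4).ServerAddresses

    [pscustomobject]@{
        Target        = $TargetIP
        SourceAddress = $src.IPAddress
        MatchedRoute  = $route.DestinationPrefix
        NextHop       = $route.NextHop
        ViaDefaultGw  = ($route.DestinationPrefix -eq '0.0.0.0/0')
        TcpReachable  = $tcp.TcpTestSucceeded
        DnsServers    = $dns -join ','
    }
}

# Constructed placeholder address for the remote server.
Test-SmbPath -TargetIP '192.0.2.10'
```

If `ViaDefaultGw` is true, `NextHop` is the local VPN router and `TcpReachable` is false, the PC is handing the traffic to the gateway correctly and the fault lies in the tunnel, NAT or routing configuration on the gateways rather than on the client.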
Rob WilliamsCommented:
PS- does    \\IP_of_domain_controller\NETLOGON  display anything
Tom CieslikIT EngineerCommented:
Rob... he has said:
If I do a tracert to the IP, it immediately returns to say "Unable to resolve target system name"

It looks like there is no active VPN or something is messing up with his route
mewtdAuthor Commented:

I have logged on to my laptop as different user, who has not logged on to my laptop before so definitely not on cached credentials, and that account could not ping or map.

 \\IP_of_domain_controller\NETLOGON  brought me to folder with all the login scripts for my domain
Tom CieslikIT EngineerCommented:
Like I said before, if you can't trace the route from Side B to your laptop IP on side C, then for 99% the VPN is not working or is set up with an error.
mewtdAuthor Commented:
OK, I deleted the VPN.

Used the wizard to re-create it.

VPN was down!

Went into settings, and saw that the wizard had made the VPN aggressive mode.
Changed this to main mode.

VPN came up immediately, with big green light.
Rob WilliamsCommented:
>" \\IP_of_domain_controller\NETLOGON  brought me to folder with all the login scripts for my domain "
Then the VPN is up and running.
Tracert will not work if Pings are blocked
mewtdAuthor Commented:
Rob, I was on my own laptop, logged on to my own domain,  \\IP_of_domain_controller\NETLOGON  brought me to my own server.
mewtdAuthor Commented:
When I run that command for the remote domain IP I get "Network access is denied"
Tom CieslikIT EngineerCommented:
There is an option to Disable (not delete) VPN.
Can you, as a test only, disable the VPN to your main office A, then check if you are going to be able to PING one of the Office B IP addresses? Also try to connect from B to C.
mewtdAuthor Commented:
Hi, no luck unfortunately.
I spoke with sonicwall support. They said other office has NAT rules applied for the VPN which aren't necessary. I have asked admin on their end to remove, and we'll see if that helps...
Tom CieslikIT EngineerCommented:
A Site-to-Site VPN should have NAT disabled by definition.
If you're using the Wizard to create a Site-to-Site VPN, NAT is disabled by default.
mewtdAuthor Commented:
Hi Tom, I did not have NAT enabled on my side, do you agree that this is likely to be the problem? If so, happy to close question...
Tom CieslikIT EngineerCommented:
Yes, because if you are trying to PING, let's say, (server on site B) and this IP is not present on the other end of the VPN because of NAT, then you are not going to be able to PING or access the IP you want.

That's why I asked you if VPN settings are correct
mewtdAuthor Commented:
This was always trickier because I could only see one sonicwall, I am grateful for all troubleshooting, and will close now...
Rob WilliamsCommented:
Glad to hear you resolved.  Thanks mewtd.