SonicWall Global VPN issue - intermittent packet loss

Hey Guys,

Bit of a weird issue here.
I have a SonicWall TZ200; it is doing DHCP for the VPN users, and it also does VPN for the LAN users.
This is a simple one-subnet network and a two-interface firewall: 1 LAN and 1 WAN.

The strange thing is I have managed to get the VPN connecting for my test user; we are using Global VPN Client.
We are getting massive packet loss: I am pinging things on the LAN and losing about 75% of packets.
Funny thing is some are going through, but all have big lag attached.

Unsure of what the issue really is yet.
My first thoughts are to do the below:
1) Use a manual IP on the virtual adapter
2) Change the version of sonicwall global vpn client

I am using a Windows 10 laptop for my test user who is connecting.

Asked by Mark Bill

J Spoor (TME) commented:
Suggest using a different IP scope for DHCP over VPN:
1) Create a new scope (e.g. 192.168.254.50 - 192.168.254.99, subnet mask 255.255.255.0, gateway 192.168.254.254) which is a unique IP subnet.
2) On DHCP over VPN, set the optional relay IP to an IP address in the same subnet but outside of the scope (e.g. 192.168.254.254).

This will overcome any IP conflicts and ARP issues.
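The two conditions in the comment above (a VPN scope on a subnet that does not overlap the LAN, and a relay IP inside that subnet but outside the leased range) are easy to get wrong by hand, so here is an added example that checks a proposed scope before it is typed into the firewall. This is not code from the original thread or from SonicWall; the `VpnScope` fields and the sample LAN subnet 192.168.1.0/24 are assumptions, and the scope values are the ones suggested in the comment.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnScope:
    """A DHCP-over-VPN scope as it would be entered on the firewall (field names are ours)."""
    first: str      # first address leased to VPN clients
    last: str       # last address leased to VPN clients
    netmask: str    # subnet mask handed to the clients
    gateway: str    # default gateway handed to the clients
    relay_ip: str   # "optional relay IP" the firewall sources DHCP from


def check_vpn_scope(scope: VpnScope, lan_subnets: list[str]) -> list[str]:
    """Return a list of problems with the scope; an empty list means it is clean.

    Checks, in the order the advice gives them:
      1. the scope's subnet overlaps no directly connected LAN (X0) subnet, so a
         VPN client can never be leased an address a LAN host already answers ARP for;
      2. first/last/gateway/relay all sit inside that subnet and are not the
         network or broadcast address, with first <= last;
      3. the relay IP (and the gateway) lie outside the leased range, so no client
         can be handed the address the firewall itself uses.
    """
    problems: list[str] = []
    first = ipaddress.ip_address(scope.first)
    last = ipaddress.ip_address(scope.last)
    gateway = ipaddress.ip_address(scope.gateway)
    relay = ipaddress.ip_address(scope.relay_ip)
    # strict=False lets us pass a host address plus mask and get the containing network
    net = ipaddress.ip_network(f"{scope.first}/{scope.netmask}", strict=False)

    for lan in lan_subnets:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if net.overlaps(lan_net):
            problems.append(f"scope subnet {net} overlaps LAN subnet {lan_net}")

    if first > last:
        problems.append(f"scope start {first} is after scope end {last}")
    for name, addr in (("last", last), ("gateway", gateway), ("relay", relay)):
        if addr not in net:
            problems.append(f"{name} {addr} is not inside {net}")
    for name, addr in (("first", first), ("last", last), ("gateway", gateway), ("relay", relay)):
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address of {net}")

    if first <= relay <= last:
        problems.append(f"relay {relay} lies inside the leased range {first}-{last}")
    if first <= gateway <= last:
        problems.append(f"gateway {gateway} lies inside the leased range {first}-{last}")
    return problems


if __name__ == "__main__":
    # The scope suggested in the thread, checked against an assumed 192.168.1.0/24 LAN.
    good = VpnScope("192.168.254.50", "192.168.254.99", "255.255.255.0",
                    "192.168.254.254", "192.168.254.254")
    # A scope carved out of the LAN itself, with the relay inside the pool: the
    # configuration the advice is steering away from.
    bad = VpnScope("192.168.1.100", "192.168.1.150", "255.255.255.0",
                   "192.168.1.1", "192.168.1.120")
    for label, scope in (("suggested scope", good), ("LAN-overlapping scope", bad)):
        print(label, "->", check_vpn_scope(scope, ["192.168.1.0/24"]) or "OK")
```

Run it once with the real X0 subnet (and any other directly connected networks) in `lan_subnets`; anything it reports is a conflict the firewall's GUI will happily let you save.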
Mark Bill (author) commented:
Cheers, in bad need of some help here. That is all I can say; I know you all feel me!

This is a very odd-looking issue. So I installed the newest version of Global VPN Client.
Still have roughly 7/10 packets dropping, but the response time has improved drastically.

Agreed J Spoor, exactly what I'm thinking right now, but that is not a nice fix for me :(. Brutal.
No support on the SonicWall. Disaster. This looks like a bug to me.
Mark Bill (author) commented:
Also not sure how I will use a different scope for DHCP over VPN, as all of the users here are using DHCP from the SonicWall (lol), I know.
Getting Active Directory DHCP is another day's work.

I guess I will just have to statically assign a new range by MAC to individual VPN users.
The users here have never had a VPN (lol again). So anything will really do.

Also seriously considering buying a SonicWall SRA.
J Spoor (TME) commented:
There are no known bugs regarding that.

It's usually environmental, or something inside the network triggering this.

In most cases there are ARP issues or IP conflicts when using the X0 LAN also for remote VPN clients, hence the suggestion to use a unique subnet.

Other VPN issues could have to do with fragmentation, but simple pings should not be impacted by that.

Also check what your Core0 is doing. Pings are processed by Core0, so if that's busy with something, pings will be impacted.
J Spoor (TME) commented:
SonicOS allows you to use different scopes inside the firewall for DHCP over VPN.
On the SonicWall itself, just create an interface-independent scope, and use the DHCP over VPN optional relay IP to start using that scope :)

SonicWall SMA (formerly known as SRA) is a really good alternative and may even be the better solution for remote access.

Especially for roaming users: hotels often don't allow IPsec out, but always allow HTTPS traffic :)
Mark Bill (author) commented:
Cheers J Spoor, my SonicWall is a bit out of date. Why would it be an ARP issue if 10-20% of pings are successful and very smooth?
It follows a pattern too, i.e. 3 successful, 7 unsuccessful; 4 successful, 7 unsuccessful, etc.
Always a bunch of successes followed by a bigger bunch of failures.

Very strange issue.
I am going to try your suggestion once I have a second.
Mark Bill (author) commented:
SRA is a much better solution; there are so many reasons we should not be doing VPN like this at FW level these days.
Really could do with getting this working for this guy today though.
Mark Bill (author) commented:
Really, really bizarre resolution. I was in the process of trying to get virtual IPs and interfaces set up for DHCP static as discussed.

I didn't think it was an ARP issue, tbh, with the intermittent pings being so consistent.

Don't know how this fixed it, but it did: keep split tunneling enabled, and enabling the two boxes below fixed it for me; the culprit looks to have been the "apply VPN policy" box. I also installed the GVPN client from just before the final firmware release for this firewall; this is a discontinued TZ200 I'm working on.
Mark Bill (author) commented:
Setting "default route as this gateway" and "apply VPN policy" with split tunneling enabled seems to have resolved the issue.

Sticking with this as the resolution. Some other bad config may be causing this, but unsure; I noticed that the Trusted Users group did not have VPN access configured, but this does not appear to be the cause of the issue, as I tested it.

Think this is a bug in SonicOS, or the FW is genuinely dropping packets; we don't have logs or syslog properly configured here.
Mark Bill (author) commented:
Resolved by poster.