• Status: Solved
  • Priority: High
  • Security: Public

VPN, Ping Problem

Hi All,

My company scenario:

I have connected the branch office to the main office using a VPN.

The main office is running in a domain environment and uses a WatchGuard firewall.
The branch office is running in a workgroup environment and uses a Billion VPN Wi-Fi router.

The VPN has been set up between the WatchGuard firewall (XTM26) and the Billion Wi-Fi router (BiPAC 8920NZ).

The VPN is working fine. I am able to take remote control of all the computers located in the branch office using "Microsoft Remote Desktop" from the main office.

Problem:

I am not able to ping any of the branch office computers. I can ping the branch office Wi-Fi router and network printer only. What could be the reason?
Asked by: Mitul Prajapati
 
Tom Cieslik (IT Engineer) commented:
If you can ping printers on the other site of the VPN tunnel, then it means the tunnel is working OK and the firewall is not blocking your PING request.
If you can remote to the computers, make sure that the File and Printer Sharing service is ON on the remote workstation and that there is no rule in GPO for firewall settings that is blocking PING.
For testing only, you can turn OFF the firewall on one of the remote computers and check if PING will work.

Mitul Prajapati (Junior IT Engineer, Author) commented:
Hi Tom,

Thank you for getting back to my question soon.

I already have checked for file and printer sharing service on all the computers in branch office. They all can PING each other without any issue.

Tom Cieslik (IT Engineer) commented:
Hm... you said you can ping printers inside this network; are they connected to the same subnet/switch as the computers?
Can you try to PING your computer from the remote computer by IP? (You need to check what IP you have after the VPN connection.)
 
Mitul Prajapati (Junior IT Engineer, Author) commented:
All are in the same subnet (192.168.6.0/24)... I can ping selected computers in the main office from the branch office, as we have set a ping restriction to certain computers.

For example:

From a branch office computer, I can ping 5-6 computers of the main office (which are allowed to ping from the external network).

Tom Cieslik (IT Engineer) commented:
Strange. Can you try tracert from your computer connected to the VPN to the computer you're connecting to via RDP? Is it reaching the destination?

Mitul Prajapati (Junior IT Engineer, Author) commented:
From Main Office (Subnet: 192.168.1.0/24)

I can reach the Wi-Fi router and printer only, using the tracert command.


C:\Windows\System32>tracert 192.168.6.254  (Wifi Router)

Tracing route to 192.168.6.254 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.1.1
  2   413 ms   382 ms   402 ms  192.168.6.254



C:\Windows\System32>tracert 192.168.6.150     (Printer)

Tracing route to BRN3C2AF42DE44F [192.168.6.150]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3   462 ms   448 ms   456 ms  BRN3C2AF42DE44F [192.168.6.150]



C:\Windows\System32>tracert 192.168.6.2      (Computer not reachable, but can take a remote)

Tracing route to 192.168.6.2 over a maximum of 30 hops

  1     1 ms     1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.


The same thing happens from the branch office.

Can ping and take certain computers which are allowed by the WatchGuard firewall.

Tom Cieslik (IT Engineer) commented:
It looks like the ICMP protocol is blocked from your network through the VPN.
Try to check the firewall policy and make sure that TCP/UDP port (I believe 7) is open from the VPN to the inside.

Tom Cieslik (IT Engineer) commented:
Can you shut down the firewall on the 192.168.6.2 computer and try to PING it?
I still think this is a local computer restriction.

Mitul Prajapati (Junior IT Engineer, Author) commented:
All the computers in the branch office are PINGING each other without any issue, and I have tried the same thing but had no luck.

For Example:

Ping 192.168.6.1 --> 192.168.6.2  is successful.
Ping 192.168.6.2 --> 192.168.6.1  is successful.
Ping 192.168.6.1 --> 192.168.1.4  is successful. (Main office computer)
Ping 192.168.6.2 --> 192.168.1.5  is successful. (Main office computer)
Ping 192.168.6.2 --> 192.168.1.88  is not successful. (Main office computer, restriction in WatchGuard firewall)

As you said, I need to check the firewall ICMP settings. Do you advise checking the WatchGuard or the Billion router firewall?

Tom Cieslik (IT Engineer) commented:
Definitely. The problem must be on the other site.

Mitul Prajapati (Junior IT Engineer, Author) commented:
I am going to re-check the firewall ICMP settings. Will post back if I find something.

Salute to you, Tom. I really appreciate your response.

If you still want to give me advice, then you are most welcome. I will look in that direction for sure.

Tom Cieslik (IT Engineer) commented:
Check the Incoming filter setup page; I think this is the place where you can define the ICMP protocol to go through.

Page 160

http://au.billion.com/downloads/usermanual/wireless/8920-User_Manual.pdf

n22383 commented:
Are the computers in the branch office connected via a separate domain than the main office? It could be that your PC firewall policies allow for ICMP between trusted devices on the domain, but not from untrusted devices "Public" that do not originate on their network. Can you do a packet capture and watch for the ICMP traffic at the branch office firewall, and then again at the PC you are trying to ping? This will tell you if the packet is reaching the destination. You may have to temporarily disable the firewall on the PC in the branch office you are attempting to ping from the main office. Let us know what you see.

Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Can you ping the computers in the main office from the branch office computers?

WatchGuard also has an IP block list; I doubt this is the issue, though.
Why don't you use an any rule to troubleshoot?

Allow all traffic between both sites on all ports temporarily to see if this resolves the issue, then work it from here.

Rob Williams commented:
Default Windows firewall rules allow for pings from local subnet, but no others.  You will need to add remote subnets or set to "public" (i.e. all)

Tom Cieslik (IT Engineer) commented:
Rob, he said he can ping printers over VPN but not computers.

Rob Williams commented:
Printers are not affected by Windows firewall.  I am referring to the remote PCs one is trying to ping.

Mitul Prajapati (Junior IT Engineer, Author) commented:
Hi Rob,

Main office network        192.168.1.0/24
Branch office network    192.168.6.0/24

Both the main and branch offices have the same subnet /24 in terms of CIDR value, but are practically in different subnets. What needs to be set to Public? Do you mean the network adapter connection?

Could you elaborate a little on your answer, please?

Rob Williams commented:
If you are trying to ping the branch office computers from the main office and it is failing, you may need to add the 192.168.1.0/24 subnet (not subnet mask) to the branch office PCs' Windows firewall exception.  However, why do you need to ping them?
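
Rob's point about the Windows firewall scope, as an added example that is not part of the original thread: a PowerShell check, run elevated on a branch office PC, that shows which remote addresses the built-in ICMPv4 echo rule accepts and then allows echo requests from the main office subnet only. It assumes Windows 8/Server 2012 or later (NetSecurity module), the English display name of the built-in rule, and that Windows Firewall is the host firewall in effect; the new rule's name is made up for the example, and a third-party product such as Symantec keeps its own rule set.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on a branch office PC (192.168.6.0/24).
$MainOfficeSubnet = '192.168.1.0/24'   # main office subnet, as given in the thread

# 1. Which firewall profile applies to each connection, and is it enabled?
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled

# 2. Show the built-in ICMPv4 echo rules and the remote addresses they accept.
#    A RemoteAddress of LocalSubnet means echo requests arriving from
#    192.168.1.0/24 do not match the rule.
#    Assumption: English display name of the built-in rule.
$builtIn = 'File and Printer Sharing (Echo Request - ICMPv4-In)'
Get-NetFirewallRule -DisplayName $builtIn -ErrorAction SilentlyContinue |
    ForEach-Object {
        $scope = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Profile       = $_.Profile
            Enabled       = $_.Enabled
            Action        = $_.Action
            RemoteAddress = $scope.RemoteAddress -join ', '
        }
    } | Format-Table -AutoSize

# 3. Allow echo requests (ICMPv4 type 8) from the main office subnet only,
#    instead of widening the built-in rule to any address.
$ruleName = 'Allow ICMPv4 echo from main office (example)'   # hypothetical name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $MainOfficeSubnet `
        -Profile Any -Action Allow | Out-Null
}

# 4. From a main office PC, compare ICMP with TCP 3389 to the same host.
#    RDP succeeding while ping fails points at host filtering, not the tunnel.
#    (Test-NetConnection -ComputerName 192.168.6.2).PingSucceeded
#    (Test-NetConnection -ComputerName 192.168.6.2 -Port 3389).TcpTestSucceeded
```

Scoping the new rule to the one remote subnet keeps the branch PCs silent to echo requests from any other network.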

Mitul Prajapati (Junior IT Engineer, Author) commented:
I got your point, but at the branch office Windows firewall is already off, and I have installed Symantec antivirus software in all branch offices and the main office as well.

Sometimes I need to troubleshoot the branch office computers, so I want to check the computer connection by pinging before giving them a call. Although, I am able to take remote control of the branch office computer without any issue.

Rob Williams commented:
If you can RDP to a PC then it is not a VPN issue but a firewall issue, whether Windows or Symantec.

Mitul Prajapati (Junior IT Engineer, Author) commented:
Ok.  I will try to change the firewall settings and check for the ping.

Tom Cieslik (IT Engineer) commented:
Mitul, can you please go back and let us know if your issue was resolved? If yes, please close this question, and if some of the advice was useful for you, please award points.