Mitul Prajapati
asked on
VPN, Ping Problem
Hi All,
My company Scenario:
I have connected the branch office to main office using VPN.
Main office is running under a domain environment and using a WatchGuard as a firewall.
Branch office is running in a workgroup environment and using a Billion VPN Wi-Fi router.
VPN has been set up between the WatchGuard firewall (XTM26) and the Billion Wi-Fi router (BiPAC 8920nz).
VPN is working fine. I am able to take remote of all the computers located in the branch office using "Microsoft Remote Desktop" from the main office.
Problem:
I am not able to ping any of the branch office computers. I can ping the branch office Wi-Fi router and network printer only. What could be the reason?
ASKER
Hi Tom,
Thank you for getting back to my question soon.
I have already checked the file and printer sharing service on all the computers in the branch office. They can all PING each other without any issue.
Hm... you said you can ping printers inside this network; are they connected to the same subnet/switch as the computers?
Can you try to PING your computer from the remote computer by IP? (You need to check what IP you have after the VPN connection.)
ASKER
All are in the same subnet (192.168.6.0/24)... I can ping selected computers in the main office from the branch office, as we have set a ping restriction to certain computers.
For example:
From a branch office computer, I can ping 5-6 computers of the main office (which are allowed to be pinged from an external network).
Strange, can you try tracert from your computer connected to the VPN to the computer you're connecting to via RDP? Is it reaching the destination?
ASKER
From Main Office (Subnet : 192.168.1.0/24)
I can reach the Wi-Fi router and printer only, using the tracert command.
C:\Windows\System32>tracert 192.168.6.254 (Wifi Router)
Tracing route to 192.168.6.254 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.1.1
2 413 ms 382 ms 402 ms 192.168.6.254
C:\Windows\System32>tracert 192.168.6.150 (Printer)
Tracing route to BRN3C2AF42DE44F [192.168.6.150]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 192.168.1.1
2 * * * Request timed out.
3 462 ms 448 ms 456 ms BRN3C2AF42DE44F [192.168.6.150]
C:\Windows\System32>tracert 192.168.6.2 (Computer not reachable, but can take a remote)
Tracing route to 192.168.6.2 over a maximum of 30 hops
1 1 ms 1 ms <1 ms 192.168.1.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
The same thing happens from the branch office.
Can ping and take remote of certain computers which are allowed by the WatchGuard firewall.
Can you shut down the firewall on the 192.168.6.2 computer and try to PING it?
I still think this is a local computer restriction.
ASKER
All the computers in the branch office are PINGING each other without any issue, and I have tried the same thing but had no luck.
For Example:
Ping 192.168.6.1 --> 192.168.6.2 is successful.
Ping 192.168.6.2 --> 192.168.6.1 is successful.
Ping 192.168.6.1 --> 192.168.1.4 is successful. (Main office computer)
Ping 192.168.6.2 --> 192.168.1.5 is successful. (Main office computer)
Ping 192.168.6.2 --> 192.168.1.88 is not successful. (Main office computer, restriction in WatchGuard firewall)
As you said, I need to check the firewall ICMP settings. Do you advise checking the WatchGuard or the Billion router firewall?
Definitely. The problem must be on the other site.
ASKER
I am going to re-check the firewall ICMP settings. Will post back if I find something.
Salute to you, Tom. I really appreciate your response.
If you still want to give me advice, then you are most welcome. I will look in that direction for sure.
Check the Incoming filter setup page; I think this is the place where you can allow the ICMP protocol to go through.
Page 160
http://au.billion.com/downloads/usermanual/wireless/8920-User_Manual.pdf
Are the computers in the branch office connected via a separate domain than the main office? It could be that your PC firewall policies allow ICMP between trusted devices on the domain, but not from untrusted "Public" devices that do not originate on their network. Can you do a packet capture and watch for the ICMP traffic at the branch office firewall, and then again at the PC you are trying to ping? This will tell you if the packet is reaching the destination. You may have to temporarily disable the firewall on the PC in the branch office you are attempting to ping from the main office. Let us know what you see.
Can you ping the computers in the main office from the branch office computers?
WatchGuard also has an IP block list; I doubt this is the issue though.
Why don't you use an any rule to troubleshoot?
Allow all traffic between both sites on all ports temporarily to see if this resolves the issue, then work it from there.
Default Windows firewall rules allow pings from the local subnet, but no others. You will need to add remote subnets or set to "public" (i.e. all).
Rob, he said he can ping printers over VPN but not computers.
Printers are not affected by Windows firewall. I am referring to the remote PCs one is trying to ping.
ASKER
Hi Rob,
Main office network 192.168.1.0/24
Branch office network 192.168.6.0/24
Both main and branch office have the same subnet /24 in terms of CIDR value, but practically they are in different subnets. What needs to be set to Public? Do you mean the network adapter connection?
Could you elaborate on your answer a little, please?
If you are trying to ping the branch office computers from the main office and it is failing, you may need to add the 192.168.1.0/24 subnet (not subnet mask) to the branch office PCs' Windows firewall exception. However, why do you need to ping them?
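The check and scope change suggested in the reply above, as an added PowerShell example that is not part of the original thread. It assumes a branch PC running Windows 8 / Server 2012 or later with the built-in NetSecurity cmdlets, an elevated session, and the English display name of the built-in echo-request rule; the subnet and host address are the ones quoted in the thread.

```powershell
# Added example (not from the thread). Run elevated on a branch-office PC.
$MainOffice = '192.168.1.0/24'   # main-office subnet, as given in the thread
$RuleName   = 'File and Printer Sharing (Echo Request - ICMPv4-In)'   # built-in rule, English name assumed

# 1. Which profile does the active connection use, and is the firewall on for it?
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled

# 2. List the inbound echo-request rules with the source scope each one accepts.
#    'LocalSubnet' means pings from 192.168.6.0/24 pass and pings from the VPN peer do not.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Profile       = $_.Profile
        Enabled       = $_.Enabled
        Action        = $_.Action
        RemoteAddress = $addr.RemoteAddress -join ', '
    }
}

# 3. Enable the rules and add the main-office subnet to their scope,
#    keeping whatever scope is already configured instead of opening ICMP to every source.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $current = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($current -contains 'Any') {
        $_ | Enable-NetFirewallRule      # scope already accepts every source
        return                           # next rule
    }
    $scope = @($current + $MainOffice | Select-Object -Unique)
    $_ | Set-NetFirewallRule -RemoteAddress $scope -Enabled True
}

# 4. From a main-office PC, compare ICMP and RDP reachability in one call:
#    Test-NetConnection 192.168.6.2 -Port 3389 | Select-Object PingSucceeded, TcpTestSucceeded
```

If step 1 reports the firewall disabled on every profile, these rules are not what is dropping the echo requests, and the same source-subnet scope has to be checked in whatever third-party endpoint firewall is installed.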
ASKER
I got your point, but at the branch office Windows firewall is already off, and I have installed Symantec antivirus software in all branch offices and the main office as well.
Sometimes I need to troubleshoot the branch office computers, so I wanted to check the computer connection by pinging before giving them a call. Although, I am able to take remote of the branch office computer without any issue.
If you can RDP to a PC then it is not a VPN issue but a firewall issue, whether Windows or Symantec.
ASKER
OK. I will try to change the firewall settings and check the ping.
Mitul, can you please come back and let us know if your issue was resolved? If yes, please close this question, and if some advice was useful for you, please award points.
If you can remote to the computers, make sure that the File and Printer Sharing service is ON on the remote workstation and there is no rule in GPO for firewall settings that is blocking PING.
For a test only, you can turn OFF the firewall on one of the remote computers and check if PING works.