Routing Issues

I am posting this in the Sonicwall forum because all of my routers are Sonicwall, but I don't know if it is specific to Sonicwall.

I have three sites, A, B, and C.  Site A is our main site.  At site A we have a router that was placed there by the state for our connectivity to some of their services (we are a non profit with many state contracts).  So far so good.  All three sites are connected via VPN using tunnel mode.  Site A connects to both B and C and then B and C connect to each other a well for redundancy.

Everyone at Site A can connect to the state web apps.  Everyone at site B can connect to the state web apps, but no one at site C can connect.  I have created address objects (on each router) for the state web apps and an address object group for all of them together.  I created a route at Site A to send all traffic for that address group to go to the state router (which has as its LAN address, an IP on our network).

At Site B, there is a route that says all traffic for the state services goes to the VPN tunnel to site A.  This works perfectly.  At site C the same route is set, but again, no one at site C can access the state web apps.

Using the packet monitor at Site A, I was able to see the traffic from site C.  I set the monitor filter to monitor for the destination IP of the state web app and told it to show only forwarded packets.  Then from site C I tried to reach the web app.  I did see forwarded packets on the site A router.

I am at a loss as to where to look to figure this out, but my assumption is that it is a routing problem.  The people at the state say that they are not blocking any traffic that comes through their router.

I ran the packet monitor and here are some results:

This is on site A.  I set the monitor filter for source IP (the ip address at site c where I am trying to access the state web app) and destination ip is the ip address of the state web app.  As soon as I start the monitor, even before trying to reach the website, get the following in the packet monitor:

1 02/06/2018 19:50:23.656 X0*(i) -- -- -- LLC(0x27) -- -- Received 60[60]
2 02/06/2018 19:50:24.096 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 118[118]
3 02/06/2018 19:50:24.352 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 134[134]
4 02/06/2018 19:50:24.656 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 454[454]
5 02/06/2018 19:50:25.048 X0*(i) -- -- -- LLC(0x0) -- -- CONSUMED 118[118]

This all repeats.

Here is the two lines with the ip addresses:

56 02/06/2018 19:50:31.272 X1*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 CONSUMED 66[66]
57 02/06/2018 19:50:31.272 -- X0* 192.168.251.3 10.243.130.36 IP TCP 51153,443 FORWARDED 66[66]

These two lines repeat a number of times as well in 1653 lines in the packet monitor.

At the same time I had the packet monitor running at site C.  Here it was just filtering for the destination ip address since it is the only computer trying to get to this web app.  Here is the outcome from the same time stamp:

13933 02/06/2018 19:50:31.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 66[66]
13934 02/06/2018 19:50:32.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 66[66]
13935 02/06/2018 19:50:34.352 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51153,443 Received 62[62]
13936 02/06/2018 19:50:38.368 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 66[66]
13937 02/06/2018 19:50:39.384 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 66[66]
13938 02/06/2018 19:50:41.400 X0*(i) -- 192.168.251.3 10.243.130.36 IP TCP 51154,443 Received 62[62]

Any help will be greatly appreciated!
Philip GoldwasserAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Blue Street TechLast KnightCommented:
Hi Philip,

Remove all the custom routes you created for this.

Consumed packets would be "consumed" by internal sources within the firewall. In the remote sites (Site B & C), make sure your Address Object/s for the state web app are set to the VPN Zone. Also, make sure you have added the Site A network as an Address Object. Then create an Address Group, which includes both the Site A network and the web app Address Objects (both have to be set to the VPN Zone). In the existing VPN policy to the Site A, in the Network tab, for the Remote Network, select the Address Group created above.

In Site A, create an Address Object for the web app's Public IP or Private IP address (whichever is used). This Address Object will need to be in the WAN or LAN Zone respectively.Then create a new Address Group, include the Address Object we created above and also add the existing Address Object for the Remote Office network/s. So this Address Group will consist of the remote network and the web app's ip address. In the existing VPN policy to the Remote Office, in the Network tab, for the Local Network, select the Address Group created above. Configure a NAT policy in Site A's firewall to translate traffic coming from the Remote office network to WAN IP going to the web app.

Once the above setup is done, from the Remote Office site visit the web app added in the VPN config. If running packet capture in Remote Office firewall and Site A's firewall, you will notice the traffic getting routed through Site A's firewall to the web app IP address.

Let me know how it goes!
0
Philip GoldwasserAuthor Commented:
I started to do what you suggest, but when I go to the VPN policy, there is no network tab as the VPN is setup as a tunnel interface.  This was done specifically to allow us to route through the VPN.  In your scenario is seems that I may not need to do any routing through the VPN so I can  reconfigure the VPN to be a standard site to site VPN.  Do you concurr?  The only reason we need routing over the VPN is for the state web apps.
0
Philip GoldwasserAuthor Commented:
And BTW, this has been working from site B for years, so I do not know why I cannot get it to work this way from site C.
0
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

Philip GoldwasserAuthor Commented:
Also, I am concerned about the NAT policy at site A.  I also need full connectivity between all sites for local server access.  This NAT policy would need to only allow traffic from a remote site to the state web app.
0
Blue Street TechLast KnightCommented:
I missed that this was a Tunnel Interface VPN...I'm so used to seeing S2S (Site-to-Site) VPNs I overlooked it. My apologies. So, what I provided you was strictly for a S2S VPN; since you have a Route-Based VPN aka Tunnel Interface VPN routes obviously make more sense and was also the reason the network topology configuration is removed from the VPN policy config (as you noted).
0
Philip GoldwasserAuthor Commented:
OK, but this does not explain why it works from one remote site and not the other, or how to get it to work from that other site.
0
Blue Street TechLast KnightCommented:
Again, I'd still double-check and make sure the Address Objects in Site C are set to VPN Zone.
0
Philip GoldwasserAuthor Commented:
They are all set to VPN zone.
0
Philip GoldwasserAuthor Commented:
Thanks for your help, but I was able to solve the issue.  I was able to get access to the state router and found that there was no route back to site C on that router.  It's always the simplest solutions that allude us the most!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Blue Street TechLast KnightCommented:
Sorry, I was not more attentive...my workload exceeded my free time today. I'm glad you got it sorted out! :)
0
Philip GoldwasserAuthor Commented:
I was able to solve on my own
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Routers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.