genusys


SonicWall NetExtender Not Allowing Connection to Drive, Global VPN Client Is

I have a TZ400. The Global VPN Client allows me to map a network drive once connected. NetExtender won't connect to the mapped drive. It just sits and tries to connect.
Blue Street Tech

Hi genusys,

You can use the Connection Scripts, which provide you the ability to run batch file scripts when NetExtender connects and/or disconnects. The scripts can be used to map or disconnect network drives and printers, launch applications, or open files or Web sites. NetExtender Connection Scripts can support any valid batch file commands.

Can you ping those servers where the network drive resides? Make sure you have added the LAN Subnet to the VPN routes.

Let me know if you have any other questions!
genusys

ASKER

I cannot ping the server using NetExtender. It has X0 Subnets and I can't add LAN Subnets in the Client Routes because they overlap.
I get a correct IP address. It's a 10.14.0.xxx and I see that.

Yes, they will obviously overlap, so you need to replace X0 Subnets with LAN Subnets. So first remove X0 Subnets, save, then add LAN Subnets.
genusys

ASKER

I changed X0 to LAN Subnets. No difference. When I do an ipconfig /all, the virtual NIC has no Default Gateway, nor does it show the DNS server.

If I connect with the Global VPN Client, it shows Gateway and DNS server. The Global VPN Client gets all config info as if connecting at the office. NetExtender does not. I did notice that the route in the NetExtender window is 10.14.0.0 and the DNS server is 10.14.0.10.

It seems that NetExtender is giving an IP address but nothing else.
ASKER CERTIFIED SOLUTION
Blue Street Tech

This solution is only available to members.
genusys

ASKER

I made the changes as you suggested:

1. Client Routes: Tunnel All: was set to Disabled, turned to Enabled
2. Client Settings: DNS: set to default DNS, Comcast 75.75.75.75 & 75.75.76.76
3. Local User Groups -> SSLVPN Services VPN tab: removed LAN Subnets, added WAN RemoteAccessNetworks

If there is other info needed, I can provide it.

Still no ping of server.

You are testing this outside of your network, right? You can't be connected to the LAN, WLAN or any other Zone and test this, because it won't work otherwise.

If you run ipconfig /all now, you should see a Gateway and DNS in the NetExtender driver & UI. Please confirm.

Let's verify connectivity.
  • Ping 8.8.8.8
  • Test browsing the Internet.
  • Ping other resources in the remote network.
  • Verify Ping is enabled on the server. Go to Windows Firewall and make sure Ping is allowed (there are multiple rules that should allow it).
Report back your results with each.
genusys

ASKER

I am remote and not on any Remote network Zone.
I see DNS, but no Gateway.

1. I can ping 8.8.8.8 and Google.com. (Assume that is from my local NIC connection.)
2. I can browse the Internet. (Assume that is from my local NIC connection.)
3. I cannot ping either the SonicWall or the server connected via NetExtender.
4. I can ping the firewall and server connected w/Global VPN Client.

I think this might be helpful:
When connected via Global VPN Client, I can ping internal (remote network) devices but no Internet sites or IPs.
When connected to NetExtender, I can ping Internet sites and IPs but not internal IPs.

So what I had you set up on the SSL-VPN was Tunnel-All Mode, which means when you are connected to the VPN all traffic is now routed through that associated firewall and uses its associated bandwidth. This is more secure than using a Split Tunnel Mode because there is no security boundary mechanism on your machine, so it would otherwise share both insecure and encrypted connections, allowing for compromise, especially when using an untrusted connection such as an airport, coffee shop, mall, hotel or public WiFi, etc.

So this means that when you read those ping tests, it was sourcing from the remote site's resources and not from your local Internet connection. That test proves traffic is flowing from the remote side and you are able to browse websites and connect to the Internet through its connection.

Not being able to ping the SSL-VPN could just be that Ping is not enabled for that Zone (verify that). As a security Best Practice, Ping should be disabled on all zones unless the source is restricted.

Not being able to ping remote resources could still be a local server firewall issue, since the IP pool is different from the GVC's IP pool and as such the source IP address may be blocked for the SSL-VPN in Windows Firewall. Try disabling Windows Firewall temporarily and then see if you can ping it. Also, can you RDP into the server?

It also sounds like your GVC is not set up correctly either, and there may be a routing issue. Is it in Tunnel-All Mode or Split Mode?
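
The two posts above disagree on whether the 8.8.8.8 pings left through the local NIC or through the tunnel, and on what the virtual adapter was actually assigned. The PowerShell below is an added example, not part of the original thread or of SonicWall's tooling, that answers both from the client's routing table; the adapter description match `SonicWall` is an assumption, and 10.14.0.10 (the DNS server named in the thread) stands in for an internal host.

```powershell
# Added example (not from the thread): show which interface carries each test target.
param(
    # Assumed substring of the NetExtender virtual NIC description; adjust to match yours.
    [string]$AdapterMatch = 'SonicWall',
    # 8.8.8.8 is the thread's Internet test; 10.14.0.10 is the DNS server it names,
    # used here as a stand-in for an internal host.
    [string[]]$Targets = @('8.8.8.8', '10.14.0.10')
)

$vpn = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -match $AdapterMatch -and $_.Status -eq 'Up' } |
    Select-Object -First 1
if (-not $vpn) {
    Write-Warning "No connected adapter matching '$AdapterMatch'."
    return
}

# What the tunnel adapter was handed: address, gateway (blank if none), IPv4 DNS.
$cfg = Get-NetIPConfiguration -InterfaceIndex $vpn.ifIndex
[pscustomobject]@{
    Adapter = $vpn.Name
    IPv4    = $cfg.IPv4Address.IPAddress -join ', '
    Gateway = $cfg.IPv4DefaultGateway.NextHop -join ', '
    Dns     = ($cfg.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses -join ', '
} | Format-List

# For each target, ask the stack which route it would actually pick, then ping.
$results = foreach ($t in $Targets) {
    # Find-NetRoute returns the source address and the route; keep the route object.
    $route = Find-NetRoute -RemoteIPAddress $t |
        Where-Object { $_.DestinationPrefix } |
        Select-Object -First 1
    [pscustomobject]@{
        Target    = $t
        ViaVpn    = ($route.InterfaceIndex -eq $vpn.ifIndex)
        Interface = $route.InterfaceAlias
        Prefix    = $route.DestinationPrefix
        NextHop   = $route.NextHop
        PingReply = (Test-Connection -ComputerName $t -Count 2 -Quiet)
    }
}
$results | Format-Table -AutoSize
```

`ViaVpn` of `True` for 8.8.8.8 means Internet traffic is traversing the tunnel (Tunnel-All); `False` means it is leaving through the local NIC. A target with `ViaVpn` `True` and `PingReply` `False` is being routed into the tunnel and dropped further along, which points at the firewall's access rules or the server's own firewall rather than at client routing.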
genusys

ASKER

I didn't set this SW up.

I tried all suggestions. Nothing changed. Is there a way to reset everything VPN related without resetting the entire firewall?
genusys

ASKER

A SonicWall engineer finally found the issue.

I really appreciate all the help I got!
genusys

ASKER

Thanks for all the help. I put the resolution in a comment. I never would have found it.

Glad I could help; thanks for the points!

What was the fix?