SSL VPN client is connected and authenticated but can't access internal LAN resources

NetExtender / Mobile Connect client is connecting, it receives correct IP however it can't access internal resources (LAN).

The user/group may not have access to LAN subnets or to the resource you're looking for

OR

The SSLVPN IP Pool is in the same subnet as X0. 

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

• Group Membership Check and VPN Access Check
  
  
  1. Login to your SonicWall management page and click Device tab on top of the page.
  2. Navigate to Users | Local Users & Groups page, click Local Groups tab.
  3. Click Members tab and make sure SSLVPN Services group is added under Member Users and Groups.
     
     
     
  4. If it is not part of that group, add SSLVPN Services group under Member Users and Groups as below.
     
     
     
  5. Click VPN Access tab and make sure LAN Subnets is added under Access list.
     
     
     
     
  6. Check if the packets sent to or from the SSLVPN client are dropped as IP Spoof check failed module network. See following KB on  how to configure and utilize the Packet Monitor feature for troubleshooting.
     
     
     

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

• Group Membership check
  1. Login to your SonicWall management page and click Manage tab on top of the page.
  2. Navigate to Users | Local Users & Groups page, click Local Groups tab.
  3. Configure relevant user group to get Edit Group window.
  4. Click Members tab and make sure SSLVPN Services group is added under Member Users and Groups.
     
     
     
     
  5. If it is not part of that group, add SSLVPN Services group under Member Users and Groups as below.
     

• Group VPN Access check
  1. Login to your SonicWall management page and click Manage tab on top of the page.
  2. Navigate to Users | Local Users & Groups page, click Local Groups tab.
  3. Configure SSLVPN Services Group to get Edit Group window.
  4. Click VPN Access tab and make sure LAN Subnets is added under Access list.
     

• If it is not part of that group, add LAN Subnets under Access list as below.
  

• Check if the packets sent to or from the SSLVPN client are dropped as IP Spoof check failed module network
  See following KB on  how to configure and utilize the Packet Monitor feature for troubleshooting

TIP: On Gen6 devices the SSLVPN IP Pool used cannot overlap with any of the subnets used on the SonicWall.

How to Test:

Reconnect to SSL VPN using Net Extender.
Open a command line and try ping any device in LAN from a PC connected via NetExtender - you should receive a response.

If this does not fix your issue please reach out to our support team for additional assistance and let them know you used NetExtender 8.6.265 and the issue persists

1. Online: Visit mysonicwall.com. Once logged in select Resources & Support | Support | Create Case. 

2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.

If you do not have a mysonicwall.com account create one for free!