Site to Site VPN is up between two SonicWall appliances but can only ping the LAN Interface IP
12/20/2019
A Site to Site VPN is running between two SonicWall firewall (UTM) appliances with a valid configuration. From the Main Site, a user can ping anything behind the Remote Site, but from the Remote Site a user can ping only the LAN interface IP address of the SonicWall at the Main Site. Pinging any machine located behind the Main Site SonicWall always returns Request Timed Out or IP Address Not Responding, even though the tunnel is up.
- On the Remote Site, ensure that the address object(s) representing the LAN network of the Main Site are assigned to the VPN zone (Zone Assignment: VPN) and are included in the Destination Network of the SA (VPN policy) created on the Remote Site. An object left in the LAN zone, or a destination network that covers only the firewall's interface address, produces exactly this symptom.
- Check the log on the Main Site for entries indicating that the ping request from the Remote Site was blocked by the IPS category named ICMP. In this case everything else works (RDP, access to specific applications, etc.) except ping to the subnet behind the Main Site, because only ICMP is being dropped. The log entry may look like the following.
If such a log entry exists, follow this step:
- Either disable the particular signature indicated in the log entry (Security Services | Intrusion Prevention page) or add the indicated source IP address to the exclusion list for the IPS category named ICMP. The exclusion list is the narrower fix: disabling the signature removes that IPS check for all traffic through the appliance, while the exclusion applies only to the remote-site addresses you trust.
- Ensure that no static route policy exists on the Remote Site with the destination network set to the subnet behind the Main Site and the gateway set to the LAN interface IP or the default gateway. No static route is needed on either SonicWall when a VPN is configured between two devices: the firewall access rules and the route policy for the tunnel are created automatically, and a manually added route can override them and send the traffic to the wrong next hop instead of into the tunnel.
- Make sure no firewall access rule denies the traffic flowing toward the Main Site with a higher priority than the automatically created access rule for Site to Site VPN traffic. Check both directions: the LAN to VPN rules on the Remote Site and the VPN to LAN rules on the Main Site.
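To decide which of the steps above applies before changing any configuration, it helps to probe the Main Site from the Remote Site with both ICMP and a TCP handshake to a known service. The following is an added example, not code from the SonicWall article: it pings the Main Site LAN interface and the hosts behind it, optionally completes a TCP connection to a service port such as 3389 for RDP, and maps the resulting pattern onto the steps above. Ping failing while TCP succeeds points at the IPS ICMP category (step 2); ping and TCP both failing points at routing or access rules on the Remote Site (steps 3 and 4); the LAN interface itself not answering means the tunnel or SA destination networks need attention (step 1). The addresses, ports and sample results in the demo are constructed for illustration.

```python
"""Triage helper for a site-to-site VPN where only the far LAN interface IP answers ping.

Added example, not part of the SonicWall article. The hosts, ports and the
constructed probe results used in the demo are hypothetical.
"""
import socket
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Probe:
    host: str
    icmp_ok: bool                 # ping reply received
    tcp_ok: Optional[bool] = None  # TCP handshake to a service port; None = not probed


# Verdicts keyed to the troubleshooting steps in the article above.
VERDICTS = {
    "ok": "All hosts behind the Main Site answer ping; nothing to fix.",
    "tunnel": "The Main Site LAN interface does not answer: check the tunnel and the "
              "SA destination networks / VPN zone assignment on the Remote Site (step 1).",
    "ips-icmp": "TCP reaches the hosts but ICMP does not: look for IPS category ICMP "
                "blocks in the Main Site log (step 2).",
    "route-or-acl": "Neither ICMP nor TCP reaches the hosts: check for a static route to "
                    "the Main Site subnet and for access rules above the VPN rule (steps 3 and 4).",
    "inconclusive": "Ping failed and no TCP service was probed; add a known port to tell "
                    "an ICMP-only block from a routing or access-rule problem.",
}


def ping_host(host: str, timeout: float = 2.0) -> bool:
    """Send one ICMP echo via the system ping binary (no raw sockets needed)."""
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout + 3)
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False
    return proc.returncode == 0


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Complete a TCP handshake to a service port (e.g. 3389 for RDP, 445 for SMB)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host: str, tcp_port: Optional[int] = None) -> Probe:
    """Live probe of one host: ICMP always, TCP only when a port is given."""
    return Probe(host, ping_host(host), tcp_open(host, tcp_port) if tcp_port else None)


def diagnose(lan_if: Probe, behind: List[Probe]) -> str:
    """Return the verdict key matching the observed reachability pattern."""
    if not lan_if.icmp_ok:
        return "tunnel"
    failed = [p for p in behind if not p.icmp_ok]
    if not failed:
        return "ok"
    if all(p.tcp_ok is True for p in failed):
        return "ips-icmp"       # only ICMP is dropped on the path to the hosts
    if all(p.tcp_ok is False for p in failed):
        return "route-or-acl"   # nothing reaches the hosts, ICMP is not special
    return "inconclusive"


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # Usage: python triage.py <main-site LAN IF IP> <host[:port]> [<host[:port]> ...]
        lan = probe(sys.argv[1])
        hosts = []
        for spec in sys.argv[2:]:
            host, _, port = spec.partition(":")
            hosts.append(probe(host, int(port) if port else None))
    else:
        # Constructed sample matching the article: LAN IF answers, hosts behind it do not,
        # but RDP to them works, which points at the IPS ICMP category.
        lan = Probe("10.10.0.1", icmp_ok=True)
        hosts = [Probe("10.10.0.20", icmp_ok=False, tcp_ok=True),
                 Probe("10.10.0.21", icmp_ok=False, tcp_ok=True)]
    verdict = diagnose(lan, hosts)
    print(f"{verdict}: {VERDICTS[verdict]}")
```

Run it from a machine on the Remote Site LAN with the Main Site LAN interface IP and a few hosts behind it (`python triage.py 10.10.0.1 10.10.0.20:3389 10.10.0.21:445`); without arguments it prints the verdict for the constructed sample. The TCP probe is what makes the result useful: the article's ICMP-only symptom is indistinguishable from a routing or access-rule problem if you only ping.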