Unable to access hosts behind SonicWall firewall when connected through GVC

Description

This article lists various troubleshooting steps you can employ If a remote user is unable to access any of the computers behind the SonicWall after establishing a connection via the Global VPN Client (GVC) and the SonicWall virtual adapter has obtained an IP address.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:

  • DHCP Lease for GVC Client
  • VPN Access List
  • Default Gateway
  • Client PC Network
  • NAT Traversal
  • Overlapping network
  • Intermittent pings
  • Multiple NICs on the computer behind the SonicWall.
  • Global VPN Client software version

DHCP Lease for GVC Client

The GVC client should be assigned with a valid IP address to be able to communicate to the internal resources. Ensure that the Virtual Adapter is set to DHCP Lease/DHCP Lease or Manual Configuration. Along with which the DHCP over VPN should also be configured as mentioned below so that the client is assigned with an IP address.

  • Login to the SonicWall management interface 
  • Navigate to Network|IPSec VPN|Rules and Settings.
  • Edit the WAN GroupVPN Policy.
  • Under the Client Tab, make sure the Virtual Adapter Settings is set to DHCP Lease/DHCP Lease or Manual Configuration.


Image
Configure the DHCP over VPN 

  • Navigate to Network|IPSec VPN|DHCP over VPN.
  • The Gateway should be set to Central.
  • Click on Configure button.
  • Select the appropriate option depending on the environment.
    Use internal DHCP server: Enables the SonicWall to be the DHCP server for either the Global VPN Client connections to this SonicWall or for Remote firewall connections via VPN.  For this example we would only be concerned with Global VPN Client (GVC).
    Send DHCP requests to the server addresses listed below: Enables the SonicWall to forward DHCP requests to the server indicated below in the IP Address Field.

    NOTE: Enables the SonicWall to forward DHCP requests to the server indicated below in the IP Address Field.

    Relay IP Address (Optional): If set, this is used as the DHCP Relay Agent IP address in place of this SonicWall's LAN IP address. This address is only used when no Relay IP Address has been set on the Remote Gateway, and must be reserved in the DHCP scope on the DHCP server.

    Image



VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnetsX0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.

  • Login to SonicWall management interface.
  • Click Device in the top navigation menu.
  • Navigate to Users | Local Users & Groups and edit either the Local user or Local Group, to see the VPN Access tab.
    Image


Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.

Client PC Network:
 Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping to each other. Check whether there are any detrimental static routes in the host you are pinging.

NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's IPSec VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.

Image

Overlapping network
Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For eg. if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual ip address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.

Intermittent pings
At times the ping test return one reply followed by request timed-out. This could be caused by following reasons.

  • The VPN Access List contains incorrect objects like, All Interfaces IP or LAN/DMZ Interface IP.
  • There are interface configured in a loop. 

     EXAMPLE:  X0 and X2 are both connected to same switch without VLAN.

  • The virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.

Multiple NICs on the computer behind the SonicWall
 If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.

Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.

Please refer KB Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:

  • DHCP Lease for GVC Client
  • VPN Access List
  • Default Gateway
  • Client PC Network
  • NAT Traversal
  • Overlapping network
  • Intermittent pings
  • Multiple NICs on the computer behind the SonicWall.
  • Global VPN Client software version

DHCP Lease for GVC Client

The GVC client should be assigned with a valid IP address to be able to communicate to the internal resourcesEnsure that the Virtual Adapter is set to DHCP Lease/DHCP Lease or Manual Configuration. Along with which the DHCP over VPN should also be configured as mentioned below so that the client is assigned with an IP address.

  • Login to the SonicWall management interface 
  • Navigate to Manage|VPN|Base setting.
  • Edit the WAN GroupVPN Policy.
  • Under the Client Tab, make sure the Virtual Adapter Settings is set to DHCP Lease/DHCP Lease or Manual Configuration.

    Image



Configure the DHCP over VPN 

  • Navigate to Manage|VPN|DHCP over VPN.
  • The Gateway should be set to Central.
  • Click on Configure button.
  • Select the appropriate option depending on the environment.
    Use internal DHCP server: Enables the SonicWall to be the DHCP server for either the Global VPN Client connections to this SonicWall or for Remote firewall connections via VPN.  For this example we would only be concerned with Global VPN Client (GVC).
    Send DHCP requests to the server addresses listed below: Enables the SonicWall to forward DHCP requests to the server indicated below in the IP Address Field.

     NOTE: Enables the SonicWall to forward DHCP requests to the server indicated below in the IP Address Field.

    Relay IP Address (Optional): If set, this is used as the DHCP Relay Agent IP address in place of this SonicWall's LAN IP address. This address is only used when no Relay IP Address has been set on the Remote Gateway, and must be reserved in the DHCP scope on the DHCP server.


VPN Access List
 If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnetsX0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.

  • Login to SonicWall management interface.
  • Click Manage in the top navigation menu.
  • Navigate to Users | Local Users & Groups and edit either the Local user or Local Group, to see the VPN Access tab.
    Image


Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.

Client PC Network:
 Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping to each other. Check whether there are any detrimental static routes in the host you are pinging.

NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.

Image

Overlapping network
Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For eg. if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual ip address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.

Intermittent pings
At times the ping test return one reply followed by request timed-out. This could be caused by following reasons.

  • The VPN Access List contains incorrect objects like, All Interfaces IP or LAN/DMZ Interface IP.
  • There are interface configured in a loop.

    EXAMPLE:  X0 and X2 are both connected to same switch without VLAN.

  • The virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.

Multiple NICs on the computer behind the SonicWall
 If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.

Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.

Please refer KB Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.


Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:

  • VPN Access List
  • VPN Terminated at
  • Default Gateway
  • Client PC Network
  • NAT Traversal
  • Overlapping network
  • Intermittent pings
  • Multiple NICs on the computer behind the SonicWall.
  • Global VPN Client software version


VPN Access List:
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, LAN Primary Subnet, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by mousing over the VPN Access column for the user in question in the SonicWall's Users - Local Users screen. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.

  • In the SonicWall Management interface, navigate to Users | Local Users or Users | Local Groups and edit either the user or the group, to see the VPN Access tab.
    Image


VPN Terminated at
If you are using SonicOS Standard, the GroupVPN Policy allows termination on different physical interfaces of the firewall (LAN, WLAN, OPT). Make sure that your configuration allows you access to the area you are trying to go. By Default, this termination is set to LAN only.

  • In the SonicWall Management interface go to the VPN | Settings page and edit the GroupVPN policy to see the VPN Access tab.


Default Gateway
 One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.

Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping to each other. Check whether there are any detrimental static routes in the host you are pinging.

NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.

Image


Overlapping network
 Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For eg. if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual ip address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP Address of a different interface.

Intermittent pings:
At times the ping test return one reply followed by request timed-out. This could be caused by following reasons.

  • The VPN Access List contains incorrect objects like, All Interfaces IP or LAN/DMZ Interface IP.
  • There are interface configured in a loop.

    EXAMPLE:X0 and X2 are both connected to same switch without VLAN.

  • The virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.

Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.

Global VPN Client software version: Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.

Please refer KB Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.

Related Articles

  • Using 31-Bit Prefixes on IPv4 Address Error: Index of the interface: Invalid IP Address
    Read More
  • How to block a website using CFS 4.0 CLI commands
    Read More
  • How to Configure Wire / Tap mode in SonicOS
    Read More

Categories

Firewalls
NSv Series
GVC/L2TP
Firewalls
NSa Series
GVC/L2TP
Firewalls
TZ Series
GVC/L2TP
not finding your answers?
Ask the Community
was this article helpful?
YesNo