This article lists various troubleshooting steps you can employ if a remote user is unable to access any of the computers behind the SonicWall after establishing a connection via the Global VPN Client (GVC) and the SonicWall virtual adapter has obtained an IP address.
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Before starting to troubleshoot, make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply, try the following:
DHCP Lease for GVC Client
The GVC client must be assigned a valid IP address to be able to communicate with internal resources. Ensure that the Virtual Adapter setting is either DHCP Lease or DHCP Lease or Manual Configuration. DHCP over VPN must also be configured, as mentioned below, so that the client is assigned an IP address.
Configure the DHCP over VPN
VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.
Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.
Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping each other. Check whether there are any detrimental static routes on the host you are pinging.
NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's IPSec VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.
Overlapping network
Check that the network you are connecting from and the network behind the SonicWall do not use the same address range. For example, if you are in the 192.168.1.x/24 network, have connected to the SonicWall via the GVC, and have obtained a virtual IP address of 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
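The VPN Access List and overlapping-network checks described above, applied to one unreachable target. This is an added example, not SonicWall code: the function name, the finding codes and every address other than the 192.168.1.x case are constructed for illustration, and address objects are modelled as plain CIDR lists.

```python
import ipaddress

def triage(target, vpn_access, client_local, virtual_adapter):
    """Explain why `target` may be unreachable over a connected GVC tunnel.

    target          -- IP address of the host being pinged
    vpn_access      -- CIDRs standing in for the user's VPN Access objects
    client_local    -- "ip/prefix" of each physical NIC on the remote PC
    virtual_adapter -- "ip/prefix" leased to the virtual adapter, or None
    Returns a list of (code, detail) findings; an empty list means these
    checks pass and the fault is more likely gateway or routing on the LAN.
    """
    findings = []
    ip = ipaddress.ip_address(target)

    if virtual_adapter is None:
        findings.append(("NO_LEASE", "virtual adapter has no address"))

    # VPN Access List: the target must fall inside at least one permitted object.
    permitted = [ipaddress.ip_network(n, strict=False) for n in vpn_access]
    if not any(ip in net for net in permitted):
        findings.append(("NOT_IN_VPN_ACCESS", f"{ip} not in {vpn_access}"))

    # Overlapping network: the target also belongs to a network the client is
    # directly attached to, so it is ambiguous with the client's own LAN.
    # Prefix lengths need not match (a local /16 still swallows a remote /24).
    for nic in client_local:
        local = ipaddress.ip_interface(nic).network
        if ip in local:
            findings.append(("OVERLAPPING_NETWORK", f"{ip} is inside local {local}"))
    return findings

if __name__ == "__main__":
    # Constructed cases; the first mirrors the 192.168.1.x/24 example above.
    cases = [
        ("192.168.1.10", ["192.168.1.0/24"], ["192.168.1.50/24"], "192.168.1.27/24"),
        ("10.0.5.9", ["10.0.0.0/24"], ["192.168.1.50/24"], "10.0.0.200/24"),
        ("10.0.0.9", ["10.0.0.0/24"], ["172.16.4.20/16"], "10.0.0.200/24"),
    ]
    for case in cases:
        print(case[0], triage(*case) or "no finding")
```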
Intermittent pings
At times the ping test returns one reply followed by Request timed out. This could be caused by the following reasons.
EXAMPLE: X0 and X2 are both connected to the same switch without VLAN.
Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to the SonicWall. Try disabling the second NIC and check.
Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.
Please refer to the KB article Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Before starting to troubleshoot, make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply, try the following:
DHCP Lease for GVC Client
The GVC client must be assigned a valid IP address to be able to communicate with internal resources. Ensure that the Virtual Adapter setting is either DHCP Lease or DHCP Lease or Manual Configuration. DHCP over VPN must also be configured, as mentioned below, so that the client is assigned an IP address.
Configure the DHCP over VPN
VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.
Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.
Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping each other. Check whether there are any detrimental static routes on the host you are pinging.
NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.
Overlapping network
Check that the network you are connecting from and the network behind the SonicWall do not use the same address range. For example, if you are in the 192.168.1.x/24 network, have connected to the SonicWall via the GVC, and have obtained a virtual IP address of 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
Intermittent pings
At times the ping test returns one reply followed by Request timed out. This could be caused by the following reasons.
EXAMPLE: X0 and X2 are both connected to the same switch without VLAN.
Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to the SonicWall. Try disabling the second NIC and check.
Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.
Please refer to the KB article Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Before starting to troubleshoot, make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply, try the following:
VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, LAN Primary Subnet, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by mousing over the VPN Access column for the user in question in the SonicWall's Users - Local Users screen. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.
VPN Terminated at
If you are using SonicOS Standard, the GroupVPN Policy allows termination on different physical interfaces of the firewall (LAN, WLAN, OPT). Make sure that your configuration allows you access to the area you are trying to reach. By default, this termination is set to LAN only.
Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.
Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping each other. Check whether there are any detrimental static routes on the host you are pinging.
NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.
Overlapping network
Check that the network you are connecting from and the network behind the SonicWall do not use the same address range. For example, if you are in the 192.168.1.x/24 network, have connected to the SonicWall via the GVC, and have obtained a virtual IP address of 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
Intermittent pings
At times the ping test returns one reply followed by Request timed out. This could be caused by the following reasons.
EXAMPLE: X0 and X2 are both connected to the same switch without VLAN.
Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to the SonicWall. Try disabling the second NIC and check.
Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.
Please refer to the KB article Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.