Unable to access hosts behind SonicWall firewall when connected through GVC

08/11/2020 242 32981

DESCRIPTION:

This article lists various troubleshooting steps you can employ If a remote user is unable to access any of the computers behind the SonicWall after establishing a connection via the Global VPN Client (GVC) and the SonicWall virtual adapter has obtained an IP address.

RESOLUTION:

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:

• VPN Access List
• Default Gateway
• Client PC Network
• NAT Traversal
• Overlapping network
• Intermittent pings
• Multiple NICs on the computer behind the SonicWall.
• Global VPN Client software version

VPN Access List
 If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.

• Login to SonicWall management interface.
• Click Device in the top navigation menu.
• Navigate to Users | Local Users & Groups and edit either the Local user or Local Group, to see the VPN Access tab.
  

Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.

Client PC Network:
 Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping to each other. Check whether there are any detrimental static routes in the host you are pinging.

NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's IPSec VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.

Overlapping network
Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For eg. if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual ip address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.

Intermittent pings
At times the ping test return one reply followed by request timed-out. This could be caused by following reasons.

• The VPN Access List contains incorrect objects like, All Interfaces IP or LAN/DMZ Interface IP.
• There are interface configured in a loop. 
  

   EXAMPLE:  X0 and X2 are both connected to same switch without VLAN.

• The virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.

Multiple NICs on the computer behind the SonicWall
 If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.

Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.

Please refer KB Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:

• VPN Access List
• Default Gateway
• Client PC Network
• NAT Traversal
• Overlapping network
• Intermittent pings
• Multiple NICs on the computer behind the SonicWall.
• Global VPN Client software version

VPN Access List
 If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.

• Login to SonicWall management interface.
• Click Manage in the top navigation menu.
• Navigate to Users | Local Users & Groups and edit either the Local user or Local Group, to see the VPN Access tab.
  

Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.

Client PC Network:
 Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping to each other. Check whether there are any detrimental static routes in the host you are pinging.

NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.

Overlapping network
Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For eg. if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual ip address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.

Intermittent pings
At times the ping test return one reply followed by request timed-out. This could be caused by following reasons.

• The VPN Access List contains incorrect objects like, All Interfaces IP or LAN/DMZ Interface IP.
• There are interface configured in a loop.
  

  EXAMPLE:  X0 and X2 are both connected to same switch without VLAN.

• The virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.

Multiple NICs on the computer behind the SonicWall
 If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.

Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.

Please refer KB Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:

• VPN Access List
• VPN Terminated at
• Default Gateway
• Client PC Network
• NAT Traversal
• Overlapping network
• Intermittent pings
• Multiple NICs on the computer behind the SonicWall.
• Global VPN Client software version

VPN Access List:
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, LAN Primary Subnet, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by mousing over the VPN Access column for the user in question in the SonicWall's Users - Local Users screen. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.

• In the SonicWall Management interface, navigate to Users | Local Users or Users | Local Groups and edit either the user or the group, to see the VPN Access tab.
  

VPN Terminated at
If you are using SonicOS Standard, the GroupVPN Policy allows termination on different physical interfaces of the firewall (LAN, WLAN, OPT). Make sure that your configuration allows you access to the area you are trying to go. By Default, this termination is set to LAN only.

• In the SonicWall Management interface go to the VPN | Settings page and edit the GroupVPN policy to see the VPN Access tab.

Default Gateway
 One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.

Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping to each other. Check whether there are any detrimental static routes in the host you are pinging.

NAT Traversal
A variety of issues related to the client PC; the network environment of the client; the ISP connecting either side; or firewall software on the client, can cause problems with connectivity. You can, in some cases, work around network environments by making sure that the SonicWall's VPN | Advanced screen has the NAT-Traversal checkbox enabled. This allows the firewall and the Global VPN client to use encapsulation; the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs to have a configuration changed allowing IPSec pass through or IKE pass through.

Overlapping network
 Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For eg. if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual ip address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP Address of a different interface.

Intermittent pings:
At times the ping test return one reply followed by request timed-out. This could be caused by following reasons.

• The VPN Access List contains incorrect objects like, All Interfaces IP or LAN/DMZ Interface IP.
• There are interface configured in a loop.
  

  EXAMPLE:X0 and X2 are both connected to same switch without VLAN.

• The virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.

Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.

Global VPN Client software version: Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.

Please refer KB Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.