Unable to access hosts behind SonicWall firewall when connected through GVC
10/27/2022
Description
This article lists troubleshooting steps to use if a remote user is unable to access any of the computers behind the SonicWall after establishing a connection via the Global VPN Client (GVC) and after the SonicWall virtual adapter has obtained an IP address.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:
- DHCP Lease for GVC Client
- VPN Access List
- Default Gateway
- Client PC Network
- NAT Traversal
- Overlapping network
- Intermittent pings
- Multiple NICs on the computer behind the SonicWall.
- Global VPN Client software version
DHCP Lease for GVC Client
The GVC client must be assigned a valid IP address to be able to communicate with internal resources. Ensure that the Virtual Adapter is set to "DHCP Lease" or "DHCP Lease or Manual Configuration". DHCP over VPN must also be configured as described below so that the client is assigned an IP address.
- Log in to the SonicWall management interface.
- Navigate to Network|IPSec VPN|Rules and Settings.
- Edit the WAN GroupVPN Policy.
- Under the Client tab, make sure Virtual Adapter Settings is set to "DHCP Lease" or "DHCP Lease or Manual Configuration".
Configure the DHCP over VPN
- Navigate to Network|IPSec VPN|DHCP over VPN.
- The Gateway should be set to Central.
- Click the Configure button.
- Select the appropriate option depending on the environment.
Use internal DHCP server: Enables the SonicWall to be the DHCP server for either the Global VPN Client connections to this SonicWall or for Remote firewall connections via VPN. For this example we would only be concerned with Global VPN Client (GVC).
Send DHCP requests to the server addresses listed below: Enables the SonicWall to forward DHCP requests to the server indicated below in the IP Address Field.
Relay IP Address (Optional): If set, this is used as the DHCP Relay Agent IP address in place of this SonicWall's LAN IP address. This address is only used when no Relay IP Address has been set on the Remote Gateway, and must be reserved in the DHCP scope on the DHCP server.
VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.
- Log in to the SonicWall management interface.
- Click Device in the top navigation menu.
- Navigate to Users | Local Users & Groups and edit either the Local user or Local Group, to see the VPN Access tab.
Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.
Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping each other. Check whether there are any detrimental static routes on the host you are pinging.
NAT Traversal
A variety of issues related to the client PC, the network environment of the client, the ISP connecting either side, or firewall software on the client can cause problems with connectivity. You can, in some cases, work around these network environments by making sure that the NAT-Traversal checkbox is enabled on the SonicWall's IPSec VPN | Advanced screen. This allows the firewall and the Global VPN Client to use encapsulation: the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs a configuration change to allow IPSec pass-through or IKE pass-through.
Overlapping network
Check that the network you are connecting from and the network behind the SonicWall are not identical. For example, if you are in the 192.168.1.x/24 network, have connected to the SonicWall via the GVC, and have obtained the virtual IP address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
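The collision described above can be checked before connecting. The following is an added example, not SonicWall code: it compares the remote user's local interface subnets with the networks behind the firewall and also reports partial overlaps (such as a /16 home network that contains the remote /24), which goes beyond the identical /24 case in the text. Interface names and addresses are constructed sample values.

```python
import ipaddress

def find_overlaps(client_ifaces, remote_networks):
    """Return (iface, local net, remote net, kind) for every address collision.

    client_ifaces:   {name: "addr/prefix"} for the remote user's physical NICs.
    remote_networks: CIDR strings for the networks behind the firewall.
    """
    hits = []
    for name, cidr in client_ifaces.items():
        local = ipaddress.ip_interface(cidr).network
        for r in remote_networks:
            remote = ipaddress.ip_network(r)
            if local.version != remote.version or not local.overlaps(remote):
                continue
            # Two overlapping CIDR blocks are always equal or nested.
            if local == remote:
                kind = "identical"
            elif local.subnet_of(remote):
                kind = "local inside remote"
            else:
                kind = "remote inside local"
            hits.append((name, str(local), str(remote), kind))
    return hits

def virtual_ip_on_local_lan(client_ifaces, virtual_ip):
    """Names of physical NICs whose subnet already contains the VPN virtual IP."""
    vip = ipaddress.ip_address(virtual_ip)
    return [name for name, cidr in client_ifaces.items()
            if vip in ipaddress.ip_interface(cidr).network]

# Constructed sample: home Wi-Fi on 192.168.1.0/24, same range as the remote LAN.
CLIENT = {"Wi-Fi": "192.168.1.50/24"}
REMOTE = ["192.168.1.0/24", "10.10.0.0/16"]

if __name__ == "__main__":
    for hit in find_overlaps(CLIENT, REMOTE):
        print("overlap:", hit)
    print("virtual IP lands on:", virtual_ip_on_local_lan(CLIENT, "192.168.1.27"))
```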
Intermittent pings
At times the ping test returns one reply followed by Request timed out. This could be caused by the following reasons.
Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.
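The Default Gateway, Client PC Network and Multiple NICs checks above all come down to one question: through which gateway and NIC does the internal host send its replies to the VPN client? The following added example (not SonicWall code) applies longest-prefix-match route selection to a copy of the host's routing table and flags replies that do not go back through the firewall. The table, interface names and addresses are constructed, and the route format is an assumption.

```python
import ipaddress

def select_route(routes, dest):
    """Pick the route a host would use: longest prefix first, then lowest metric."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["dest"])]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r["dest"]).prefixlen, r["metric"]))

def check_return_path(routes, vpn_client_ip, firewall_lan_ip):
    """Classify where replies to the VPN client leave the host.

    'ok'         reply goes to the firewall as gateway, or on-link on the NIC
                 that shares the firewall's subnet
    'wrong-path' reply leaves via another gateway or NIC
    'no-route'   no route matches at all
    """
    fw = ipaddress.ip_address(firewall_lan_ip)
    fw_nics = {r["iface"] for r in routes
               if r["gateway"] == "on-link" and fw in ipaddress.ip_network(r["dest"])}
    route = select_route(routes, vpn_client_ip)
    if route is None:
        return "no-route", None
    via_fw = route["gateway"] == firewall_lan_ip
    on_fw_lan = route["gateway"] == "on-link" and route["iface"] in fw_nics
    return ("ok" if via_fw or on_fw_lan else "wrong-path"), route

# Constructed table of a dual-homed server: NIC1 faces the firewall LAN
# (firewall at 192.168.10.1), NIC2 faces a second router with a better metric.
DUAL_HOMED = [
    {"dest": "0.0.0.0/0", "gateway": "10.20.0.1", "iface": "NIC2", "metric": 10},
    {"dest": "0.0.0.0/0", "gateway": "192.168.10.1", "iface": "NIC1", "metric": 25},
    {"dest": "192.168.10.0/24", "gateway": "on-link", "iface": "NIC1", "metric": 0},
    {"dest": "10.20.0.0/24", "gateway": "on-link", "iface": "NIC2", "metric": 0},
]

if __name__ == "__main__":
    # Constructed VPN client virtual IP from a separate pool.
    print(check_return_path(DUAL_HOMED, "192.168.50.27", "192.168.10.1"))
```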
Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.
Please refer to the KB article Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:
- DHCP Lease for GVC Client
- VPN Access List
- Default Gateway
- Client PC Network
- NAT Traversal
- Overlapping network
- Intermittent pings
- Multiple NICs on the computer behind the SonicWall.
- Global VPN Client software version
DHCP Lease for GVC Client
The GVC client must be assigned a valid IP address to be able to communicate with internal resources. Ensure that the Virtual Adapter is set to "DHCP Lease" or "DHCP Lease or Manual Configuration". DHCP over VPN must also be configured as described below so that the client is assigned an IP address.
- Log in to the SonicWall management interface.
- Navigate to Manage|VPN|Base setting.
- Edit the WAN GroupVPN Policy.
- Under the Client tab, make sure Virtual Adapter Settings is set to "DHCP Lease" or "DHCP Lease or Manual Configuration".
Configure the DHCP over VPN
- Navigate to Manage|VPN|DHCP over VPN.
- The Gateway should be set to Central.
- Click the Configure button.
- Select the appropriate option depending on the environment.
Use internal DHCP server: Enables the SonicWall to be the DHCP server for either the Global VPN Client connections to this SonicWall or for Remote firewall connections via VPN. For this example we would only be concerned with Global VPN Client (GVC).
Send DHCP requests to the server addresses listed below: Enables the SonicWall to forward DHCP requests to the server indicated below in the IP Address Field.
Relay IP Address (Optional): If set, this is used as the DHCP Relay Agent IP address in place of this SonicWall's LAN IP address. This address is only used when no Relay IP Address has been set on the Remote Gateway, and must be reserved in the DHCP scope on the DHCP server.
VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by hovering over the VPN Access column for the user in question in the SonicWall's Users | Local Users & Groups page. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.
- Log in to the SonicWall management interface.
- Click Manage in the top navigation menu.
- Navigate to Users | Local Users & Groups and edit either the Local user or Local Group, to see the VPN Access tab.
Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.
Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping each other. Check whether there are any detrimental static routes on the host you are pinging.
NAT Traversal
A variety of issues related to the client PC, the network environment of the client, the ISP connecting either side, or firewall software on the client can cause problems with connectivity. You can, in some cases, work around these network environments by making sure that the NAT-Traversal checkbox is enabled on the SonicWall's VPN | Advanced screen. This allows the firewall and the Global VPN Client to use encapsulation: the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs a configuration change to allow IPSec pass-through or IKE pass-through.
Overlapping network
Check that the network you are connecting from and the network behind the SonicWall are not identical. For example, if you are in the 192.168.1.x/24 network, have connected to the SonicWall via the GVC, and have obtained the virtual IP address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
Intermittent pings
At times the ping test returns one reply followed by Request timed out. This could be caused by the following reasons.
Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.
Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.
Please refer to the KB article Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer, we suggest upgrading to the latest general release of SonicOS 6.5 firmware.
Before starting to troubleshoot make sure the Global VPN Client connection shows a status of Connected and try pinging the IP addresses of computers behind the firewall or the SonicWall LAN IP address (X0 IP). If the pings do not get a reply try the following:
- VPN Access List
- VPN Terminated at
- Default Gateway
- Client PC Network
- NAT Traversal
- Overlapping network
- Intermittent pings
- Multiple NICs on the computer behind the SonicWall.
- Global VPN Client software version
VPN Access List
If using SonicOS Enhanced firmware the first place to check would be VPN Access permissions of users. Ensure that one of the following Network Address Objects is defined in the users' VPN access permissions: LAN subnets, LAN Primary Subnet, X0 Subnet, or Firewalled Subnets or, at the least, the address object of the IP address of the computer you are pinging. You can check this by mousing over the VPN Access column for the user in question in the SonicWall's Users - Local Users screen. Access permissions can be assigned and/or inherited via User Group Memberships. All Local users are, by default, members of the Trusted Users and Everyone groups.
- In the SonicWall Management interface, navigate to Users | Local Users or Users | Local Groups and edit either the user or the group, to see the VPN Access tab.
VPN Terminated at
If you are using SonicOS Standard, the GroupVPN Policy allows termination on different physical interfaces of the firewall (LAN, WLAN, OPT). Make sure that your configuration allows you access to the area you are trying to reach. By default, this termination is set to LAN only.
- In the SonicWall Management interface go to the VPN | Settings page and edit the GroupVPN policy to see the VPN Access tab.
Default Gateway
One of the most common reasons for not being able to access computers on the LAN/DMZ is when the default gateways on the PCs behind the firewall are not set to the SonicWall LAN/DMZ IP address.
Client PC Network
Routing issues in the internal network may also be causing the problem. Check whether local PCs are able to ping each other. Check whether there are any detrimental static routes on the host you are pinging.
NAT Traversal
A variety of issues related to the client PC, the network environment of the client, the ISP connecting either side, or firewall software on the client can cause problems with connectivity. You can, in some cases, work around these network environments by making sure that the NAT-Traversal checkbox is enabled on the SonicWall's VPN | Advanced screen. This allows the firewall and the Global VPN Client to use encapsulation: the VPN traffic on the ESP protocol (nicknamed IPSec, IP protocol #50) is wrapped inside a UDP port 500 or port 4500 packet. Sometimes a home firewall on the client side needs a configuration change to allow IPSec pass-through or IKE pass-through.
Overlapping network
Check that the network you are connecting from and the network behind the SonicWall are not identical. For example, if you are in the 192.168.1.x/24 network, have connected to the SonicWall via the GVC, and have obtained the virtual IP address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
Intermittent pings
At times the ping test returns one reply followed by Request timed out. This could be caused by the following reasons.
Multiple NICs on the computer behind the SonicWall
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.
Global VPN Client software version
Finally, check the GVC version you are using. If you are running Windows 2000 Professional, any variant of Windows XP or Windows Vista, install the latest release of Global VPN Client. If you are running something older, and wish to upgrade, make sure that the older version is uninstalled completely.
Please refer to the KB article Installing or uninstalling Global VPN Client (GVC) and click here to get the GVC clean-up tool. Restart the computer and install the latest version of the GVC.