SW-TZ600: Client can connect to SSLVPN, Can VNC to LAN but not Ping or RDP

by Sam K   Last Updated March 14, 2019 20:00

We have a TZ600 running 6.5.3.1-48n.

I am able to connect to the SSL VPN. The SSL VPN IP Pool is 10.1.15.0/24, the Primary LAN is 10.1.1.0/24.

In the SonicWall NetExtender app under the Routes tab we have the correct routes:

One for the Primary LAN 10.1.1.0 255.255.255.0

One for a secondary LAN that is in its own Zone and Interface 10.1.3.0 255.255.255.0

One for the SSLVPN Pool itself 10.1.15.0 255.255.255.0

In the Windows ROUTE PRINT output I see these routes listed with the correct subnet mask and the correct interface IP address, 10.1.15.2, which is my IP once connected to the SSLVPN.

When I log all ICMP packets in the firewall, packets in both directions are forwarded, not dropped.

When I run a packet capture in the firewall, I can see the packets appear to be forwarded and are listed on the right interfaces.

There is no response, however. If I run Wireshark on each of these endpoints while pinging across, these are the results:

When the VPN user pings a local PC, the local PC will not see those packets and the VPN user will not see the reply.

When the local PC pings the VPN user, the VPN user WILL SEE those packets. However, the local PC does not see a response, and the packets on both ends are shown with '(no response found!)'.

I can VNC from the VPN machine to just about everything in the company using NetBIOS names. I can do DNS lookups against our DNS servers as well. Accessing the local machines via VNC works with IP address, NetBIOS name/hostname or FQDN.

My setup in the SonicWall is as follows:

10.1.15.0/24 is set up as an Address Object in the SSLVPN zone.

The SSLVPN Client settings have client routes to 10.1.1.0/24, 10.1.3.0/24 and 10.1.15.0/24. Tunnel All is disabled. I have set our two DNS servers as well. Enable NetBIOS over SSLVPN is set. The SSLVPN users group has access to those subnets as well. The user I am connecting with is an SSLVPN user and a trusted user.

There is an access rule from 10.1.15.0/24 to 10.1.1.0/24 and 10.1.3.0/24 that allows any traffic.

I am not connecting with an overlapping subnet.

While I can VNC, I cannot RDP.

When I run IPCONFIG /ALL on the VPN PC, no default gateway is listed. I am given an IP address from the SSLVPN pool, it indicates there is no DHCP server, and my subnet mask is 255.255.255.255.

We replaced an NSA240 on which the VPN pool was also in our primary LAN; this was one of the many things we wanted to separate out, and we did not expect it to be so much of a struggle. We rebuilt our config from the ground up based on the old router, making the changes we wanted while keeping all the important stuff. Everything else has been working great. Additionally, I've tried creating routes, establishing 'dummy' versions of the IPs sitting in a different zone, and creating all sorts of access rules in both SSLVPN > LAN and LAN > SSLVPN to allow traffic from the SSLVPN network as a LAN object, as a VPN object, or both, etc., and traffic never hits them, so I've junked them. They were all sort of hail-mary attempts outside of the best-practices documentation.

My best guess at this point is that even though the VPN client has a 'route' that is correct, the traffic is not getting forwarded correctly in the SonicWall, but the SonicWall is forwarding it "somewhere". This does appear to not work at all in the SSLVPN -> LAN direction, but it's a routing issue and not a firewall access issue. I just can't quite put my finger on the fix or on why my issue deviates from the best practices when I feel I followed them pretty accurately.

Any help would be greatly appreciated!
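One set of checks a practitioner would run on the two Windows endpoints before chasing the SonicWall further, added here as an example that is not part of the original post and not SonicWall's code, and that does not claim to be the cause: the script separates "the SonicWall forwarded the packet" (which the post's captures already show) from "the receiving host's own firewall accepted it", and it compares VNC, RDP and ping from the same VPN source address. The LAN host 10.1.1.50 is an assumption (the post names no LAN PC); 10.1.15.2 is the client address from the post. It assumes Windows 8.1/Server 2012 R2 or later, which ship the NetTCPIP and NetSecurity modules used here. Run the first two functions on the NetExtender client and the third on whichever host fails to answer (the LAN PC for VPN -> LAN, the VPN client for LAN -> VPN).

```powershell
# Added diagnostic for the symptom in the post; not code from the original post or from SonicWall.
# Assumptions (not in the post): the LAN PC under test is 10.1.1.50; Windows 8.1 / 2012 R2 or later.
$LanHost   = '10.1.1.50'   # assumption: a LAN PC that answers VNC but not RDP/ping
$VpnClient = '10.1.15.2'   # SSL VPN pool address reported in the post

# 1. On the VPN client: which interface holds the pool address, what firewall profile Windows
#    applied to it, and whether the three NetExtender client routes are really in the table.
function Show-VpnClientRoutes {
    $addr = Get-NetIPAddress -IPAddress $VpnClient -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $addr) { Write-Warning "No interface holds $VpnClient; is NetExtender connected?"; return }
    "VPN interface: {0} (ifIndex {1}, prefix length {2})" -f $addr.InterfaceAlias, $addr.InterfaceIndex, $addr.PrefixLength
    # The profile (Public/Private/Domain) decides which inbound host-firewall rules apply to VPN traffic
    Get-NetConnectionProfile -InterfaceIndex $addr.InterfaceIndex -ErrorAction SilentlyContinue |
        Select-Object Name, NetworkCategory | Format-Table -AutoSize
    foreach ($prefix in '10.1.1.0/24', '10.1.3.0/24', '10.1.15.0/24') {
        $route = Get-NetRoute -DestinationPrefix $prefix -AddressFamily IPv4 -ErrorAction SilentlyContinue
        if ($route) {
            $route | Select-Object DestinationPrefix, NextHop, InterfaceIndex, RouteMetric | Format-Table -AutoSize
        } else {
            Write-Warning "No route for $prefix on this client"
        }
    }
}

# 2. On the VPN client: test the three things the post contrasts (VNC works, RDP and ping do not)
#    from the same source address. Path and access rules are identical for all three, so a
#    difference points at the far host, not at the SonicWall.
function Test-LanHostFromVpnClient {
    $ping = Test-NetConnection -ComputerName $LanHost -WarningAction SilentlyContinue
    "ICMP ping to {0}: PingSucceeded={1}" -f $LanHost, $ping.PingSucceeded
    foreach ($svc in ([ordered]@{ VNC = 5900; RDP = 3389 }).GetEnumerator()) {
        $tcp = Test-NetConnection -ComputerName $LanHost -Port $svc.Value -WarningAction SilentlyContinue
        "{0} TCP/{1}: TcpTestSucceeded={2} SourceAddress={3}" -f $svc.Key, $svc.Value, $tcp.TcpTestSucceeded, $tcp.SourceAddress.IPAddress
    }
}

# 3. On the host that does not answer: active profiles, default inbound action, and the remote-address
#    scope of every enabled inbound rule for RDP and ICMPv4 echo. A rule scoped to LocalSubnet never
#    matches a peer in 10.1.15.0/24 (on the LAN PC the local subnet is 10.1.1.0/24; on the VPN client
#    the /32 pool address makes nothing "local"), even though the SonicWall forwarded the packet.
function Show-InboundRuleScope {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Remote Desktop|ICMPv4' }
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallAddressFilter
        "{0,-50} Profile={1,-14} Action={2,-6} RemoteAddress={3}" -f $rule.DisplayName, $rule.Profile, $rule.Action, ($filter.RemoteAddress -join ',')
    }
}

Show-VpnClientRoutes
Test-LanHostFromVpnClient
Show-InboundRuleScope
```

If the RDP and ICMPv4 rules on the non-answering host show RemoteAddress=LocalSubnet under the active profile while the VNC server's rule shows Any, the host firewall, not the SonicWall, explains the VNC-works-but-RDP-and-ping-don't split; if every rule is Any and the TCP tests still fail from 10.1.15.2, the problem is back in the forwarding path.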
