Wednesday, December 28, 2011

No Internet Access When Connected with SonicWALL Global VPN Client (GVC)

While setting up a Sonicwall TZ100 with GVC VPN for a client I ran into a little issue. I was able to get connected but not able to browse the Internet from my local machine once connected. I am by no way a Firewall expert but I have successfully set up several over the years. Since I do not work on Firewalls every day I forget a few things, but that's what they made Google for!

I quickly found the below article - No Internet Access When Connected with SonicWALL Global VPN Client (GVC).

I double checked all my settings and found where I had missed a couple. Made the adjustments and VPN connection works great.


Article Applies To: 
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless,
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060,PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)

Firmware/Software Version: All SonicOS Standard and Enhanced versions.
Services: GroupVPN




Problem Definition:
You are able to access the VPN network when connected through Global VPN Client; however, you cannot access the internet.

You can do Global VPN Client (GVC) connections to SonicWALL firewall using Split Tunnels (the simplest method and most popular).  This allows you to access your VPN resources while using your own local internet connection for all other traffic (like web surfing).  You can also choose a 'Tunnel All' (or 'Route All') configuration in which all of your internet traffic is first sent across your client VPN connection, and is then sent out from that firewall's internet connection. 

If you wish to do Split Tunnels connections with GVC to a SonicWALL GroupVPN policy, but some settings are wrong, your internet can be blocked.  Similarly, if using GVC in a Tunnel All configuration, the firewall needs certain settings for internet access to work (see the NAT Policy at the bottom).
Possible Causes and Resolution: 
- Under GroupVPN configuration (on the VPN - Settings screen), enabling the following options could cause GVC to drop internet traffic.
  • Default Gateway (Default LAN Gateway in Standard OS) - Allows the network administrator to specify the IP address of the default network router through which incoming IPSec packets for this VPN policy should be directed. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL security appliance. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
  • Allow Connections to - This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, the Internet traffic is blocked.
  • Set Default Route as this Gateway - If checked, this changes the Global VPN Client’s behavior to be a tunnel all configuration. If unchecked, the Global VPN Client must drop all non-matching traffic if Allow traffic to - This Gateway Only or All Secured Gateways is selected.  If checked along with Allow traffic to - This Gateway Only or All Secured Gateways, Internet traffic is sent through the VPN tunnel.
 
Note: If Set Default Route as this Gateway on the Client tab of the GroupVPN policy is unchecked and “Split Tunnels” is NOT selected, then Internet traffic is blocked. This option enables all remote VPN connections to access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting.
To confgure GroupVPN for Split Tunnels, follow these steps (for both SonicOS Standard and Enhanced):

Click the Edit icon for the WAN GroupVPN Policy. The VPN Policy window is displayed.
  1. Click the Advanced tab. Set Default Gateway to 0.0.0.0
  2. Click the Client tab. Set Allow Connections to - Split Tunnels.
  3. Uncheck Set Default Route as this Gateway.
  4. Click OK.
 
If the above settings do not provide a resolution, and if you are running SonicOS Enhanced, go to the Users - Local Users screen.  You will see that there is a VPN Access column.  If you mouse over each users’ VPN Access, the assigned and inherited network objects are displayed (in SonicOS Enhanced 3.x or greater).  Make sure for any split tunnel users, you don’t have the following objects configured:
- VPN DHCP Clients
- WAN RemoteAccess Networks
- any other network object which is unconfigured and thus has a value of 0.0.0.0

These kinds of objects can transform a Split Tunnel GroupVPN into a Tunnel All GroupVPN for any users who are assigned them, or who inherit them.  The more correct objects for VPN Accesspermissions are objects like ‘LAN Subnets’ or ‘Firewalled Subnets.’
 

If a remote user is still blocked from internet access when connected with GVC, you can check the following on the PC running Global VPN Client:
- Open a Command Prompt
- Type the command:  route print. 
- The route print should show only one route with a destination of 0.0.0.0 + 0.0.0.0, with the default gateway configured on the client PC. If it shows a second route with the GVC virtual adapter’s IP as the gateway, then you    have inherited a Route All Policy (possibly by accident).

To confgure GroupVPN for Tunnel All, follow these steps

Note: Only SonicWALL appliances running SonicOS Enhanced can route all internet traffic from the Global VPN Client through the VPN tunnel without help.  Appliances running SonicOS Standard and Firmware 6.x require a second internet gateway device on the SonicWALL LAN to accept the internet traffic.

SonicOS Standard:

Go to the VPN > Settings page. Click the Edit icon for the GroupVPN entry. The VPN Policy window is displayed.
  1. Click the Advanced tab. Set Default LAN Gateway to the IP address of a LAN based router / second Firewall. This second device must be capable of sending traffic to the internet without the SonicOS Standard firewall’s help.  Its IP address will be in the same subnet as the SonicWALL’s LAN IP address.
  2. Click the Client tab. Set Allow Connections to - This Gateway Only or All Secured Gateways.
  3. Check Set Default Route as this Gateway.
  4. Click OK.

SonicOS Enhanced:

The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You configure site-to-site VPN policies and GroupVPN policies from this page. Click the Edit icon for the GroupVPN entry. The VPN Policy window is displayed.
  1. Click the Advanced tab. Set Default Gateway to 0.0.0.0.
  2. Click the Client tab. Set Allow Connections to - This Gateway Only or All Secured Gateways
  3. Check Set Default Route as this Gateway.
  4. Click OK.


  5. Go to the Network - NAT Policies screen.  You must add a NAT policy which translates the traffic coming from the remote GVC user, as it goes through the WAN of the firewall towards the internet.  This is needed with or without the DHCP over VPN on the WAN GroupVPN Policy.  This NAT policy will not affect any traffic except traffic heading towards the internet from route all VPNs.  The NAT Policy should look like this:
    • Original Source:  Any
    • Translated Source: WAN Primary IP (or X1 IP)
    • Original Destination: Any
    • Translated Destination: Original
    • Original Service: Any
    • Translated Service: Original
    • Inbound Interface: X1 (or WAN)
    • Outbound Interface: X1 (or WAN)
    • Set Enable NAT Policy
    • Do NOT set Create a reflexive policy
    • Click OK.
KBID3523
Date Modified3/15/2010
Date Created10/16/2007


~Richard

SQL update not needed to resolve issue...

Sometimes I really feel like a putz. One of my clients asked me to change a program so that only active records from the Rolox file are displayed during searches. My initial thought is a two second change to either program to use logical file selecting on 'A' status records or a couple of lines of code in the RPG. I was partially right!

The Rolox file was designed by me in 1995 at the request of the owner of the company. He did not want to use Outlook contacts and wanted it in green screen. He also needs three fields to identify who would get a Christmas card, party invitation or wreath sent to an address as well as the standard contact information fields. The client wanted a one stop process for looking up phone numbers by name. 

Simple enough; I created the file with fields as needed and a maintenance program to add, update or change records in the file. There are three different types of records in the Rolox file, entries of people that are neither customers or vendors, customers from VAI VARCUST file and vendors from VAI VAPVEND file.  This process is created on the iSeries in RPG III and worked as required for six years.

I opened the Rolox file and through my due diligence I realized something is not right. I ran some SQL over the files to determine what the current status of the Rolox file and found many discrepancies.

select * from r37files/vapvend where not exists 
 (select * from r37ceudta/rolox where acdel = rxstus and acvend = rxid and 2 = rxecd);

select * from r37files/varcust where not exists 
 (select * from r37ceudta/rolox where rmdel = rxstus and rmcust = rxid and 1 = rxecd); 

There were thousands of records that did not exist in the Rolox file. This should not be the case since both the VAI customer maintenance and vendor maintenance programs were modified to add, change, delete from the Rolox file or at least so I remembered.

I then started looking at the VAI maintenance programs and found that the programs were not in the VAI modified library. This was a little disturbing. Before going any further I call the client and asked him to show me exactly where he was seeing the problem. First I realized that there are multiple menu options for the Rolox, maintain/edit and search. The client is using the search option and has not used the maintain/edit option in years.

   
At this point it all came back to me, back in 2000 I upgraded the client VAI S2K from version 3.2 to 3.7. During the planning stage I took advantage of the upgrade to get rid of the Rolox file and use the VAI customer and vendor files exclusively. The only additional fields are the party, card and wreath fields. Version 3.7 has a new feature called user defined fields. User defined fields can be created for the following files:
                                                           
     1. Setup                                                                 
     2. Item                                                                  
     3. Item Balance                                                          
     4. Vendor                                                                
     5. Chart of Accounts                                                     
     6. Customer                                                              
     7. Contacts                                                              
     8. Ship-To                                                               
     9. Prospect                                                              
    10. Opportunity                                                           

I had completely forgotten that I sold the client on allowing me to create a new inquiry program that would eliminate the Rolox file and only use the customer and vendor master files.

So the fix is a two second fix; I changed the following logical files to select records equal to status active only. They were originally coded as COMP(NE 'D')

-----------------------------------------------------
 VARCST90 - AR CUSTOMER MASTER LOGICAL BY NAME       
-----------------------------------------------------
         R ARCUSTR                   PFILE(VARCUST)  
         K RMNAME                                    
         S RMDEL                     COMP(EQ 'A')    

--------------------------------------------------
VAPVND90 - AP VENDOR MASTER LOGICAL BY NAME       
--------------------------------------------------
        R APVENDR                   PFILE(VAPVEND)
        K ACNAME                                  
        S ACACT                     COMP(EQ 'A')  

Recompiled the logical files and program.

I have done so many installations and modifications over the past ten years for many different clients and employers, I guess this one just slipped by me.

The client is happy and I am not charging him for a two second change that took me all day. While I was doing this I also installed and configured SQL Explorer on my PC and practiced SQL UPDATE, INSERT INTO, WHERE EXISTS, WHERE NOT EXISTS and SELECT. So not a total loss.

I have removed the old menu option and Rolox file from the system as I should have done years ago. 

It is a good feeling to know what I created ten years ago was the right thing to do and will stand the test of time.

~Richard



 

Tuesday, December 27, 2011

Good morning all...

I took a few days off for Christmas and now ready to crank up the job search again. My good programmer friend Rick Santiago, wife Lori and dogs Max and Annie came up to visit for the last 4 days. We really enjoyed having them here and had a great time.

I have some SQL to create today that will sync up two master files to one. This task will utilize UPDATE, INSERT INTO, WHERE EXISTS.

Have a great day,

~Richard

Friday, December 23, 2011

Dreaded "Automatic installation not complete" message...

While upgrading to i5/OS V6R1 from V5R4 I received a message I have not seen before, "Automatic installation not complete". I received this message after loading all the upgrade media and the IPL had completed. I proceeded to look for why the installation did not complete and found job log message 410196/QLPINSTALL/QLPINSTALL.
Message: Error while processing file MRMXH20010 in QUSRTMP.
Cause: Some objects may have been damaged. Save or Restore results cannot be predicted.
Tech Description: Error summary code E410. Device dependent error code.
CPPE468
MCH3601
CPD376B
Failed installation 5761XH2, 5761XW1,  *BASE


My belief is that the DVD was damaged. The client does not use the product but I would still like to see it installed. I plan on downloading and trying the install at a later date.

~Richard


 

Monday, December 19, 2011

Another successful upgrade to V6R1.....

Just got back home after another successful IBMi I5/OS V6R1 upgrade. I drove down to Ft. Lauderdale Thursday morning and stayed with my good friend and excellent programmer Rick Santiago. Him and his wife provided a place to sleep and great hospitality.

I spent 12 hours Friday, 12 hours Saturday and two on Sunday to complete the upgrade. I had an issue with installing one licensed program and failed to accomplish the extra credit of switching the console from Twinax to console on the LAN. I will post more details in the coming days.

The scope of work also included setting up a Sonicwall TZ100 firewall with VPN access.

Over all the upgrade is a success, and the company is functioning as normal this morning. The customer is very satisfied and has more work for me on the VAI System 2000 software setting up the General Ledger report writer and creating an Income Statement and P&L.

Have a great week!

~Richard

Tuesday, December 13, 2011

iSeries sessions not opening and EOD did not finish...

Sat down this morning and quickly noticed I am be requested to join a hangout named Help created by one of my clients.

Jason stated he cannot access the iSeries 5250 emulation screens. The sessions start up and are blank but show connected. Jason also stated that he cannot access the Operations Console.

I fired up a VPN connection and attempted to start a session with same result. The Operation Console started and gave me control panel access but no console session. I am a little confused why the console session would not start. I know that the problem is the QINTER subsystem is not started but did not realize that the console session would also run under QINTER. I have to look into that a little further.

With the Operation Control Panel up I could force an IPL but want to avoid if possible. I start up iSeries Navigator and expand Work Management and click on Active Jobs. I see the End of Day job with a message waiting. The CL attempts to shut down the subsystem and there is no monitor message code if the subsystem is already ended. The job halted and waiting for answer to message. Easy permanent fix to the program, never a problem before.

The problem was created when Jason inadvertently selected the wrong job scheduled entry to submit to batch. After he submitted the job he canceled it but the job had already progressed to the point of shutting down QINTER. Without realizing what was happening he left for the day.

I answered the message with I to ignore and let the End of Day complete normally. Problem resolved.

System I Navigator saves the day! With a little help from me. ;)

A simpler way would have been to just fire up a session in QCTL subsystem. Unfortunately we did not add a work station entry after the migration. I am fixing that now. This brings me back to why did the console session not start, it did not occur to me to add workstation entry since we now have Remote Console capabilities.



~Richard




Monday, December 12, 2011

Damage found on file QAYPSYSTEM in Library QMGTC

I had this same problem with my last migration but this time I won't let it slow me down. Always check full system save job log to make sure the save finished with no errors otherwise it will give you trouble during the upgrade.

Message ID CPF3285
Message - Damage found on file QAYPSYSTEM in library QMGTC.

I don't know what causes but problem but glad there is a fix so I can move on.

Management Central - File QMGTC/QAYPSYSTEM Damaged

 Incident Summary
Problem Summary: 
This document describes how to recover from a damaged QAYPSYSTEM file in library QMGTC.
Here are some of the error messages found regarding this issue:
CPF3285 -  Damage found on file QAYPSYSTEM in library QMGTC, was received during a system weekly and daily backups.
CPF8111 -   &8 damage on member &9 file &4. This message was found after a power failure .

Resolution: 
The QAYPSGRPCT, QAYPSYSGRP, and QAYPSYSTEM files in the QMGTC library need to be re-created or restored from backup. If these files are re-created, the system group constraints, the endpoint system list, and the group system list will be deleted. Therefore, whenever it is possible, restore the files from backup.
Note: Due to file constraints, the three files need to be all re-created, or all restored from backup.
Do the following to delete and re-create the files:
1.On the operating system command line, type the following:
ENDTCPSVR *MGTC , and press the enter key.
2.Delete the file QAYPSGRPCT in library QMGTC as follows:
On the operating system command line, type the following:
DLTF FILE(QMGTC/QAYPSGRPCT) RMVCST(*REMOVE) , and press the enter key.
3.Delete the file QAYPSYSGRP in library QMGTC as follows:
On the operating system command line, type the following:
DLTF FILE(QMGTC/QAYPSYSGRP) RMVCST(*REMOVE) , and press the enter key.
4.Delete the file QAYPSYSTEM in library QMGTC as follows:
On the operating system command line, type the following:
DLTF FILE(QMGTC/QAYPSYSTEM) RMVCST(*REMOVE) , and press the enter key.
5.On the operating system command line, type the following:
For V5R3:
CALL QSYS/QYPSSETUP PARM(V5R3M0)
For V5R4:
CALL QSYS/QYPSSETUP PARM(V5R4M0)
For V6R1:
CALL QSYS/QYPSSETUP PARM(V6R1M0)
Press the enter key.
For V7R1:
CALL QSYS/QYPSSETUP PARM(V7R1M0)
Press the enter key.
6.On the operating system command line, type the following:
STRTCPSVR *MGTC , and press the enter key.
Note: This process does not prevent the file(s) from getting damage again. If the problem with the damage object recurs, you should contact IBM Support.

References: 
None.

System i Support 


Monday, December 5, 2011

Copy source member from one machine to another...

In preparation for an upgrade from I5 V5R4 to V6R1 I needed to remotely apply PTF's and then apply permanently. The system I am currently working on only has Twinax Console which prevents me from running a Full System Save remotely. Once I finish the upgrade I will change the console to be LAN driven and resolve the issue. For now I have the need to do a couple of Full Saves and be able to accomplish this via remote.

I found an article a year or so back that provided example CL code on how to perform a full system save via remote or on a schedule.

Due to only having a Logmein connection to the Iseries I'm upgrading, I rather finish fine tuning the code using WDSC 6.0. I have a VPN connection to another client I recently upgraded so I developed the code on their machine and then needed to transfer to the machine I'm working on.

Here are the steps I used to transfer the code:

Modified source code to work for my scenario.

Create save file containing the source code.

        CRTSAVF FILE(QGPL/FULLSAV)

Save object source file to save file.
     
        SAVOBJ OBJ(QCLSRC) LIB(RBTEST) DEV(*SAVF) OBJTYPE(*FILE) 
          SAVF(QGPL/FULLSAV) TGTRLS(V5R4M0) FILEMBR((QCLSRC (FULLSAV))) 

Copy save file to IFS.

      CPYTOSTMF FROMMBR('/qsys.lib/qgpl.lib/fullsav.file') 
           TOSTMF(fullsav.savf) STMFOPT(*REPLACE)

Open iSeries Navigator and drag the save file to my desktop.

Using LogmeIn, I access a remote PC at the client site and transfer the save file to the PC with LogmeIn file manager.

FTP the save file to client iSeries using Windows command line FTP.

        Windows start / run type CMD enter.
         FTP XXX.XXX.XXX.XXX
         User name
         Password
         BIN
         CD QGPL
         PUT FULLSAV.SAVF

I like to play it safe so I will create a temporary hold library to restore the QCLSRC file and member.

      CRTLIB LIB(HOLD)

Restore object.

      RSTOBJ OBJ(QCLSRC) SAVLIB(RBTEST) DEV(*SAVF) SAVF(QGPL/FULLSAV)         FILEMBR((QCLSRC (FULLSAV))) MBROPT(*ALL) ALWOBJDIF(*ALL) RSTLIB(HOLD)

I then copy the source member to my testing library to complete the finishing touches and compile.

More on the code in the next blog.

~Richard