Wednesday, December 28, 2011

No Internet Access When Connected with SonicWALL Global VPN Client (GVC)

While setting up a SonicWALL TZ100 with GVC VPN for a client, I ran into a little issue. I was able to get connected but not able to browse the Internet from my local machine once connected. I am by no means a firewall expert, but I have successfully set up several over the years. Since I do not work on firewalls every day I forget a few things, but that's what they made Google for!

I quickly found the below article - No Internet Access When Connected with SonicWALL Global VPN Client (GVC).

I double-checked all my settings and found a couple I had missed. I made the adjustments and the VPN connection works great.


Article Applies To:
Affected SonicWALL Security Appliance Platforms:
Gen5: NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 240
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 Wireless
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless, TZ 150, TZ 150 W, TZ 150 Wireless (RevB)

Firmware/Software Version: All SonicOS Standard and Enhanced versions.
Services: GroupVPN

Problem Definition:
You are able to access the VPN network when connected through Global VPN Client; however, you cannot access the internet.

Global VPN Client (GVC) connections to a SonicWALL firewall can use Split Tunnels (the simplest and most popular method). This lets you reach your VPN resources while using your own local Internet connection for all other traffic (such as web surfing). You can also choose a 'Tunnel All' (or 'Route All') configuration, in which all of your Internet traffic is first sent across your client VPN connection and then sent out through that firewall's Internet connection.

If you want Split Tunnels connections with GVC to a SonicWALL GroupVPN policy but some settings are wrong, your Internet access can be blocked. Similarly, if you use GVC in a Tunnel All configuration, the firewall needs certain settings for Internet access to work (see the NAT Policy at the bottom).

Possible Causes and Resolution:
- Under GroupVPN configuration (on the VPN - Settings screen), enabling the following options could cause GVC to drop internet traffic.
  • Default Gateway (Default LAN Gateway in Standard OS) - Allows the network administrator to specify the IP address of the default network router through which incoming IPSec packets for this VPN policy should be directed. Incoming packets are decoded by the SonicWALL and compared to static routes configured in the SonicWALL security appliance. Since packets can have any IP address destination, it is impossible to configure enough static routes to handle the traffic. For packets received via an IPSec tunnel, the SonicWALL looks up a route. If no route is found, the security appliance checks for a Default Gateway. If a Default Gateway is detected, the packet is routed through the gateway. Otherwise, the packet is dropped.
  • Allow Connections to - This Gateway Only - Allows a single connection to be enabled at a time. Traffic that matches the destination networks as specified in the policy of the gateway is sent through the VPN tunnel. If this option is selected along with Set Default Route as this Gateway, the Internet traffic is also sent through the VPN tunnel. If this option is selected without selecting Set Default Route as this Gateway, the Internet traffic is blocked.
  • Set Default Route as this Gateway - If checked, this changes the Global VPN Client’s behavior to be a tunnel all configuration. If unchecked, the Global VPN Client must drop all non-matching traffic if Allow traffic to - This Gateway Only or All Secured Gateways is selected.  If checked along with Allow traffic to - This Gateway Only or All Secured Gateways, Internet traffic is sent through the VPN tunnel.

Note: If Set Default Route as this Gateway on the Client tab of the GroupVPN policy is unchecked and “Split Tunnels” is NOT selected, then Internet traffic is blocked. This option enables all remote VPN connections to access the Internet through this VPN tunnel. You can only configure one VPN policy to use this setting.

To configure GroupVPN for Split Tunnels, follow these steps (for both SonicOS Standard and Enhanced):

Click the Edit icon for the WAN GroupVPN Policy. The VPN Policy window is displayed.
  1. Click the Advanced tab. Set Default Gateway to 0.0.0.0
  2. Click the Client tab. Set Allow Connections to - Split Tunnels.
  3. Uncheck Set Default Route as this Gateway.
  4. Click OK.

If the above settings do not provide a resolution, and you are running SonicOS Enhanced, go to the Users - Local Users screen. You will see that there is a VPN Access column. If you mouse over each user’s VPN Access, the assigned and inherited network objects are displayed (in SonicOS Enhanced 3.x or greater). Make sure that no split tunnel user has the following objects configured:
- VPN DHCP Clients
- WAN RemoteAccess Networks
- any other network object which is unconfigured and thus has a value of 0.0.0.0

These kinds of objects can transform a Split Tunnel GroupVPN into a Tunnel All GroupVPN for any users who are assigned them, or who inherit them. The more correct objects for VPN Access permissions are objects like ‘LAN Subnets’ or ‘Firewalled Subnets.’


If a remote user is still blocked from internet access when connected with GVC, you can check the following on the PC running Global VPN Client:
- Open a Command Prompt.
- Type the command: route print
- The output should show only one route with a destination of 0.0.0.0 and a netmask of 0.0.0.0, using the default gateway configured on the client PC. If it shows a second such route with the GVC virtual adapter’s IP as the gateway, then you have inherited a Route All policy (possibly by accident).
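As an added example (not part of the KB article or this post), the following Python script parses the IPv4 table of `route print` output and flags a second default route that uses the GVC virtual adapter, which is the symptom the check above describes. The sample output and the virtual adapter address 10.20.0.5 are constructed.

```python
"""Added example, not from the KB article: parse the IPv4 table of Windows
`route print` and flag a second default route via the GVC virtual adapter,
the sign of an inherited Tunnel All (Route All) policy. Samples are constructed."""
import re

SEP = "=" * 75 + "\n"
HEADER = (SEP + "IPv4 Route Table\n" + SEP + "Active Routes:\n"
          "Network Destination        Netmask          Gateway       Interface  Metric\n")
LAN_ROWS = (
    "          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25\n"
    "        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306\n"
    "      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281\n"
    "       10.10.10.0    255.255.255.0        10.20.0.5       10.20.0.5     20\n")
# Second default route; gateway and interface are both the GVC virtual adapter IP.
GVC_DEFAULT_ROW = "          0.0.0.0          0.0.0.0        10.20.0.5       10.20.0.5      1\n"
FOOTER = SEP + "Persistent Routes:\n  None\n"

SPLIT_TUNNEL_OUTPUT = HEADER + LAN_ROWS + FOOTER                  # healthy split tunnel
TUNNEL_ALL_OUTPUT = HEADER + LAN_ROWS + GVC_DEFAULT_ROW + FOOTER  # inherited Route All

IPV4 = r"\d+\.\d+\.\d+\.\d+"
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+({IPV4})\s+(\d+)\s*$")

def parse_ipv4_routes(route_print_output):
    """Return the rows of the IPv4 'Active Routes' table as dicts.
    Parsing stops at the IPv6 table so its entries are never mixed in."""
    routes = []
    for line in route_print_output.splitlines():
        if line.startswith("IPv6 Route Table"):
            break
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
    return routes

def default_routes(routes):
    """Routes with destination 0.0.0.0 and netmask 0.0.0.0 (the default routes)."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]

def inherited_route_all(route_print_output, gvc_adapter_ip):
    """True when a default route uses the GVC virtual adapter as gateway or
    interface: the client is in Tunnel All rather than Split Tunnels, so its
    Internet traffic goes into the tunnel and needs the NAT policy to get out."""
    return any(gvc_adapter_ip in (r["gateway"], r["interface"])
               for r in default_routes(parse_ipv4_routes(route_print_output)))
```

On a real client, pipe the captured `route print` text into `inherited_route_all` together with the IP shown on the GVC virtual adapter.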

To configure GroupVPN for Tunnel All, follow these steps:

Note: Only SonicWALL appliances running SonicOS Enhanced can route all internet traffic from the Global VPN Client through the VPN tunnel without help.  Appliances running SonicOS Standard and Firmware 6.x require a second internet gateway device on the SonicWALL LAN to accept the internet traffic.

SonicOS Standard:

Go to the VPN > Settings page. Click the Edit icon for the GroupVPN entry. The VPN Policy window is displayed.
  1. Click the Advanced tab. Set Default LAN Gateway to the IP address of a LAN based router / second Firewall. This second device must be capable of sending traffic to the internet without the SonicOS Standard firewall’s help.  Its IP address will be in the same subnet as the SonicWALL’s LAN IP address.
  2. Click the Client tab. Set Allow Connections to - This Gateway Only or All Secured Gateways.
  3. Check Set Default Route as this Gateway.
  4. Click OK.

SonicOS Enhanced:

The VPN > Settings page provides the SonicWALL features for configuring your VPN policies. You configure site-to-site VPN policies and GroupVPN policies from this page. Click the Edit icon for the GroupVPN entry. The VPN Policy window is displayed.
  1. Click the Advanced tab. Set Default Gateway to 0.0.0.0.
  2. Click the Client tab. Set Allow Connections to - This Gateway Only or All Secured Gateways.
  3. Check Set Default Route as this Gateway.
  4. Click OK.
  5. Go to the Network - NAT Policies screen. You must add a NAT policy which translates the traffic coming from the remote GVC user as it goes through the WAN of the firewall towards the Internet. This is needed with or without DHCP over VPN on the WAN GroupVPN Policy. This NAT policy will not affect any traffic except traffic heading towards the Internet from route all VPNs. The NAT Policy should look like this:
    • Original Source:  Any
    • Translated Source: WAN Primary IP (or X1 IP)
    • Original Destination: Any
    • Translated Destination: Original
    • Original Service: Any
    • Translated Service: Original
    • Inbound Interface: X1 (or WAN)
    • Outbound Interface: X1 (or WAN)
    • Set Enable NAT Policy
    • Do NOT set Create a reflexive policy
    • Click OK.
KB ID: 3523
Date Modified: 3/15/2010
Date Created: 10/16/2007


~Richard

4 comments:

  1. Thank you for the great info. I'd followed another post's advice and lost the split-tunnel. Your info fixed the issue.

  2. Very helpful. Seems like a lack of solid information on troubleshooting SonicWall split-tunneling issues on the web. Thanks for posting this.

  3. Thank you. Great info. Very helpful post.
    top10-bestvpn.com

  4. Thank you! The CMD route print command helped me learn I was still inheriting a Route All Policy and eventually led me to the user group causing the problem!
