No routes for SSLVPN clients unless "tunnel all" mode is enabled
TZ-600 Sonic OS 126.96.36.199 NE Client 9.0.274
as the title says I cannot get client routes for the Net Extender/Moblile connect client unless Tunnel all is enabled in the SSLVPN client configuration
I've done the following:
- Created virutal IP pool seperate from the network.
- Created Virtual LAN subnet
- created Nat Rules for both
I'm following this guide due to the situation we have with some of the roving users: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-ssl-vpn-netextender-for-clients-with-overlapping-subnet/170504796310067/
some back story, this TZ-600 is replacing a TZ215. I set it up from scratch.
All the site to site connections work. the one hold out GVC install (Me) works just fine. Prior to the changeover the SSL clients worked just fine however "tunnel all" mode isn't wanted because it prevents zoom, teams and Outlook o365 connections from working on the remote host. We also don't want them streaming music through our WAN. Users are currently working off the old firewall till I get this solved.
any idea of what I am missing?
This is not a usual behavior, may I request you to please check the client routes again and make sure that the dummy network is added to it. and also under VPN access for the SSL VPN service group, We have a KB addressing a similar error: https://www.sonicwall.com/support/knowledge-base/error-connection-failure-no-routes-found-in-netextender-for-sslvpn-connection/170503292558209/.
If you are still facing the issue then I would suggest getting the settings checked by our Support team once.
Knowledge Management Senior Analyst at SonicWall.6
Hello @LJTech ,
I hope you are doing Good!
The article you are referring is for overlapping subnets so I assume the same in your case, Can you please let me know the following:
Example: If the actual network is 192.168.10.x and the dummy network is 192.168.20.x, to test you should be trying to access 192.168.20.x.
Knowledge Management Senior Analyst at SonicWall.
I'm doing well thanks!
I may have typed that wrong. there is only one NAT rule as specified in the document.
I can connect to the dummy network. and the resources are available through it.
The actual problem is in the title though. SSLVPN connections work when tunnel all is enabled in the SSLVPN client properties.
When I disable tunnel all, the connection fails in NetExtender with the error "no client routes found"
We don't want tunnel all enabled because they are using their home PC's and do not want any of their music or web traffic to go through our WAN.
Okay thanks. this weekend i'll have a chance to revew the configuration on the production one and double check all the rules and such.
If that doesn't work then are you saying I should open up a ticket in the support portal and send my config file?
Thanks for your help.