
Unable to Access AWS EC2 Resources over Site-to-Site VPN

We have a site-to-site VPN setup between our VPC (vpc-6d9c8505, 172.31.0.0/16) and our office network (10.253.1.0/24) using a SonicWall TZ-400. The SonicWall shows both tunnels up, I can ping our EC2 instances, but can't RDP into them. I can also ping from the EC2 server to local resources, but can't access them (i.e. it pings my printer, but can't print to it). RDP and accessing network shares DOES work using the Client VPN Endpoint (via OpenVPN).

Note: This WAS working prior to us trying to replace our old unmanaged switch between the SonicWall and the office LAN with the TP-Link. Now, even if I put the unmanaged switch back in place, it still fails. Since the VPN client works, it fails with both switches, and security is completely open on the AWS side, the only thing I'm really left with is the SonicWall.

Tried so far:

Added an Allow All 0.0.0.0/0 rule to our AWS Security Group and Allow All in ACLs. All incoming/outgoing is currently open on the AWS VPC side.

RDP works over the VPN client, but not the site-to-site VPN, which should rule out RDP itself being blocked at my PC or the EC2 server.

Ping and Tracert from PC to EC2 are successful, RDP and telnet over 3389 fail (site-to-site VPN only) in both directions. Printing from EC2 Instance to office printer also fails, so it's not specific to 3389.


AWS Info:

VPC vpc-6d9c8505

Instance i-0ac5cd9f17e955973

VPN vpn-026a37fb70428b34d


Our Network:

Verizon Router (192.168.1.1 internal, 96.x.x.x public)
    V
SonicWall TZ400
    - Site-to-site VPN to AWS Resources
    - 10.253.1.1 interface
    - Handles DHCP
    V
TP-Link T1600G-28PS Switch
    - 10.253.1.5 interface
    - No VLANs, QoS, or Security configured. Aside from changing the interface from the default 192.168.0.1, it's as unmanaged as it can get out of the box
    V
Office Network (10.253.1.0/24)

Category: VPN Client

Answers

  • Hello @ArturusDent,

    Welcome to SonicWall community.

    I would suggest performing a packet capture to understand how the packets are being processed on the firewall and if any configuration changes are required.

    Since AWS usually asks for two simultaneous VPN connections, please check if the traffic is going through one and returning through the other. To support that we would need to enable asymmetric routing on the VPN tunnel interfaces created under the MANAGE | Network | Interfaces section.

    Let us know what you find.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Thanks for the quick response.

    The two VPN tunnels do show outgoing on one, incoming on the other with traffic on both. Packet Capture at the SonicWall shows the incoming packets from the cloud server to my PC over 3389 being dropped.

    Full capture is attached.

    Ethernet Header

     Ether Type: IP(0x800), Src=[20:c0:47:15:ff:00], Dst=[18:b1:69:05:e2:f1]

    IP Packet Header

     IP Type: TCP(0x6), Src=[172.31.35.60], Dst=[10.253.1.110]

    TCP Packet Header

     TCP Flags = [SYN,ACK,], Src=[3389], Dst=[51411], Checksum=0x9951

    Application Header

     Not Known

    Value:[1]

    DROPPED, Drop Code: 736(Packet dropped - cache add cleanup drop the pkt), Module Id: 25(network), (Ref.Id: _2205_ecejgCffEngcpwr) 2:2)
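To show why the capture above ends in a drop, here is an added toy model (not SonicWall's or AWS's code) of a stateful firewall with two VPN tunnel interfaces: the RDP SYN leaves on one tunnel, the SYN-ACK from 172.31.35.60:3389 comes back on the other, and the reply is only forwarded when asymmetric routing is allowed. The tunnel names and the simplified connection cache are assumptions for illustration, not the TZ400's actual implementation.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    iface: str  # tunnel interface seen by the firewall (constructed names)

class StatefulFirewall:
    """Minimal connection cache: 4-tuple -> tunnel the session was opened on."""
    def __init__(self, allow_asymmetric=False):
        self.allow_asymmetric = allow_asymmetric
        self.cache = {}
        self.log = []

    def outbound(self, pkt):
        # A new outbound SYN creates a cache entry bound to its egress tunnel.
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.cache[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.iface
        return "FORWARDED"

    def inbound(self, pkt):
        # Reply direction: look up the reversed tuple and compare the tunnel.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        iface = self.cache.get(key)
        if iface is None:
            self.log.append("DROPPED: no cache entry for reply")
            return "DROPPED"
        if iface != pkt.iface and not self.allow_asymmetric:
            self.log.append(f"DROPPED: reply on {pkt.iface}, session bound to {iface}")
            return "DROPPED"
        return "FORWARDED"

def rdp_handshake(allow_asymmetric):
    """Replay the thread's capture: SYN out tunnel 1, SYN-ACK back on tunnel 2."""
    fw = StatefulFirewall(allow_asymmetric)
    syn = Packet("10.253.1.110", 51411, "172.31.35.60", 3389, frozenset({"SYN"}), "vpn-tunnel-1")
    synack = Packet("172.31.35.60", 3389, "10.253.1.110", 51411, frozenset({"SYN", "ACK"}), "vpn-tunnel-2")
    fw.outbound(syn)
    return fw.inbound(synack)

if __name__ == "__main__":
    print("asymmetric routing off:", rdp_handshake(False))  # DROPPED
    print("asymmetric routing on: ", rdp_handshake(True))   # FORWARDED
```

Ping still succeeds in this situation because ICMP echo replies are not tied to a TCP session the same way, which matches the symptom of pings working while RDP and printing fail.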



  • TCGTCG Newbie ✭

    Did you ever find a solution for this issue? Currently experiencing this as well, same exact packet dropped code.
