GVC network access issue
Ninad94
Newbie ✭
Hi guys,
Have you faced this kind of issue anywhere? When we connect to GVC, we get fluctuation while accessing and pinging my internal LAN resources, but the same works fine when we connect to SSL VPN. I checked by changing the MTU value, but the issue is still the same. I did a packet capture, but no drops were found. Currently I have only one ISP, so I can't check on an alternate internet connection.
Category: High End Firewalls
Answers
Hello @Ninad94,
1) Are you using the same username while testing SSLVPN and GVC?
2) Is there any network IP overlap between your local subnet and the LAN resources that you are trying to access?
3) Is this taking place for all GVC users?
4) What version of GVC client are you using and what is the firmware on the firewall?
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @shiprasahu93
@Ninad94
Is GVC being used in split tunnel or route all mode? Also, is this a new set up or existing set up that just broke?
Based on the RTO on the client side, since you are not seeing any drops on the firewall as well, either the ping requests are not reaching the firewall, reaching but the internal device is not replying to all, or the response is not reaching back to the GVC user machine.
Is this taking place while you ping any device present on LAN? Also, can you share a screenshot of what you see in the packet capture?
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @NINAD94,
I have a few suggestions for you. The symptom reported by you could be caused by one of the following reasons.
Overlapping network:
Check whether the network you are connecting from and the network behind the SonicWall do not have identical networks. For example, if you are in the 192.168.1.x/24 network and have connected to the SonicWall via the GVC, and have obtained a virtual IP address 192.168.1.27/24, you will not be able to access the remote SonicWall network of 192.168.1.x/24. The only solution to this would be to change one of the networks in question or to configure the GroupVPN to assign an IP address of a different interface.
Intermittent pings:
At times the ping test returns one reply followed by request timed-out.
- The VPN Access List contains incorrect objects like All Interfaces IP or LAN/DMZ Interface IP.
- There are interfaces configured in a loop.
  EXAMPLE: X0 and X2 are both connected to the same switch without VLAN.
- The Virtual IP address assigned by the DHCP Server has already been assigned to another host in the network.
Multiple NICs on the computer behind the SonicWall:
If the host you are trying to access has multiple NICs, it is more likely than not that some traffic is being routed through the NIC not connected to SonicWall. Try disabling the second NIC and check.
Hope this info helps you. Let us know how it goes.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@shiprasahu93 GVC is running in split tunnel mode. This is not a new setup; until yesterday it was working fine. Only from today have we started facing this kind of issue. Yes, we are facing this issue for all devices on the LAN.
@Ninad94,
You can check the suggestions given by @Saravanan1990_V.
If that does not help, I think we would need to generate a set of ping packets, like a burst of 10 or 20, and perform captures on the firewall and the end client to investigate further.
You can contact SonicWall support for real-time troubleshooting.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
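The capture comparison suggested above comes down to matching ICMP sequence numbers across the two capture points, which separates the three cases named earlier in the thread (request not reaching the firewall, LAN host not replying, reply not reaching the GVC client). This is an added example, not part of any post in the thread and not SonicWall tooling; the function names and sequence numbers are constructed, and it assumes the sequence numbers have already been exported from each capture.

```python
# Added example: all sequence numbers below are constructed sample data.
from collections import Counter

OK = "ok"
LOST_TO_FW = "request never reached firewall"
NO_REPLY = "request reached firewall, no reply from LAN host"
LOST_TO_CLIENT = "reply seen at firewall, never reached client"


def classify_burst(client_sent, fw_requests, fw_replies, client_replies):
    """Classify each ICMP echo of a ping burst by sequence number.

    client_sent    - seqs of echo requests in the client-side capture
    fw_requests    - seqs of echo requests seen (decrypted) on the firewall
    fw_replies     - seqs of echo replies seen on the firewall from the LAN host
    client_replies - seqs of echo replies in the client-side capture
    """
    fw_requests, fw_replies = set(fw_requests), set(fw_replies)
    client_replies = set(client_replies)
    result = {}
    for seq in sorted(set(client_sent)):
        if seq in client_replies:
            result[seq] = OK              # full round trip completed
        elif seq in fw_replies:
            result[seq] = LOST_TO_CLIENT  # return path towards the client
        elif seq in fw_requests:
            result[seq] = NO_REPLY        # LAN side: host or routing
        else:
            result[seq] = LOST_TO_FW      # client-to-firewall tunnel path
    return result


def summarize(result):
    """Count outcomes so the dominant failure point stands out."""
    return Counter(result.values())


if __name__ == "__main__":
    sent = range(1, 21)  # burst of 20 pings
    fw_req = [s for s in sent if s not in (4, 5, 11, 12, 13)]
    fw_rep = [s for s in fw_req if s != 17]
    cl_rep = [s for s in fw_rep if s != 8]
    outcome = classify_burst(sent, fw_req, fw_rep, cl_rep)
    for seq, verdict in outcome.items():
        if verdict != OK:
            print(f"seq {seq:2d}: {verdict}")
    print(dict(summarize(outcome)))
```

A result dominated by the first category points at the path between the client and the firewall, including anything the firewall drops before the capture point.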
@Saravanan1990_V I don't think there is network overlapping because I tested on multiple user machines and got the same kind of ping response. Also, we are using the 194.195.10.0 network for GVC users, which is a separate DHCP scope not configured on any firewall interface.
I didn't get your second point. Which rule do I need to check in the firewall?
The third point that you suggested I need to check with my customer.
@Saravanan1990_V @shiprasahu93 Anything else you want to suggest? Should I check by changing the phase 1 and phase 2 proposals?
@Ninad94,
The second point meant that the user is not somehow inheriting the VPN access of 'All Interface IP' or 'WAN Interface IP'. If this access is provided to a user group, it gets inherited to all users that are part of it.
Once the user is connected, you can check the bubble under VPN access to see what permissions that user has. It should be LAN subnets or firewalled subnets but not Interface IPs.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Ninad94 ,
The second point actually deals with checking the VPN access portion of the user account and ensuring address objects such as All Interfaces IP or LAN/DMZ Interface IP are not used. You can use LAN Subnets, DMZ Subnets or any custom address objects as per your requirement.
It also suggests checking whether the same network switch is being used between multiple interfaces of the SonicWall, as it leads to a network loop causing intermittent drops for traffic passing via the SonicWall appliance.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@shiprasahu93 @Saravanan1990_V The issue is resolved now. In the firewall logs I found UDP flooding on ports 500 and 4500. So I just increased the threshold value for UDP flood protection to 20000. After that I am getting a proper ping response.
@Ninad94,
I am glad that your issue is fixed. UDP Flood protection is not turned ON by default. Also, it should have shown you dropped packets if that was the reason.
But, as long as you are up and running, we should be good.
Thanks for sharing the results.
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @Ninad94,
We are glad to hear that you are all set. We should really appreciate your efforts in fixing the issue. Hopefully, next time we can provide you some precise tips when you are here. Once again thanks for keeping us posted.
Have a better day!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @shiprasahu93 @Saravanan1990_V Thank you for your quick response. I just want to know: is it recommended to enable UDP or ICMP flood protection in the firewall, or is it better to keep it disabled?
Hey @Saravanan1990_V
I think I have worked with you on many cases related to Analyzer and GMS, and every time I got a proper solution. This time also you provided the best solution. Next time, while troubleshooting this kind of issue, I will also remember your second point, i.e. there should not be an interface IP included in the VPN access of a user.
Hi @Ninad94,
A UDP flood attack is a type of Denial-of-Service (DoS) attack. It is initiated by sending a large number of UDP packets to a remote host. As a result, the victimized system's resources will be consumed with handling the attacking packets, which eventually causes the system to be unreachable by other clients.
In your case, the legitimate GVC traffic is treated as a UDP flood by the SonicWall appliance, since GVC users send loads of UDP packets, which is expected. I would suggest you tweak the UDP threshold value to a higher one. You can check the SonicWall logs for the threshold value attained for the GVC access. Make sure you define a value higher than the one shown in the SonicWall log messages.
We have a KB article on disabling the UDP flood protection in case legitimate UDP traffic is blocked by SonicWall as a false positive. I would suggest going with a threshold value increase rather than disabling the complete feature, considering the security risks. Attaching the KB for your view just in case.
Hope this answers your question.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@Ninad94,
I have seen issues like this with VoIP and Skype with UDP Flood protection. That is the reason it is not turned ON by default. You can certainly use it, but please be mindful of the thresholds.
You should not see those restrictions with ICMP though.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@Ninad94 - Yes, we have worked together on a lot of Firewall and GMS support cases 🙂
Glad to have you here in our SonicWall Community Portal - a new channel to serve all SonicWall Users / Customers / Partners / Employees. We ensure and believe, you will continue to get best service here on this channel as well.
Thanks and have a good one!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
@shiprasahu93 Yes, right. I have also seen the same issue for VoIP traffic. Recently we were also facing an issue where, during a video call on Microsoft Teams, video and audio quality went down when three or more people joined the call. In the packet capture we found drops related to UDP flood, and after changing the threshold value the issue got resolved.