Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register
Options

TZ400 Site To Site VPN to Azure seems to be connecting, but unable to find a server?

ferlessleedrferlessleedr Newbie ✭
in Entry Level Firewalls

I've got a TZ400 that I've set up a site to site connection to a VPN gateway in Azure, on the same vnet as an ubuntu machine we've got up there. When I connect to the VPN directly from my PC I'm able to ssh to the ubuntu machine at its local address, a 10.1.X.X address. It doesn't have its own publicly facing IP. However, using the site to site connection in the firewall I'm getting nothing, either from a computer connected to the NetExtender VPN nor from a device that's on-site on the network behind the firewall.

To set this up I followed the process listed here: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-vpn-between-a-sonicwall-firewall-and-microsoft-azure/170505320011694/

In VPN/Settings I show this under Currently Active VPN Tunnels:

image.png

The EximWareTunnel is an entirely separate thing but it's worth mentioning that it's working and also the Local range is an actual range that we use. The Gateway IP is the static public IP address of the Azure virtual network gateway. The gateway itself is a Basic SKU. Traffic doesn't seem to be flowing either direction according to the VPN Tunnel Statistics in the VPN Base Settings page, or from the Connection's data in Azure.

Any advice here? More info I should provide?

Thanks.

Category: Entry Level Firewalls
Reply

Answers

  • Options
    TonyATonyA SonicWall Employee

    Hi @ferlessleedr

    You mention a net extender connection - do you have this set up in a hub and spoke way?

    NX -> Sonicwall Firewall -> Azure

    So you in the site to site VPN policy with Azure, in the local networks do you have the Net Extender SSLVPN IP Scope address object there as well? and on the remote networks side on Azure?

    As for the device on site, could you run a packet capture (Destination based) and see if there is any dropped packets on the Sonicwall?

  • Options
    ferlessleedrferlessleedr Newbie ✭

    Thanks for getting back to me. Yeah, that's how the connection would go. As I type this I'm onsite, so not connecting with the VPN but because our users are already using the NetExtender VPN to connect to the firewall when working from home we'd like to not change their workflow at all as we move onsite resources into the Azure cloud. The NX connection is known good, been working fine for years. I just tried pinging a machine in Azure at it's private IP (10.1.0.5) and it still didn't work from onsite, so I don't think the NX connection is the problem, I'm guessing it's something with how I've set up the connection between the Sonicwall and Azure.

    As for VPN Policy, I went through this article exactly: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-vpn-between-a-sonicwall-firewall-and-microsoft-azure/170505320011694/

    For the Sonicwall settings, I used the resolution for the 6.5 firmware and the device in question is currently on SonicOS Enhanced 6.5.4.13-105n. That article didn't have me go into the SLL VPN section at all so I haven't gone into anything there at all.

    I ran a packet capture while I pinged our machine and it looks like it is dropping the packets in question, here's the packet detail of one of them:

    Ethernet Header

     Ether Type: IP(0x800), Src=[8c:ae:4c:c4:35:80], Dst=[18:b1:69:d3:45:bc]

    IP Packet Header

     IP Type: ICMP(0x1), Src=[192.168.1.179], Dst=[10.1.0.5]

    ICMP Packet Header

     ICMP Type = 8(ECHO_REQUEST), ICMP Code = 0, ICMP Checksum = 18087

    Value:[1]

    DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 1:2)

    Hopefully this is helpful? My apologies, networking stuff is my one massive blind spot and weakness as an IT guy.

  • Options
    TonyATonyA SonicWall Employee
    edited October 2023

    Hi @ferlessleedr

    If you have a site to site VPN, only networks in the Local/remote networks in the Networks tab will be allowed to communicate.

    If you have users connecting to the SonicWALL firewall via SSLVPN and need to reach resources across a site to site VPN, their network (SSLVPN IP Range) needs to be included on the Sonciwall firewall's local networks in the networks tab on the VPN policy, as well as having this same network on the remote networks on the remote side of the site to site vpn tunnel.

    On top of that, the you would need to include the remote network on the azure side in the client path in SSLVPN client settings, as well as the VPN access tab in the Users/user groups section for those sslvpn users.


    For on site - if that capture is from a device from behind the Sonicwall firewall network, the drop is policy drop which is most likely an access rule.

    Also, just noticed that you have a 0.0.0.0 object for local network for the firewall -I would advise to make this specific - create an address object group and add the network objects you need to communicate with. Also, the Remote networks in the first screen shot shows network 20.1.x.x but in the capture with the policy drop, we can see 10.1.x.x

Sign In or Register to comment.