
NetExtender doesn't pass traffic on most connection attempts

austex_aec Newbie ✭

I have Sonicwall TZ appliances in each of four locations, as summarized below. All nodes are connected to each other using IPSec Tunnels. All four nodes are configured identically; the only differences are in the relative subnet addresses.

Location 1, 10.1.x.x subnet, TZ350, 6.5.4.5-53n

Location 2, 10.2.x.x subnet, TZ300W, 6.5.4.6-79n (recently HotFixed *)

Location 3, 10.3.x.x subnet, TZ350W, 6.5.4.6-79n

Location 4, 10.4.x.x subnet, TZ300w, 6.5.4.5-53n

Ever since I upgraded Location 2 and Location 3 to 6.5.4.6-79n, my users have had trouble acquiring a proper connection to those appliances using NetExtender from their Windows 10 laptops.  

When using NetExtender, the end users usually have to try several times before they get a successful connection. When it fails (~80% of the time), the user does authenticate properly, and they get an IP address in the proper range, but no traffic is passed between the SSLVPN user and the LAN. Each time that it fails, the logs report information like this:

destination for 10.2.0.3 is not allowed by access control [this is my dns server]

destination for 224.0.0.251 is not allowed by access control

destination for 10.1.0.3 is not allowed by access control [this is my secondary dns server]

destination for 224.0.0.251 is not allowed by access control

destination for 239.255.255.250 is not allowed by access control

destination for 255.255.255.255 is not allowed by access control

destination for 224.0.0.22 is not allowed by access control

After about a minute of this failed traffic, the NetExtender client disconnects. Then the user repeats the process 4-5 times until they connect and are able to pass traffic. When the connection is successful, no such firewall errors are reported and the user can remain connected, passing traffic, all day.

Initially, the users also had trouble maintaining a connection using MobileConnect, but that error appears to have been resolved with a recent hotfix (*) that was supplied by support. This hotfix, however, did not solve the problem with NetExtender. While I'm happy and thankful that support was able to fix the issue with MobileConnect, I'd prefer for the users to use NetExtender for a variety of reasons, so I'm eager to get it working properly. Can anybody lend any insight as to what I might be able to do to prevent the errors outlined above, and thus allow traffic 100% of the time that users connect?

Of note: 

The IP address range that I use for SSLVPN users does not overlap any other networks or ranges on any other interfaces on the Sonicwall.

The configuration didn't change after upgrading from 6.5.4.5-53n to 6.5.4.6-79n. Connections were always successful on 6.5.4.5-53n.

I foolishly assumed that I had a good cloud backup of my configuration on 6.5.4.5-53n, but those cloud backups didn't actually get saved.

We have tried numerous NetExtender versions, including 9.0.0.274, 10.0.0.297, and 10.2.0.300.

Packet captures indicate the same error as the regular logs, which is to say that it suggests that I have a rule in place prohibiting traffic. As far as I can tell, I do not have any such rule. The fact that the users do eventually get a connection that is able to pass traffic seems to support this.

Anyway, I welcome any and all feedback. Thanks in advance.
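A small triage helper, added here as an example and not part of the post or of any SonicWall tooling: it parses "not allowed by access control" lines like the ones above and separates the expected multicast/broadcast denials (mDNS, SSDP, IGMP, limited broadcast, which Windows hosts emit on every interface and which an SSL VPN tunnel never carries) from unicast denials toward the site subnets, which are the actual symptom. The /16 site prefixes and the sample log are assumptions based on the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the post (not real captured logs).
SAMPLE_LOG = """\
destination for 10.2.0.3 is not allowed by access control
destination for 224.0.0.251 is not allowed by access control
destination for 10.1.0.3 is not allowed by access control
destination for 224.0.0.251 is not allowed by access control
destination for 239.255.255.250 is not allowed by access control
destination for 255.255.255.255 is not allowed by access control
destination for 224.0.0.22 is not allowed by access control
"""

# Site subnets from the post; the /16 prefix length is an assumption.
SITE_SUBNETS = [ipaddress.ip_network(f"10.{i}.0.0/16") for i in range(1, 5)]

# Link-local multicast / broadcast that Windows hosts emit on any interface and that
# an SSL VPN tunnel never carries; denials of these are expected background noise.
NOISE = {"224.0.0.251": "mDNS", "239.255.255.250": "SSDP",
         "224.0.0.22": "IGMPv3", "255.255.255.255": "limited broadcast"}

LINE_RE = re.compile(r"destination for (\S+) is not allowed by access control")

def classify(dst: str) -> str:
    """'noise' = multicast/broadcast, 'lan' = a site subnet, 'other' = anything else."""
    addr = ipaddress.ip_address(dst)
    if dst in NOISE or addr.is_multicast or dst == "255.255.255.255":
        return "noise"
    if any(addr in net for net in SITE_SUBNETS):
        return "lan"
    return "other"

def triage(log_text: str) -> dict:
    """Count denials per class; unicast 'lan' denials are the real symptom."""
    counts, lan_denied = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        cls = classify(m.group(1))
        counts[cls] += 1
        if cls == "lan":
            lan_denied[m.group(1)] += 1
    return {"counts": dict(counts), "lan_denied": dict(lan_denied)}
```

Run over a real export, a non-empty `lan_denied` on a session that later authenticates fine points at the tunnel setup rather than at the multicast chatter.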


Answers

  • Hi!

    Have you tried creating an ACL from SSLVPN zone to LAN zone allowing everything?

    This is supposed to be a default rule created by the firewall itself. But you can try and create a new one. Remember to put it at the top.

  • austex_aec Newbie ✭

    Yes, I've created "allow all" rules for SSLVPN to LAN, and for LAN to SSLVPN. The fact that MobileConnect always works, and NetExtender works fine after several attempts seems to suggest that the issue isn't related to an access rule.

    As previously noted, users have to attempt to connect with NetExtender several times before they're successful. Once they're successful, though, then the connection is solid for the entire day.

    Only the unsuccessful attempts lead to the log issues that I noted in the original post.

    I recently noticed a similar conversation in the SonicWall Reddit. At least a couple of other people are experiencing the same thing.

  • You can always open a case with Support.

  • austex_aec Newbie ✭

    Yeah, I've had a case open with support for a few weeks. I was just hoping that somebody here would have experienced and solved the same issue already.
