
NetExtender on Linux - connection establishes, but no traffic comes in.

thomasuebel Newbie ✭
edited August 2021 in SSL VPN

Hey everyone,

I'm looking for support with the Linux Client of NetExtender.

For our Linux clients the connection with Nx is established successfully, but then data is sent, but none is received. I've checked the list of interfaces and the ppp0 created by Nx comes back as "UNKNOWN". Is this normal behaviour?

FYI: the output was:

    11: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1280 qdisc fq_codel state UNKNOWN group default qlen 3
        link/ppp
        inet 10.46.10.26 peer 192.0.2.1/32 scope global ppp0
           valid_lft forever preferred_lft forever

Just before establishing the connection, syslog shows:

    Aug 20 09:26:36 it-nb4863 NetworkManager[1222]: <info> [1629444396.4903] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/14)
    Aug 20 09:26:36 it-nb4863 pppd[24105]: Connect: ppp0 <--> /dev/pts/1
    Aug 20 09:26:36 it-nb4863 systemd-udevd[24106]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
    Aug 20 09:26:36 it-nb4863 pppd[24105]: local IP address 10.46.10.27
    Aug 20 09:26:36 it-nb4863 pppd[24105]: remote IP address 192.0.2.1
    Aug 20 09:26:36 it-nb4863 NetworkManager[1222]: <info> [1629444396.6455] device (ppp0): state change: unmanaged -> unavailable (reason 'connection-assumed', sys-iface-state: 'external')
    Aug 20 09:26:36 it-nb4863 NetworkManager[1222]: <info> [1629444396.6464] device (ppp0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'external')
    Aug 20 09:26:37 it-nb4863 systemd[2498]: tracker-extract.service: Succeeded.
    Aug 20 09:26:37 it-nb4863 sonicwall-netextender.desktop[18616]: Client IP Address: 10.46.10.27


Our Windows clients seem not to have this issue, so I'm wondering if it's some configuration that we're missing either on our Linux side for the clients or within the VPN?


Best Answers

  • CORRECT ANSWER
    Deuceq Newbie ✭

    Thanks Alberto...Solved the issue. Somewhere on the network an IP that was for SSLVPN was auto assigned somehow to another device. Once that 5th person would connect then IP/conflicts/network issues prevented the connection of anyone else.

  • CORRECT ANSWER
    Deuceq Newbie ✭

    Windows clients seemed to connect fine but Linux would not... Anyone with this issue I would suggest checking for IP conflicts first
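
One way to run the IP-conflict check suggested in the accepted answer, as an added example (not code from the thread or from SonicWall): it scans `ip neigh show` output collected on the LAN for addresses inside the SSL VPN pool that are answered by a MAC other than the VPN gateway's. The pool bounds, the gateway MAC, the idea that the gateway may legitimately answer for pool addresses, and the sample lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: two `ip neigh show` snapshots concatenated (not from the thread).
SAMPLE_NEIGH = """\
10.46.10.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
10.46.10.26 dev eth0 lladdr 00:11:22:33:44:01 STALE
10.46.10.27 dev eth0 lladdr 52:54:00:aa:bb:cc REACHABLE
10.46.10.27 dev eth0 lladdr 00:11:22:33:44:01 STALE
10.46.10.40 dev eth0 lladdr 52:54:00:dd:ee:ff REACHABLE
10.46.10.28 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})\b", re.I)


def parse_neigh(text):
    """Yield (ip, mac) for every neighbour entry that resolved to a MAC."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED / INCOMPLETE entries carry no lladdr
        try:
            yield ipaddress.ip_address(m.group(1)), m.group(3).lower()
        except ValueError:
            continue  # first field was not an IP address


def pool_conflicts(neigh_text, pool_first, pool_last, gateway_macs):
    """Map each pool address to the unexpected MACs seen answering for it."""
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    allowed = {m.lower() for m in gateway_macs}
    seen = defaultdict(set)
    for ip, mac in parse_neigh(neigh_text):
        # Same address family only; mixed v4/v6 comparison raises TypeError.
        if ip.version == first.version and first <= ip <= last:
            seen[ip].add(mac)
    return {str(ip): sorted(macs - allowed)
            for ip, macs in sorted(seen.items()) if macs - allowed}


if __name__ == "__main__":
    # Hypothetical pool range and gateway MAC; replace with your own values.
    hits = pool_conflicts(SAMPLE_NEIGH, "10.46.10.20", "10.46.10.30",
                          ["00:11:22:33:44:01"])
    for ip, macs in hits.items():
        print(f"pool address {ip} is claimed on the LAN by {', '.join(macs)}")
```

Any address it reports should be traced to the device holding it (for example via the DHCP lease table) and excluded from either the DHCP scope or the SSL VPN pool.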

Answers

  • When Nx starts writing the routes this looks somewhat peculiar: (Writing route: 217.110.247.28/<NULL>)

    08/20/2021 11:01:06.410 [routing debug  51994] write_sslvpn_route:Writing route: 217.110.247.28/<NULL>, gw 192.168.1.1, if wlo1, type HOST, isNx false
    08/20/2021 11:01:06.411 [routing debug  51994] write_sslvpn_route:Route setup: /sbin/ip route add 217.110.247.28 via 192.168.1.1 dev wlo1
    08/20/2021 11:01:06.413 [routing debug  51994] write_sslvpn_route:Route cleanup: /sbin/ip route del 217.110.247.28 via 192.168.1.1 dev wlo1
    08/20/2021 11:01:06.414 [routing debug  51994] write_sslvpn_route:Writing route: 192.168.1.1/<NULL>, gw <NULL>, if wlo1, type HOST, isNx false
    08/20/2021 11:01:06.415 [routing debug  51994] write_sslvpn_route:Route setup: /sbin/ip route add 192.168.1.1 dev wlo1
    08/20/2021 11:01:06.417 [routing debug  51994] write_sslvpn_route:Route cleanup: /sbin/ip route del 192.168.1.1 dev wlo1

  • Arkwright All-Knowing Sage ✭✭✭✭
    edited August 2021

    What routes do you actually end up with on the client after connecting?

    Perhaps /<NULL> is just a slightly odd way of logging that it's a /32?


    10.2.817 is working fine for me, BTW.

  • Thanks for your response Arkwright!

    I've checked after connecting with Nx, this is what I get:

    thomas@it-nb4863:~/Downloads/netExtenderClient$ ip route
    default via 10.46.10.11 dev ppp0
    default via 192.168.1.1 dev wlo1 proto dhcp metric 600
    3.120.0.0/14 via 10.46.10.11 dev ppp0
    10.40.4.2 via 10.46.10.11 dev ppp0
    10.41.0.0/16 via 10.46.10.11 dev ppp0
    10.42.0.0/16 via 10.46.10.11 dev ppp0
    10.43.0.0/16 via 10.46.10.11 dev ppp0
    10.44.0.0/16 via 10.46.10.11 dev ppp0
    10.60.0.0/16 via 10.46.10.11 dev ppp0
    10.60.160.31 via 10.46.10.11 dev ppp0
    10.65.0.0/16 via 10.46.10.11 dev ppp0
    10.66.0.0/16 via 10.46.10.11 dev ppp0
    10.177.0.0/16 via 10.46.10.11 dev ppp0
    10.210.0.0/16 via 10.46.10.11 dev ppp0
    13.74.145.179 via 10.46.10.11 dev ppp0
    18.184.230.238 via 10.46.10.11 dev ppp0
    18.195.207.165 via 10.46.10.11 dev ppp0
    18.196.98.61 via 10.46.10.11 dev ppp0
    23.102.36.216 via 10.46.10.11 dev ppp0
    40.112.94.8 via 10.46.10.11 dev ppp0
    52.28.144.127 via 10.46.10.11 dev ppp0
    52.28.173.255 via 10.46.10.11 dev ppp0
    52.29.0.0/16 via 10.46.10.11 dev ppp0
    52.178.183.23 via 10.46.10.11 dev ppp0
    52.236.39.189 via 10.46.10.11 dev ppp0
    54.93.144.191 via 10.46.10.11 dev ppp0
    128.0.0.0/1 via 10.46.10.11 dev ppp0
    138.91.49.184 via 10.46.10.11 dev ppp0
    168.61.81.151 via 10.46.10.11 dev ppp0
    169.254.0.0/16 via 10.46.10.11 dev ppp0
    169.254.0.0/16 dev br-565c9987257e scope link metric 1000 linkdown
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    172.18.0.0/16 dev br-565c9987257e proto kernel scope link src 172.18.0.1 linkdown
    192.0.2.1 dev ppp0 proto kernel scope link src 10.46.10.11
    192.168.1.0/24 via 10.46.10.11 dev ppp0
    192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.145 metric 600
    192.168.1.1 dev wlo1 scope link
    217.110.247.28 via 192.168.1.1 dev wlo1
    thomas@it-nb4863:~/Downloads/netExtenderClient$ ip route show dev wlo1
    default via 192.168.1.1 proto dhcp metric 600
    192.168.1.0/24 proto kernel scope link src 192.168.1.145 metric 600
    192.168.1.1 scope link
    217.110.247.28 via 192.168.1.1


    After disconnecting Nx it gets reset to:


    thomas@it-nb4863:~/Downloads/netExtenderClient$ ip route show dev wlo1
    default via 192.168.1.1 proto dhcp metric 600
    192.168.1.0/24 proto kernel scope link src 192.168.1.145 metric 600
    thomas@it-nb4863:~/Downloads/netExtenderClient$ ip route
    default via 192.168.1.1 dev wlo1 proto dhcp metric 600
    169.254.0.0/16 dev br-565c9987257e scope link metric 1000 linkdown
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1
    172.18.0.0/16 dev br-565c9987257e proto kernel scope link src 172.18.0.1 linkdown
    192.168.1.0/24 dev wlo1 proto kernel scope link src 192.168.1.145 metric 600

  • preston Enthusiast ✭✭

    @thomasuebel, what firmware are you running on the firewall? If it is a Gen 6 appliance, is it on 6.5.4.8-89n?

    If so, make sure the below is enabled in the SSL VPN Server settings


  • Arkwright All-Knowing Sage ✭✭✭✭

    OK, your problem clearly isn't due to a lack of routes then.

    The /<NULL> routes are a red herring too as they've worked fine [I assume they're "failsafe" routes so the client can still reach its default gateway and the firewall it's connected to, after installing all the other routes sent as part of the VPN connection].

  • I'm not quite sure. When Nx is connected, no PING or Traceroute will work. It's not a DNS issue either, because it also doesn't work for IP addresses. I assume "default via 10.46.10.11 dev ppp0" is a tunnel-all via the ppp0 device that Nx creates. So neither VPN IP Addresses nor any outside IP Addresses are reachable. :/

  • nocode Newbie ✭
    edited October 2021

    Has anyone figured this out? I'm running into a similar option once we enabled 2FA on our logins. I'm on the latest Linux version

    NetExtender for Linux - Version 10.2.828

    When I run `route`, the command hangs (I can run `route -n`)


    DNS resolution is fine and my /etc/resolv.conf is being set properly.


    Windows users are fine.

  • Ajishlal Community Legend ✭✭✭✭✭

    Hi @thomasuebel

    Did you try to connect NetExtender in the CLI? If not, please try.

    Please notice that one can invoke NetExtender by the command NetExtender and provide the parameters interactively. Alternatively, the parameters can be supplied in line with appropriate switches: -u (user name) -p (password) -d (domain).

    Invoking NetExtender from the CLI. A successful connection provides a list of remote subnets accessible. Please notice that Control-C terminates an SSL-VPN session.

  • Deuceq Newbie ✭

    Having the same problem also. Mine is affecting both Windows and Linux clients however. Seems as if once over a certain amount of clients have logged in then the internet will no longer work for new clients connecting.

    Initially thought it was limited to our Linux users but one windows user has now come forward also with this issue. They connect fine to the Netextender but have no internet.

    I have tried connecting via CLI still the same issue

  • Alberto Enthusiast ✭✭

    Have you installed Linux "net-tools"?

  • Deuceq Newbie ✭

    Yes I have net-tools installed. Some more information after testing.. It seems as if the first 5 clients to log in to the SonicWall SSL VPN are fine regardless of operating system. We have 15 extra SSLVPN licenses. Everything was working fine until about a month ago now for years. All of a sudden when the 6th person logs into the SSLVPN then they lose all internet connection. Can only ping internally once and then it errors out. Cannot access any website. Cannot ping any website. Once we disconnect from NetExtender then everything is back to normal. Maybe I should open my own case re: this as the further it goes the more complex it gets.

  • Alberto Enthusiast ✭✭
    Which unit do you have? NSA firewall? Updated firmware?
    Only on Linux clients?
    Problems with other clients like Windows, Android?
    

