Servers not seeing one another through VPN

cderow

Technical User
Jul 13, 2001
216
US
Hello,
Recently, my primary Netware servers in our company headquarters had lost communications with a secondary Netware server in a remote location, then it had picked the connection back up, only to drop it again. This has been going around in circles for a while now. I originally thought it was solved when I changed a couple of server parameters, only to find out that it didn't fix the problem.

I am now suspecting my VPN. My VPN is connecting through a Sonicwall PRO at our headquarters and a Sonicwall SOHO/3 at our remote location. I am able to connect and ping to both firewalls from both locations. However, I cannot ping either server from behind the firewall at either of our locations.
When I try to ping the servers from the Firewall itself, it goes through, no problem. I have checked both firewall logs and they report VPN TCP SYN and VPN TCP FIN errors. I have checked all IP, DNS, and Gateway info as well as the VPN Configuration codes, to find nothing wrong. I am sure there is something I missed, any help is appreciated.
 
. . I cannot ping either server from behind the firewall . . .

Of course you can! Ping always works. May not do what you would like, but the specific message you receive is important in troubleshooting this type of problem. Also try 'tracert xxx.xxx.xxx.xxx' to your servers.

I would suspect either a routing problem, or a problem with the binding of IPX/SPX. Report back the specifics of the ping/tracert. On another related note, are you sure the syn/fin errors are related to your traffic, or are they coming from another host? Possible intrusion/probing attempt?
 
I am sure that the syn/fin errors are related to my traffic. The log in the firewall reports that the IP addresses involved are my servers' IPs. I will report back my findings after running ping and tracert again.
 
I was able to grab the following info by doing a trace route.

Tracing route to [IP Address].client.dsl.net. Over a maximum of 30 hops.
1 200 ms 159ms 168ms [IP Address].client.dsl.net

Ping reported an average of 207ms.

Once again, my connection keeps going in and out, so I am, at some point, able to ping and do trace routes. However, when my servers lose the connection, I cannot ping from my servers. I can, on the other hand, successfully ping from the firewall. That's what I meant by not being able to ping from behind the firewall.

 
Hi all,

I am facing a similar problem.

My VPN connection is going through between 2 machines. (Also, both the machines are in the same physical network.) The client's routing table is getting updated (I can see it using "route print") with the IP address of the server. The client is getting a new IP, fine. But the client is not seeing the internet, and neither is it able to ping the server. I mean, it is not able to ping its new 'default gateway'.

Can anyone give me some pointers? I checked for any other packet filtering or firewall services both on the server and the client side. Nothing. It is a clean and simple VPN between both the machines.

Many thanks in advance.
Vishu
 
cderow

Your problem may be several problems at once. Or not. But since I mentioned it, I will explain. I think that you may have delay issues between the Netware servers. IPX/SPX traffic is more sensitive than TCP/UDP, I have noticed, though Novell people tell me otherwise. I have seen lines that are clean for IP pings and traffic, but totally sporadic for IPX.

The overall speed may have something to do with it. It could be clogging the pipe, causing the remote end to think the line is down, thus causing it to not respond, assuming it even gets the packet to respond to.

Or, it could be due to delay, it could be timing out over IPX, especially if the IPX traffic has to be converted or redirected someplace. Also these 2 could be happening at the same time, aggravating each other.

It could be the VPN endpoints too, they may be overworked, though unlikely.

The tunnel itself may be unstable too. You should try to monitor that while conducting these tests, since a simple continuous ping could show if any or all of these things are happening.

Then again, it could be the servers, they may just need servicing, though unlikely.

Do a whole battery of tests on the line itself from both ends, like speed tests.
Then on the tunnel, like continuous pings to monitor stability.
Then on the servers to see if a NIC is malfunctioning.
Then on 2 other devices on opposite sides of the tunnel. Then on the traffic itself.
If you get no resolution, at least you will have a better understanding of your network and the components therein. Good luck.

You can also hire someone to do this all for you as well, but that costs money that no IT manager wants to spend if you can do it and all they have to pay is salary. Let us know how it goes.
 
Vishuonline

Check your subnets, make sure they do not overlap. Make sure you do not have a class C and a class B. This will cause the result you see. There are other things too, but this one I have seen a lot, and I like to try it first.

If that is not it, try hitting it with a hammer, though it may not fix things right away, it will calm you down to a point where your mind should just come up with the solution. Although the solution is useless now since you smashed it up. Maybe this is not the best way. Try the subnets, that is less violent.
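
The subnet check suggested in the reply above, as an added example that is not part of the original thread: it reports which site networks overlap and whether two hosts with different masks (a class B mask on one side, a class C mask on the other) disagree about the other being on the local link. The site names and all addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing plan (RFC 1918 space, not from the thread).
SITES = {
    "hq_lan": "192.168.0.0/16",      # class B sized mask
    "remote_lan": "192.168.1.0/24",  # class C sized mask, inside hq_lan
    "vpn_pool": "10.10.10.0/24",
}


def find_overlaps(sites):
    """Return sorted (name_a, name_b) pairs whose networks share addresses."""
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    return sorted(
        tuple(sorted((a, b)))
        for a, b in combinations(nets, 2)
        if nets[a].overlaps(nets[b])
    )


def is_on_link(local_ip, local_mask, peer_ip):
    """True if a host with this address and mask treats peer_ip as directly
    reachable on its LAN instead of sending it to the gateway or tunnel."""
    iface = ipaddress.ip_interface(f"{local_ip}/{local_mask}")
    return ipaddress.ip_address(peer_ip) in iface.network


def mask_mismatch(a_ip, a_mask, b_ip, b_mask):
    """True when the two hosts disagree about whether the other is on-link,
    so traffic takes the tunnel in one direction only."""
    return is_on_link(a_ip, a_mask, b_ip) != is_on_link(b_ip, b_mask, a_ip)


if __name__ == "__main__":
    for a, b in find_overlaps(SITES):
        print(f"overlap: {a} ({SITES[a]}) and {b} ({SITES[b]})")
    if mask_mismatch("192.168.0.10", "255.255.0.0",
                     "192.168.1.20", "255.255.255.0"):
        print("mask mismatch: hosts disagree about on-link reachability")
```

An overlap between the two ends of a tunnel means at least one side looks for the peer on its own LAN and never forwards the packet to the VPN gateway.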
 