VPN Split Tunnel traffic Issues

Hi Aaron,

Can you show us the picture of the VPN PPTP policy configurations? Also, verify if the firewall rules are defined for the LAN-VPN communication.

Thanks

I have a rule that allows VPN access to the internet, during initial testing that was an issue. We also have a temporary ANY-ANY-ANY rule for testing, turning it on does not resolve the DNS issues, and actually prevents access from the VPN to the firewall altogether (and still directs internet traffic through the tunnel). 

arghhh!

Hi Aaron,

Does configuring a Masquerading rule as VPN SSL Pool to the internal network help?

Thanks

I'll try setting that up, tonight. I'm working on VPN today and don't wanna accidentally lose remote access by mistake.

Sure, take your time and let us know once you implement the changes.

Thanks

Hi,

No luck. Here is some additional information:

I tried making a masquerading rule VPN_POOL>LAN, with no help. To verify the firewall wasn't blocking anything, I opened up the ANY-ANY-ANY testing rule, still no luck. 

Additionally, I am still having an DNS issue with accessing local resources on the VPN. Previously, in RDC or a ping test, I could type SERVERNAME01 and it would find the machine/drive. Now I must specify SERVERNAME01.DOMAIN.COM in order to access the machine, ping it, resolve DNS, etc. I suspect this is an issue of the DNS server not passing the information back to the VPN client, but the IP is pingable, just not resolvable without the .DOMAIN on the end.  

It's always a good idea to use a picture instead of a description, Aaron.  Did you mean 'VPN Pool (PPTP) -> External'?

Is there a reason you didn't add WINS to the 'Advanced' section in 'Remote Access'?  How does your configuration differ from DNS best practice?

Cheers - Bob

I'll post some screenshots later, sorry about that. I appreciate your help. 

I was not aware of the DNS Best Practice link, I tried following it, but still seeing similar problems. It appeared to be working, but then local machines lost DNS services. I'll have to t-shoot on site, later. 

Thanks,

I had a similar issue that was resolved by setting up masquerading rule for the VPN Pool -> Internal and VPN Pool -> External. As well as firewall rule for the VPN Pool. 

When you need 'VPN Pool -> Internal', it's usually because some Host/Network definitions violate #3 in Rulz.

Cheers - Bob

When you need 'VPN Pool -> Internal', it's usually because some Host/Network definitions violate #3 in Rulz.

Cheers - Bob

So, looking into the DNS issues a bit more here (I reviewed the DNS best practices again)... I'm still struggling to get the domain.com to add to the end of DNS queries while on VPN. 

I've set up the DNS proxy as instructed in the DNS best practices document, but have not changed my internal DNS server to look to the UTM before Google DNS. My current DNS while on the VPN on my workstation shows DNS at my DNS Server, then Google.

Bottom line I'm not getting a "Connection specific DNS suffix."

What can I provide to help you help me?

Have you configured 'Remote Access >> Advanced'?

Cheers - Bob

BAlfson said:

Have you configured 'Remote Access >> Advanced'?

Cheers - Bob

 

Yes. DNS is set the same as my DHCP server settings for DNS, WINS is not configured, and domain name has the appropriate domain. 

Okay, so I seem to have the split-tunnel aspect working, but still have an ongoing DNS issue. 

The split-tunnel "works" but now I am unable to access local resources while on the VPN (while in a split-tunnel configuration). When I am on "split tunnel" - I am unable to ping anything beyond the firewall (but I can access it, check the logs, and see no dropped traffic from the VPN). 

I cannot manually ping my DNS server, DHCP server, only the firewall. Any hail-mary passes here?

If things work correctly after you make a Masq rule like 'VPN Pool -> Internal', then that will prove that you've misconfigured something.  In that case, check #3 through #5 in Rulz.  Any luck with that?

Cheers - Bob

BAlfson said:

If things work correctly after you make a Masq rule like 'VPN Pool -> Internal', then that will prove that you've misconfigured something.  In that case, check #3 through #5 in Rulz.  Any luck with that?

Cheers - Bob

 

I created a Masq rule VPN-->LAN. Still unable to ping internal resources beyond the firewall.

Edit: from the split-tunnel VPN, I cannot even ping the LAN IP of the UTM. Does that provide any info?

That's the first you've mentioned pinging in a way that I've noticed it.  Pinging is regulated on the 'ICMP' tab of 'Firewall'.  The "Any" Service object includes only TCP & UDP, none of the other IP protocols.  Did that resolve your issue?

Cheers - Bob

BAlfson said:

That's the first you've mentioned pinging in a way that I've noticed it.  Pinging is regulated on the 'ICMP' tab of 'Firewall'.  The "Any" Service object includes only TCP & UDP, none of the other IP protocols.  Did that resolve your issue?

Cheers - Bob

 

Here's my ICMP config. Let me know if you see anything that would cause issues. Pinging works fine on the full-tunnel, just not on a split tunnel. On a split tunnel, all the traffic stops at the Firewall and cannot access VPN resources. 

Does doing #1 in Rulz give you any clues?

Cheers - Bob