VPN Split Tunnel Traffic Issues

Hi all-

Hoping for some help with an ASG320 running UTM9 9.3x software. Recent setup, running VPN remote access PPTP in a Windows environment.

The current setup is using the UTM9 as a firewall/network protection. VPN currently works, but I cannot get split tunnel traffic to work correctly. When connected to the VPN, in a non-split tunnel environment, I get a default gateway on the VPN connection of 0.0.0.0 and everything seems to work (RDC, local domain DNS resolution before reaching external; DNS is being handled by a Windows DNS server). When I run split, I'm not getting assigned a default gateway at all on the VPN connection, and cannot access network (VPN) resources. Currently, I have the UTM9 pointing DNS to my DNS server, then to Google as a secondary (even though my DNS server reaches to Google for DNS if internal cannot be resolved).

The only reason I point to the UTM9 first is that this identical setup worked prior to being migrated to a new site with the UTM9 as a firewall device. Is there a default gateway setting I'm missing somewhere?


Cheers,

  • Hi Aaron,

    Can you show us the picture of the VPN PPTP policy configurations? Also, verify if the firewall rules are defined for the LAN-VPN communication.

    Thanks

  • In reply to sachingurung:


    I have a rule that allows VPN access to the internet; during initial testing that was an issue. We also have a temporary ANY-ANY-ANY rule for testing. Turning it on does not resolve the DNS issues, and actually prevents access from the VPN to the firewall altogether (and still directs internet traffic through the tunnel).


    arghhh!

  • In reply to Aaron Becker:

    Hi Aaron,

    Does configuring a Masquerading rule as VPN SSL Pool to the internal network help?

    Thanks

  • In reply to sachingurung:

    I'll try setting that up, tonight. I'm working on VPN today and don't wanna accidentally lose remote access by mistake.

  • In reply to Aaron Becker:

    Sure, take your time and let us know once you implement the changes.

    Thanks

  • In reply to sachingurung:

    Hi,

    No luck. Here is some additional information:

    I tried making a masquerading rule VPN_POOL>LAN, with no help. To verify the firewall wasn't blocking anything, I opened up the ANY-ANY-ANY testing rule, still no luck. 

    Additionally, I am still having a DNS issue with accessing local resources on the VPN. Previously, in RDC or a ping test, I could type SERVERNAME01 and it would find the machine/drive. Now I must specify SERVERNAME01.DOMAIN.COM in order to access the machine, ping it, resolve DNS, etc. I suspect this is an issue of the DNS server not passing the information back to the VPN client, but the IP is pingable, just not resolvable without the .DOMAIN on the end.

  • In reply to Aaron Becker:

    It's always a good idea to use a picture instead of a description, Aaron. Did you mean 'VPN Pool (PPTP) -> External'?

    Is there a reason you didn't add WINS to the 'Advanced' section in 'Remote Access'? How does your configuration differ from DNS best practice?

    Cheers - Bob

  • In reply to BAlfson:

    I'll post some screenshots later, sorry about that. I appreciate your help. 

    I was not aware of the DNS Best Practice link. I tried following it, but I'm still seeing similar problems. It appeared to be working, but then local machines lost DNS services. I'll have to troubleshoot on site, later.

    Thanks,

  • In reply to Aaron Becker:

    I had a similar issue that was resolved by setting up masquerading rule for the VPN Pool -> Internal and VPN Pool -> External. As well as firewall rule for the VPN Pool. 

  • In reply to Ibrahim Jabado:

    When you need 'VPN Pool -> Internal', it's usually because some Host/Network definitions violate #3 in Rulz.

    Cheers - Bob

  • In reply to BAlfson:

    So, looking into the DNS issues a bit more here (I reviewed the DNS best practices again)... I'm still struggling to get the domain.com to add to the end of DNS queries while on VPN. 

    I've set up the DNS proxy as instructed in the DNS best practices document, but have not changed my internal DNS server to look to the UTM before Google DNS. My current DNS while on the VPN on my workstation shows DNS at my DNS Server, then Google.

    Bottom line I'm not getting a "Connection specific DNS suffix."

    What can I provide to help you help me?

  • In reply to Aaron Becker:

    Have you configured 'Remote Access >> Advanced'?

    Cheers - Bob

  • In reply to BAlfson:

    BAlfson

    Have you configured 'Remote Access >> Advanced'?

    Cheers - Bob


    Yes. DNS is set the same as my DHCP server settings for DNS, WINS is not configured, and domain name has the appropriate domain. 

  • In reply to Aaron Becker:

    Okay, so I seem to have the split-tunnel aspect working, but still have an ongoing DNS issue. 

    The split-tunnel "works" but now I am unable to access local resources while on the VPN (while in a split-tunnel configuration). When I am on "split tunnel" - I am unable to ping anything beyond the firewall (but I can access it, check the logs, and see no dropped traffic from the VPN). 

    I cannot manually ping my DNS server, DHCP server, only the firewall. Any hail-mary passes here?

  • In reply to Aaron Becker:

    If things work correctly after you make a Masq rule like 'VPN Pool -> Internal', then that will prove that you've misconfigured something. In that case, check #3 through #5 in Rulz. Any luck with that?

    Cheers - Bob
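Editor's added example, not posted by anyone in the thread above: a PowerShell check for the client side of the split-tunnel problem described in this thread. With "Use default gateway on remote network" cleared, a Windows PPTP client gets no 0.0.0.0 route over the tunnel and only a class-based route for the network the assigned pool address falls in, and PPTP has no way to push additional routes from the server. If the internal LAN is not in that network, the client has no route to it, which matches the "can reach the firewall but nothing behind it" symptom; the UTM-side masquerading and firewall rules discussed above do not change that. The connection name, the LAN prefixes and the DNS suffix in the script are placeholders the reader must replace. PPTP with MS-CHAPv2 is a weak protocol in its own right; this script only addresses routing and name resolution.

```powershell
# Added example (editor's code, not from the thread). Run on the Windows VPN client,
# in an elevated PowerShell (Windows 8.1/10/11; uses the VpnClient, NetTCPIP and
# DnsClient modules). The three values below are assumed placeholders.
param(
    [string]$Conn      = 'Office VPN',                          # name of the PPTP connection in Windows
    [string[]]$LanNets = @('192.168.10.0/24', '192.168.20.0/24'), # internal subnets behind the UTM
    [string]$Suffix    = 'domain.com'                           # AD DNS suffix for short names
)

# 1. Confirm the connection exists and whether split tunnelling is on.
#    SplitTunneling=$true is the "Use default gateway on remote network" box cleared.
$vpn = Get-VpnConnection -Name $Conn -ErrorAction Stop
"$($vpn.Name): SplitTunneling=$($vpn.SplitTunneling) Status=$($vpn.ConnectionStatus)"

# 2. In split-tunnel mode Windows installs no default route via the tunnel, only a
#    class-based route for the pool's network. Add explicit routes for each internal
#    subnet so LAN traffic enters the tunnel; skip any route already present.
foreach ($net in $LanNets) {
    if (-not ($vpn.Routes | Where-Object DestinationPrefix -eq $net)) {
        Add-VpnConnectionRoute -ConnectionName $Conn -DestinationPrefix $net
        "added route $net via $Conn"
    }
}

# 3. While connected, show what actually landed in the routing table and make sure
#    the tunnel interface carries a connection-specific DNS suffix, so that a short
#    name like SERVERNAME01 is tried as SERVERNAME01.domain.com.
if ($vpn.ConnectionStatus -eq 'Connected') {
    # A RAS/PPTP connection's interface alias is the connection name.
    $if = Get-NetIPInterface -InterfaceAlias $Conn -AddressFamily IPv4
    Get-NetRoute -InterfaceIndex $if.ifIndex -AddressFamily IPv4 |
        Select-Object DestinationPrefix, NextHop, RouteMetric | Format-Table -AutoSize

    $dns = Get-DnsClient -InterfaceAlias $Conn
    if (-not $dns.ConnectionSpecificSuffix) {
        Set-DnsClient -InterfaceAlias $Conn -ConnectionSpecificSuffix $Suffix
        "set connection-specific suffix $Suffix on $Conn"
    }
    # Which resolvers the tunnel handed out (should be the internal Windows DNS server first).
    Get-DnsClientServerAddress -InterfaceAlias $Conn -AddressFamily IPv4

    # Prove the short name now resolves; a failure here with the FQDN working means
    # the suffix is still not being applied to this interface.
    Resolve-DnsName -Name 'SERVERNAME01' -Type A -ErrorAction Continue
}
```

Run it once before connecting (steps 1 and 2 persist in the connection's phonebook entry, so the routes are re-added on every dial) and once after connecting to read the route table and DNS state. The suffix set in step 3 is a client-side workaround for diagnosis; the durable fix is the domain name under Remote Access >> Advanced on the UTM, which is what the thread's last exchange is about. If the routes show up but hosts behind the UTM still do not answer, the problem is on the UTM side (firewall rule for the VPN pool, or the masquerading question raised above), not on the client.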