site to site VPN issues


  • site to site VPN issues

    We have two offices, these are connected via a site to site VPN that has been up and working for years. Just recently users began having issues connecting from the US office to servers in the Israel office. We first noticed it when having issues connecting to a web URL that is in the Israel office.

    We can connect to the url from home or from a phone but not from inside our US office, then it times out. However we found that if we are in the US office and connect to the VPN to the US office the web to this site connects fine. If the VPN is disconnected the connection to this url is gone.

    The VPN uses the same gateway, the same DNS servers, it is on the same internal network. I can resolve by IP using nslookup the server, I can ping the server, but from my office I cannot connect to it. We have rebooted both firewalls (in each office) and still it will not connect.

    Any ideas on what might be blocking it? I feel like we have tried everything (but I'm guessing that is not true).

    Thanks,

    Vuotto

  • #2
    Re: site to site VPN issues

    check some tracert thru the tunnel and see if something changed.

    sounds very DNSish, but you say it's resolving fine. what about an nslookup with server equal to the VPN DNS server, then try to resolve host name. are you trying to connect via host name/URL or via an IP? try to connect via IP instead...
    it's easier to beg forgiveness than ask permission.
    Give karma where karma is due...


    • #3
      Re: site to site VPN issues

      Have you compared the DNS server setup in the Israel Office with that of the DNS server in your US office?

      Have you restarted the DNS service on the US office since the issue began?
      A recent poll suggests that 6 out of 7 dwarfs are not happy


      • #4
        Re: site to site VPN issues

        I just restarted the DNS server, so DNS services have just restarted. We're actually seeing this same issue whether we try by using the URL or the IP, which makes me think maybe it is a protocol or port issue. The strange thing is we had 1 laptop in the office that was working the whole time and never had the issue at all even though it is going through the same gateway.

        Since this web site is available on the internet and works fine there should it matter if the DNS in the other office is different?


        • #5
          Re: site to site VPN issues

          I recently had an issue where all clients on a network were unable to connect to the Internet, but on one client it could connect to, and navigate just one web site. Running ipconfig /flushdns caused that (cached) site to be removed. Restarting the DNS server fixed it.

          A year or so ago we experienced a problem where some web sites were accessible but others were not. I had to add our ISP's DNS servers' IP addresses in the forwarders section of the local DNS server's configuration before those few web sites were accessible again.

          Sometimes comparing the settings/records can help determine what the issue may be.
          A recent poll suggests that 6 out of 7 dwarfs are not happy


          • #6
            Re: site to site VPN issues

            I found no changes with DNS, WINS or firewall status in either of our offices, then after the weekend, when I came to the office on Monday, it worked fine. It was working fine all day long on Monday and now, on Tuesday, it is back to the same. I can only get to http:// sites in the other office if I am using VPN. Without VPN I can only get to non-http sources there. Without VPN and outside of the office I can get to these http pages fine.

            I'm wondering if something is different between VPN and LAN inside. Both use the same gateway and the same DNS, both give IPs from the same DHCP server. Why is one blocking http to this location and the other is not? I'm doing a capture with Wireshark and on the VPN connection I just see encapsulated data and compressed data, I don't see the http traffic. Could it be that something blocks http and when it is encapsulated via VPN it does not see the protocol?


            • #7
              Re: site to site VPN issues

              It does the same whether I use IP or host name. If I run nslookup via IP or name it resolves fine. If I run tracert on VPN I go to the VPN server, then to the gateway, then it times out, and the next line takes me to the server.
              Without VPN my tracert goes directly to the gateway, then times out, and then on the next line it hits the server.


              • #8
                Re: site to site VPN issues

                Something must be triggering it. Something is happening to turn resolution off. Do you have any software or an appliance that is designed to block access to web sites if a threat is detected?

                The network I use is very simple so I don't have experience of an environment like yours. However, there must be a trigger causing this.

                Does the laptop that was not affected use the same security software?

                I'm just clutching at straws here.

                Earlier you said it was just a web site that was hosted at your Israeli office that was affected, but now it appears to affect all http traffic - is that right?

                Have you tried disabling IPv6?

                When the site is not accessible on a client, try running ipconfig /displaydns to see if an entry exists on that client. Also, have you tried ipconfig /flushdns?

                Perhaps the DNSCache is somehow stale or corrupted. I don't know how much you know about this but it may be worth reading up on it with a view to adjusting the settings.
                A recent poll suggests that 6 out of 7 dwarfs are not happy


                • #9
                  Re: site to site VPN issues

                  I've tried flushing DNS on the DNS server and on the client. It is http:// but only to our other office. Http anywhere else works fine. I think it is possible that for some reason the firewall is viewing this traffic as a threat and shutting down access, either their firewall or ours. I'm looking through the logs to see if I can come up with any errors.


                  • #10
                    Re: site to site VPN issues

                    If you are unable to determine the issue you should explain exactly how the web site on the Israeli site is set up, how your VPN is set up both on the client and the server, the security devices/software you use and how your Internet access is configured. Is it a standard DNS setup? Are proxies involved? etc etc
                    A recent poll suggests that 6 out of 7 dwarfs are not happy
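
The checks suggested across this thread (query a specific DNS server, then test by IP rather than by name, then compare ICMP with the web port) can be run in one pass. The script below is an added example and not part of any post above; the host name and DNS server addresses are constructed placeholders to replace with your own. Run it once from the office LAN and once with the VPN client connected, then compare the two tables.

```powershell
# Added example: placeholder values, replace with your own.
$HostName   = 'intranet.example.test'        # site hosted in the remote office (placeholder)
$DnsServers = '192.0.2.53', '198.51.100.53'  # local and remote-office DNS servers (placeholders)
$Port       = 80

# 1. Ask each DNS server directly, like "nslookup <name> <server>".
$answers = foreach ($server in $DnsServers) {
    try {
        Resolve-DnsName -Name $HostName -Server $server -Type A -DnsOnly -ErrorAction Stop |
            Where-Object { $_.IPAddress } |
            ForEach-Object { [pscustomobject]@{ Server = $server; Address = $_.IPAddress } }
    } catch {
        # No answer from this server: record it so the gap is visible in the table.
        [pscustomobject]@{ Server = $server; Address = $null }
    }
}
$answers | Format-Table -AutoSize

# 2. Test every distinct address by IP, so DNS is out of the picture.
#    ICMP and TCP are checked separately because ping can pass while the port is filtered.
$addresses = $answers.Address | Where-Object { $_ } | Sort-Object -Unique
$results = foreach ($ip in $addresses) {
    $tcp  = Test-NetConnection -ComputerName $ip -Port $Port -WarningAction SilentlyContinue
    $ping = Test-Connection -ComputerName $ip -Count 2 -Quiet
    $verdict = if ($tcp.TcpTestSucceeded) {
        'TCP connects: look at the web server / HTTP layer'
    } elseif ($ping) {
        'Ping passes, TCP port does not: port or protocol filtered on the path'
    } else {
        'Neither ICMP nor TCP: routing or tunnel problem'
    }
    [pscustomobject]@{
        Address   = $ip
        Interface = $tcp.InterfaceAlias   # shows whether LAN or VPN adapter was used
        Ping      = $ping
        Tcp       = $tcp.TcpTestSucceeded
        Verdict   = $verdict
    }
}
$results | Format-Table -AutoSize -Wrap
```

If both DNS servers return the same address and the only difference between the LAN run and the VPN run is the `Tcp` column, name resolution is not the cause and the firewall logs for that destination and port are the next place to look.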
