GVC

Troubleshooting Common Issues with Global VPN Client (GVC)

GVC Troubleshooting has three areas of focus:

o IKE negotiation
o Does the tunnel pass traffic?
o Are firewall rules configured properly?

IKE Negotiation
Automatic transfer of the Group VPN policy to the client eliminates most user entry errors, and authentication
errors are obvious. All that remains is to validate that the SonicWALL WAN IP address is configured as the gateway
on Global VPN Client, that the Group VPN SA is enabled, and that no network problems are stopping the IKE UDP 500
traffic. Check the following areas to ensure the required network traffic is able to pass between the Global
VPN Client and the SonicWALL:
1. On the SonicWALL, verify DHCP over VPN is configured correctly on the VPN > DHCP over VPN
page.
2. It may be necessary to explicitly open the following services on an upstream firewall or router inbound
to the IP address of the GVC user:
o IKE: UDP 500
o IPSec ESP: IP Protocol 50 (IPSec Pass Through on many devices)
3. In some cases, the IPSec Pass Through feature on an upstream router may interfere with the
discovery process used to determine the need for NAT Traversal. Disable this feature on the
upstream device and try again.
4. On Global VPN Client, select File > Properties > Peers, click Edit for your SonicWALL's WAN IP
address, force NAT Traversal active and try making the connection. If this does not work, force NAT
Traversal inactive and try again.
5. Verify your ISP is not blocking IPSec. Some ISPs block IPSec for residential class service.

Tunnel Passing Traffic


The tunnel can pass traffic if the SonicWALL Virtual Adapter can receive a LAN IP address. Typical
implementations use Virtual LAN IP, but WiFiSec may not. Check the following areas if Global VPN Client
connects, but no traffic passes over the tunnel:

o If any software firewalls or security suites are enabled on the computer running GVC, ensure they are
  configured to permit execution of Global VPN Client and that IPSec (Protocol 50), IKE (UDP 500) and
  UDP 4500 traffic is allowed inbound. As a short term test, try disabling such software and attempt the
  GVC connection. If it works, the issue can be isolated to the additional security software.
o The issue may actually involve an inability of Global VPN Client to obtain an IP address using DHCP
  over VPN. See the Virtual IP Issues technical note for details.
o Verify your ISP is not blocking IPSec. It may be possible to establish the IKE (UDP 500) connection,
  yet the actual IPSec traffic may still be blocked. Check with your ISP to make sure IPSec (IP Protocol
  50) or IPSec Encapsulation (UDP 4500) are supported. Some ISPs block IPSec for residential class
  service.
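
To separate an IKE failure from a tunnel failure in a capture taken on the GVC computer, the following added example (not part of the original note and not SonicWALL code) labels packets by the ports and protocols listed above and reports which stage to investigate. The function names, the tuple layout and the sample packets are assumptions constructed for illustration; header layouts follow RFC 2408 and RFC 3948.

```python
import struct

# IKEv1 exchange types from RFC 2408 / RFC 2409.
EXCHANGES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}

def parse_isakmp(data):
    """Return 'ike-<exchange>' for a plausible IKEv1 header, else 'malformed'."""
    if len(data) < 28:
        return "malformed"
    _ic, _rc, _np, ver, xchg, _fl, _mid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if ver >> 4 != 1 or length < 28:
        return "malformed"
    return "ike-" + EXCHANGES.get(xchg, "unknown")

def classify(ip_proto, port, payload):
    """Label one captured packet by the VPN traffic type it carries."""
    if ip_proto == 50:
        return "esp"                          # native ESP, no NAT Traversal
    if ip_proto != 17:
        return "other"
    if port == 500:
        return parse_isakmp(payload)
    if port == 4500:
        if payload == b"\xff":
            return "natt-keepalive"           # RFC 3948 one-byte keepalive
        if len(payload) < 4:
            return "malformed"
        if payload[:4] == b"\x00" * 4:
            return parse_isakmp(payload[4:])  # non-ESP marker precedes IKE
        return "esp-in-udp"                   # non-zero SPI: encapsulated ESP
    return "other"

def triage(packets):
    """packets: (direction, ip_proto, port, payload) tuples, direction 'in'/'out'."""
    inbound = {classify(p, port, data) for d, p, port, data in packets if d == "in"}
    if not any(k.startswith("ike-") for k in inbound):
        return "no IKE reply: check gateway IP, GroupVPN enabled, UDP 500 upstream"
    if not inbound & {"esp", "esp-in-udp"}:
        return "IKE answered, no IPSec inbound: check protocol 50 / UDP 4500 filtering"
    return "IPSec arriving: check DHCP over VPN, access rules, VPN Access"

def ike(xchg):
    """Constructed 28-byte ISAKMP header (sample data only, not a capture)."""
    return struct.pack("!8s8sBBBBII", b"A" * 8, b"B" * 8, 1, 0x10, xchg, 0, 0, 28)

# Constructed capture: IKE completes over UDP 500, ESP only ever leaves the client.
SAMPLE = [("out", 17, 500, ike(2)), ("in", 17, 500, ike(2)),
          ("in", 17, 500, ike(32)), ("out", 50, 0, b"\x12\x34\x56\x78" + b"\x00" * 16)]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A capture with no tunnel traffic being generated will also show no inbound ESP, so send traffic toward a LAN host while capturing.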

Firewall Access Rules and VPN Access Restrictions


In SonicOS Enhanced, firewall access rules are applied to VPN traffic. Follow these steps to check, and
adjust if necessary, the rules affecting VPN traffic:
1. Select Firewall > Access Rules.
2. Select the intersection from the VPN to the LAN zone.
3. Check for a rule allowing this traffic. Create or edit this rule as needed.
4. Select the intersection from the LAN to the VPN zone.
5. Check for a rule allowing this traffic. Create or edit this rule as needed.

SonicOS Enhanced also provides the facility to permit or restrict VPN client access to your network for
specific users or groups of users. Follow these steps to check, and modify if necessary, the users and groups
permitted on your LAN:
1. Select Users > Local Users or Users > Local Groups.
2. Click the edit icon for the user or group in question.
3. Select the VPN Access tab.
4. Modify the allowed address group, network or range objects representing the network segments to
which the VPN client users are permitted access.
5. Click OK.

Additional Troubleshooting Steps


If you are continuing to experience trouble at this point, check these additional areas:

o Ensure your SonicWALL is licensed for GVC and VPN in mysonicwall.com. You may not yet have a
  Global VPN Client license. For example, a TZ 170 10 node appliance is not supplied with a global
  VPN client license out of the box. It would be necessary to purchase a license in order to be able to
  use a GVC connection. You may check the licensing on your SonicWALL under the Security Services
  > Summary page, or log into your mysonicwall.com account.
o Make sure the SonicWALL appliance is synchronized with mysonicwall.com. You can synchronize
  your SonicWALL by clicking on the Synchronize button on the Security Services > Summary page.
o Check to be certain VPN support is enabled on the firewall. This should no longer represent a
  common issue, especially on appliances running SonicOS Enhanced or Standard firmware. Select
  Security Services > Summary and make sure VPN is licensed.
o Select VPN > Settings and make sure the GroupVPN policy is enabled on the SonicWALL.
o The SafeNet client should not be installed alongside Global VPN Client on the same computer.
o Make sure the operating system on the computer and the SonicWALL meet the basic requirements to
  run the Global VPN Client. The computer must be running Windows 2000 or XP. The firmware on the
  SonicWALL must be version 6.4.2.0 or higher, SonicOS Enhanced or SonicOS Standard.
o If GVC is attempting to reach host names, enable NetBIOS (Windows Networking) support on the
  Advanced tab of the GroupVPN policy.