- Last updated
- Save as PDF
This article breaks down the troubleshooting steps to take when a user(s) is unable to access resources across a Client VPN tunnel. Some steps include investigating DNS resolution, IP address configuration for VPN, NetBIOS names, etc.
For troubleshooting issues accessing network resources while connected to VPN.
General Troubleshooting
If you are connected to the VPN but cannot access resources, a common cause is due to subnet overlap between the local client network and the network the resource is in. If the local network you are on has the same IP addressas the network you are trying to get to,your request will never make it through the tunnel. To validate this, test with the full tunneling option to see if it makes a difference.
Additionally,end usersmay report that they are unable to map network shares over the client VPN tunnel. This could be potentiallycaused by a layer 7 firewall rule configured to block file sharing. Check the layer 7 firewall rules underSecurity & SD-WAN>Configure > Firewall > Layer 7.
Also, check any group policies that are applied to the target resource to ensurefile sharing is not blocked in the group policy.
Accessing resources overthe tunnelviaIPvs. DNS
If you are unable to access resources via domain name (DNS), try accessing via IP. If you succeed in accessing via IP, it could be a DNS issue. Try to resolve the DNS host name and confirm if the public IP of the MX is being returned. If you are unable to resolve the DNS host name,check the local DNS settings.
Note:It is possible to apply group policies to clients connected via client VPN.If a resource isn't pingable or a particular application isn't working, it would be a good idea to check theclientdetails pageto see if any group policies have beenapplied.For more help on assigning or removing group policies applied to a client, refer to theCreating and Applying Group Policiesdocument.
Note:that Microsoft's Windows firewall typically blocks communication from unknown private subnets by default.
Resolving NetBIOS names over client VPN
Windows hosts utilize NetBIOS-based name resolution to locate Windows file and print shares located on other Windows hosts. A NetBIOS name syntax appears as "MYCOMPUTER" and is normally seen in UNC paths such as \\MYCOMPUTER\myfileshare\.
NetBIOS name resolution is a layer 2 broadcast-based name discovery protocol. Layer 2 broadcasts do not traverse layer 3 boundaries such as the client VPN interface on an MX.
WINS is a service that provides centralized name resolution of NetBIOS hostnames. NetBIOS clients register their hostnames on the WINS server and other NetBIOS clients query the WINS server to resolve NetBIOS names.
To allow hosts that utilize NetBIOS names to find network resources over client VPN, specify the IP address of a WINS server in the client VPN configuration. This is done using theWINSsetting on theSecurity & SD-WAN >Configure > Client VPNpage.
In the screenshot below, the specified WINS server is192.168.1.100:
