Cisco Meraki Documentation

Unable to Access Resources When Connected to VPN

This article covers troubleshooting issues with accessing network resources while connected to client VPN.

General Troubleshooting

If you are connected to the VPN but cannot access resources, a common cause is subnet overlap between the local client network and the network the resource is in. If the local network you are on uses the same IP addressing as the network you are trying to reach, your request will never make it through the tunnel. To validate this, test with the full tunneling option to see if it makes a difference.
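
The overlap check described above can be done offline from the client's interface address and the list of VPN-side subnets. The following Python sketch is an added example, not part of the Meraki documentation; the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def _nets(cidrs):
    # strict=False accepts an interface address with its prefix or mask,
    # e.g. "192.168.1.23/24" or "192.168.1.23/255.255.255.0".
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def find_overlaps(local_cidrs, vpn_cidrs):
    """Return (local, vpn) subnet pairs whose address ranges overlap."""
    return [(str(l), str(v))
            for l in _nets(local_cidrs) for v in _nets(vpn_cidrs)
            if l.version == v.version and l.overlaps(v)]

def diagnose_target(target_ip, local_cidrs, vpn_cidrs):
    """Classify a resource IP: 'shadowed', 'tunnel', 'local' or 'neither'."""
    ip = ipaddress.ip_address(target_ip)

    def covered(nets):
        return any(ip.version == n.version and ip in n for n in nets)

    in_local = covered(_nets(local_cidrs))
    in_vpn = covered(_nets(vpn_cidrs))
    if in_local and in_vpn:
        return "shadowed"   # client treats the address as part of its own LAN
    if in_vpn:
        return "tunnel"     # only the VPN-side subnet covers this address
    return "local" if in_local else "neither"

if __name__ == "__main__":
    # Constructed sample values: a home LAN that collides with one VPN-side subnet.
    local = ["192.168.1.23/255.255.255.0"]
    vpn = ["192.168.1.0/24", "10.20.0.0/16"]
    for pair in find_overlaps(local, vpn):
        print("overlap: local %s <-> VPN-side %s" % pair)
    for target in ("192.168.1.100", "10.20.5.9"):
        print(target, "->", diagnose_target(target, local, vpn))
```

A result of `shadowed` for the resource's IP is the overlap condition this section describes; the long-term fix is to renumber one of the two networks so their ranges no longer collide.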

Additionally, end users may report that they are unable to map network shares over the client VPN tunnel. This could be caused by a layer 7 firewall rule configured to block file sharing. Check the layer 7 firewall rules under Security & SD-WAN > Configure > Firewall > Layer 7.

Also, check any group policies that are applied to the target resource to ensure file sharing is not blocked in the group policy.

Accessing resources over the tunnel via IP vs. DNS

If you are unable to access resources via domain name (DNS), try accessing them via IP. If access via IP succeeds, it could be a DNS issue. Try to resolve the DNS host name and confirm if the public IP of the MX is being returned. If you are unable to resolve the DNS host name, check the local DNS settings.

Note: It is possible to apply group policies to clients connected via client VPN. If a resource isn't pingable or a particular application isn't working, it would be a good idea to check the client details page to see if any group policies have been applied. For more help on assigning or removing group policies applied to a client, refer to the Creating and Applying Group Policies document.

Note: Microsoft's Windows Firewall typically blocks communication from unknown private subnets by default.

Resolving NetBIOS names over client VPN

Windows hosts utilize NetBIOS-based name resolution to locate Windows file and print shares located on other Windows hosts. A NetBIOS name looks like "MYCOMPUTER" and is normally seen in UNC paths such as \\MYCOMPUTER\myfileshare\.

NetBIOS name resolution is a layer 2 broadcast-based name discovery protocol. Layer 2 broadcasts do not traverse layer 3 boundaries such as the client VPN interface on an MX.

WINS is a service that provides centralized name resolution of NetBIOS hostnames. NetBIOS clients register their hostnames on the WINS server and other NetBIOS clients query the WINS server to resolve NetBIOS names.

To allow hosts that utilize NetBIOS names to find network resources over client VPN, specify the IP address of a WINS server in the client VPN configuration. This is done using the WINS setting on the Security & SD-WAN > Configure > Client VPN page.

In the screenshot (Netbios.JPG), the specified WINS server is 192.168.1.100.