SSL VPN NetBIOS issues
Hi everyone,
I know I'm coming back to a common issue but I can't find any solution to my problem.
All I want is to be able to use an SMB network share over an SSL VPN (USG Flex 100). I can reach it by using the IP address but not the machine name.
As advised on this forum I used Wireshark to see if the name resolution is correct and yes it is: the machine I try to reach gives its IP back correctly.
In my test, the machine name is "secretariat" and its IP address is "192.168.2.34".
So \\192.168.2.34 works but not \\secretariat. Error code is 0x80004005 (unspecified error).
Any idea of what goes wrong?
Thanks a lot
Sébastien
All Replies
I think you can reference this similar thread
https://businessforum.zyxel.com/discussion/4816/resolving-lan-hostnames-when-connected-in-host-to-host-vpn
Enable NetBIOS broadcast over SSL VPN Tunnel, so the scenario could work.
Hi Jeremylin,
Thank you for your answer.
This thread doesn't answer my question but yes it is the same exact problem but in my case it's about SSL VPN not IPSec.
NetBIOS broadcast is enabled and the destination machine is well resolved (see the packets captured by wireshark).
On premise I can reach the machine by its name (\\secretariat) but not over the VPN, even though I receive a packet with the right destination IP address. And \\to-the-ip works!
Any idea?
Sébastien
@sebastian
Firmware v4.39
Topology: PC1(192.168.10.36)----USG----SSL VPN----PC2(10.214.48.65)
On SSL VPN page, select Zywall as DNS server, and check NetBIOS broadcast over SSL VPN Tunnel.
Go to DNS to create a PTR-Record: PC hostname with IP address.
After the tunnel is built up, enter \\PC1_hostname on PC2.
@Zyxel_Charlie,
I agree with you but this is just a workaround to this issue. I don't want to use fixed IPs to avoid conflicts and your solution forces me to do that. There are a lot of machines sharing content over the LAN which should be reachable by their respective names without the use of a DNS, just as it works inside the LAN. Why doesn't it work with a well-configured USG? See my packet capture, I receive the right IP address (NetBIOS protocol) but it doesn't work.
I just configured an OpenVPN connection on a customer machine and it works just as if he was on the LAN. Open source software works but not Zyxel hardware; this is sad because it should be better.
Could it be a SecuExtender bug? SMBv3 restrictions (computers are Windows 10 clients)?
Regards,
Sébastien
I think you need to build a Win Server, since the netbios broadcast traffic will not pass through a vpn, so you would need to switch to NetBIOS over TCP.
The topic has been discussed numerous times on the internet, you can check this article.
https://community.cisco.com/t5/vpn/netbios-over-vpn/td-p/1192539
"since the netbios broadcast traffic will not pass through a vpn"
Why is there an option which is called "NetBIOS broadcast over SSL VPN tunnel" then?
The wireshark packet capture (see my first post) shows that I can get the destination IP so the broadcast works, am I wrong on that point? I would understand if I got no response or an error but yes the name is well resolved.
I've read the article talking about this, and I can confirm that NetBIOS over TCP is active.
Regards,
Sébastien
@sebastian
FW: v4.60
PC1(192.168.1.34)----USG----SSL VPN----PC2(10.214.48.65)
On SSL VPN page, check NetBIOS broadcast over SSL VPN Tunnel.
Configure SUBNET on assign IP pool.
After the tunnel is built up, enter \\PC1_hostname on PC2, and it's working.
Packet capture on Lan interface
You would notice that first, you need to configure Subnet on Assign IP Pool. Second, type
"net use * /del /y" on cmd to clean the patch cache, and skip the special character of hostname.
If the scenario still fails, you may build the Win Server which Jeremylin mentioned.
Hi Zyxel_Charlie,
Sorry for the delay, time is going too fast! And thank you for trying to resolve this case.
My configuration seems correct, please have a look.
NetBIOS broadcast works because I can capture the packets with Wireshark as you can see in the screen capture in my first post. And I get something very similar to you when capturing the name query and name query response.
I will try setting up an L2TP/IPSec connection, maybe it will work.
Thanks
Sebastien
Hello, I have a similar issue.
When connecting through VPN SSL, I can reach a PC's share like \\server, but with any machine I try to connect to via RDP the FQDN name doesn't work; I get an "impossible to connect" error, while using RDP with the IP works well.

When you connect RDP with FQDN, it will go for DNS resolve instead of NBNS query. You may check if the client can resolve FQDN from given DNS server.
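
Added example, not written by any poster in this thread or by Zyxel: the NBNS name query and positive name query response that the Wireshark captures discussed above show, built and decoded per RFC 1001/1002. The response bytes, transaction ID and TTL are constructed for illustration, using the host name and address from the first post.

```python
import ipaddress
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001
SERVER_SUFFIX = 0x20  # 16th name byte: Server (file sharing) service

def encode_name(name: str, suffix: int = SERVER_SUFFIX) -> bytes:
    """RFC 1001 first-level encoding: 15 padded chars + suffix, 2 letters per byte."""
    if not 0 < len(name) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    pairs = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + pairs + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Broadcast name query: flags 0x0110 = recursion desired + broadcast."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)

def parse_response(packet: bytes, txid: int) -> list[str]:
    """Return the IPv4 addresses carried by a positive name query response."""
    if len(packet) < 12:
        raise ValueError("truncated NBNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    if flags & 0x000F or ancount == 0:
        return []  # negative response: RCODE set or no answer record
    off = 12 + 34  # header, then the 34-byte encoded name
    if len(packet) < off + 10:
        raise ValueError("truncated answer record")
    rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", packet[off:off + 10])
    rdata = packet[off + 10:off + 10 + rdlen]
    if rtype != NB_TYPE or len(rdata) != rdlen or rdlen % 6:
        raise ValueError("malformed NB record")
    # Each entry is 2 bytes of NB_FLAGS followed by a 4-byte IPv4 address.
    return [str(ipaddress.IPv4Address(rdata[i + 2:i + 6])) for i in range(0, rdlen, 6)]

# Constructed sample: positive response for the name and address in the first post.
TXID = 0x1A2B
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", TXID, 0x8500, 0, 1, 0, 0)
    + encode_name("secretariat")
    + struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300000, 6)
    + struct.pack(">H", 0x0000) + ipaddress.IPv4Address("192.168.2.34").packed
)

if __name__ == "__main__":
    print(len(build_query("secretariat", TXID)), parse_response(SAMPLE_RESPONSE, TXID))
```

A decoded address only confirms that the name query was answered; the SMB or RDP connection that follows is a separate TCP session to that address.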