Is it true SonicWall GVC genuinely cannot support LAN-initiated traffic to a connected GVC client virtual IP?
Remotehost can ping Lanhost, but Lanhost cannot ping the virtual IP of Remotehost.
The tech said: GVC is client-to-server only, LAN can't initiate to a GVC client without site-to-site. Is that a fundamental mischaracterization of IPSec? — SAs are inherently bidirectional. The reason LAN→GVC reverse traffic works in countless other SonicWall deployments is exactly that.
What the packet monitor actually shows is a **routing failure, not a tunnel-direction failure**:
- "in X0, out --, Initiator Route: None / Responder Route: None — dropped before policy"
- That means the firewall did a route lookup for 192.168.3.x (virtual IP), found only the X4 connected route, tried to forward via X4, and there was no usable next hop (link-down → no ARP). It was never an SA/tunnel decision.
Should I push back? Ask them specifically: "Per packet monitor, the drop reason is 'no route', not an SA/policy decision. Why does SonicWall publish an interface-independent DHCP scope option for GVC if LAN→GVC is impossible by design?"
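To make the route-versus-policy distinction in the packet-monitor output concrete, here is an added Python example (not SonicWall's code and not part of the post). It models the two-step behaviour the post infers, a longest-prefix lookup followed by a next-hop check, over a constructed routing table, and then classifies constructed packet-monitor-style lines by the stage at which they were dropped. The line layout, the interface assignments (X0 LAN, X1 WAN, X4 the unused interface owning the 192.168.3.0/24 connected route) and every field beyond the ones the post quotes are assumptions; adjust `LINE_RE` to the real capture format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ---- Part 1: route lookup model ----------------------------------------
# Constructed routing table (assumption). X4 holds the 192.168.3.0/24
# connected route with its link down, which is what the post describes.
@dataclass
class Route:
    prefix: str
    iface: str
    link_up: bool

ROUTES: List[Route] = [
    Route("192.168.1.0/24", "X0", True),   # LAN
    Route("192.168.3.0/24", "X4", False),  # unused interface, link down
    Route("0.0.0.0/0", "X1", True),        # WAN default
]

def best_match(routes: List[Route], dst: str) -> Optional[Route]:
    """Plain longest-prefix match; ignores whether the route is usable."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def route_decision(routes: List[Route], dst: str) -> str:
    """First pick the most specific route, then check it has a usable next hop.
    A connected route on a down interface gives the box nothing to ARP on."""
    r = best_match(routes, dst)
    if r is None:
        return "no route"
    if not r.link_up:
        return f"no next hop: {r.prefix} matched via {r.iface} but {r.iface} is down"
    return f"forward via {r.iface}"

# ---- Part 2: classify packet-monitor style lines ------------------------
# Constructed sample lines modelled on the fields quoted in the post
# ("in X0, out --, Initiator Route: None / Responder Route: None").
SAMPLE_LINES = [
    "192.168.1.10 -> 192.168.3.5 ICMP in X0, out --, Initiator Route: None / Responder Route: None, dropped before policy",
    "192.168.1.10 -> 192.168.3.5 ICMP in X0, out X1, Initiator Route: X1 / Responder Route: X0, dropped: access rule denied",
    "192.168.3.5 -> 192.168.1.10 ICMP in X1, out X0, Initiator Route: X0 / Responder Route: X1, forwarded",
]

LINE_RE = re.compile(
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<proto>\S+) "
    r"in (?P<in_if>[^,\s]+), out (?P<out_if>[^,\s]+), "
    r"Initiator Route: (?P<init_route>[^,\s]+) / Responder Route: (?P<resp_route>[^,\s]+), "
    r"(?P<status>.+)$"
)

@dataclass
class Verdict:
    dst: str
    stage: str    # "route", "policy" or "forwarded"
    detail: str

def classify(line: str) -> Verdict:
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised monitor line: {line!r}")
    status = m["status"]
    if not status.lower().startswith("drop"):
        return Verdict(m["dst"], "forwarded", status)
    # No egress interface and no resolved route: the packet died in the
    # forwarding lookup, before any access rule or IPsec SA was consulted.
    if m["out_if"] == "--" and m["init_route"] == "None":
        return Verdict(m["dst"], "route", "no egress/route resolved; dropped before policy or SA lookup")
    return Verdict(m["dst"], "policy", status)

def stage_counts(lines: List[str]) -> Dict[str, int]:
    """Summarise a capture by drop stage; a capture dominated by 'route'
    points at the routing table, not at the VPN policy or SA."""
    counts: Dict[str, int] = {}
    for v in map(classify, lines):
        counts[v.stage] = counts.get(v.stage, 0) + 1
    return counts

if __name__ == "__main__":
    for dst in ("192.168.3.5", "192.168.1.10", "8.8.8.8"):
        print(f"{dst:15} {route_decision(ROUTES, dst)}")
    for line in SAMPLE_LINES:
        v = classify(line)
        print(f"{v.dst:15} {v.stage:9} {v.detail}")
    print(stage_counts(SAMPLE_LINES))
```

Run stand-alone, the first loop reproduces the post's reading of the monitor: 192.168.3.5 matches the X4 connected route but has no usable next hop, while LAN and WAN destinations forward normally. The classifier then tags the `out --` / `Initiator Route: None` line as a route-stage drop, distinct from a policy-stage drop where an egress interface was resolved first.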