Airport time capsule / Sonicwall VPN Compatibility

Ok.. There are definitely issues with the TC. Unfortunately we are given so little in terms of router controls and logging that discovering the problem is near impossible and fixing it more so.

Apple designed the airport routers long before fibre became popular and there are issues for lots of people.

IPv6 can also be part of the problem.. and Cox is well known for having issues with airports.

But the Airport itself also has WAN port issues with some modems and routers. There are just too many variables.. the TC can sit nicely in your network as Wireless Access Point. It will still do Time Machine backup.. although the setup for that can be tricky. The express can still extend.

Main thing is to get your VPN running.

The modem is an AT&T fiber modem (no longer w/ cox). It's an ARRIS BGW210-700

Ok, that "modem" is actually a combination modem and wireless router. If you have the Time Capsule (TC) connected to it by Ethernet AND the TC is still in its default configuration ... a wireless router, you have two routers in series which is known as a "Double NAT" condition. In order for your VPN client to communicate to the Sonicwall VPN, it would have to navigate through both of those routers.

Typically, you would want the downstream router, in this case the TC, to be reconfigured as a bridge. This will disable the TC's NAT service and remove the Double NAT condition. With this done, only the Arris gateway device would require to be configured for the VPN client for opening the appropriate port to use SSL VPN. That should be TCP port 443.

To reconfigure the TC as a bridge, you would use the AirPort Utility, as follows:

• Run the AirPort Utility.
• Select the TC, and then, select Edit.
• Click on the Network tab.
• Change the Router Mode option to: Off (Bridge Mode)
• Click on Update, and allow the TC to restart.

Also, please see additional comments from my network engineer: "The only difference is that instead of blocking request what looks like is happens is after the SonicWALL VPN client sends the ACK to the SonicWALL it responds back and there is no answer form the client when it is behind the Airport for about 80 packets. It eventually starts respond again but cannot connect."

Yes, this would be typical of having the VPN client behind two NAT firewalls. Feel free to pass on what I provided you about the double NAT condition.

What is the make & model of your Cox-provided cable modem? Which exact model is your Time Capsule base station? Finally, what type of VPN service does the connection use between the VPN client and the Sonicwall VPN network appliance: IPSec, GRE, SSL VPN, etc.?

Yes, it should. The Apple base stations, to the best of my knowledge, only had issues with VPNs that used the IPSec security protocol ... which are typically used with L2TP type VPNs ... even though Apple claimed that they do support IPSec as a passthrough device. Regardless, that does not pertain to SSL VPNs that is used by the Sonicwall appliance.

We actually put the ARRIS in Bridge mode so TC gets a public IP on WAN side... should this work?

I would put the ARRIS back to router mode and put the TC in bridge and see if you have the same issue.. If it works that way just stick with it..

The TC can be difficult at times.