Issues with some printing over VPN

I manage a spoke-and-hub network of 30-some sites, almost exclusively with SonicWall routers. We recently brought in a new location, which had been using a UniFi gateway.

The new location’s network ended up being on the same subnet as one of our existing locations, so I re-did the existing location on a new subnet (less stuff to change) and updated the VPN. Everything is working fine for them.

I was able to get a VPN going to the new location, but found in the process of installing their printers on a central server that most of their printers would drop offline except for ping (but only over the VPN) for long periods. The printers would still work inside their building, and two would continue to be available over the VPN.

Much troubleshooting was done with the location’s network (Cisco managed switches) and router, which was eventually replaced with another SonicWall, but the issue persists. Before replacing the UniFi router, a 5-port unmanaged switch was placed between it and the rest of the LAN, and one affected printer was connected through it to bypass the rest of the LAN, but it still experienced the same issue.

The affected printers are all Brother units, plus two Epson receipt printers, on Ethernet in the location’s network. No security is set in the printers or the switches. One printer was moved to their wireless network, with no improvement. A Toshiba E-studio and a Zebra label printer have no issues staying connected.

The affected printers are all on static IPs (assigned by the UniFi gateway first, now by the SonicWall), with the same gateway and DNS as the unaffected printers.

I’m at a loss as to what could be going on. It almost seems like there’s something in the VPN connection left over from the previously-conflicting store that’s causing issues, but I’ve cleaned up all the old rules and objects that referenced the IP range.

Edit: Thanks for all the suggestions. I ended up finding a post on Spiceworks with exactly the same issue and a solution. The main switch (an L3 Cisco) needed a default route set to point to the other subnet through the local gateway.

How are the printers configured on the clients trying to print? Are they connecting directly or via a print server? If direct, are they added as TCP/IP ports or for instance WSD printers? I’ve seen WSD printers not work over VPN, but adding them via a TCP/IP port they work right away.

Disable SNMP status on the printer’s port on its properties page.

Right-click the printer, Properties, Ports, Configure Port.

On the server they’re all set as TCP/IP ports. For clients in the building, they’re using WSD or whatever the Brother equivalent is, for the Brother printers.

It is, I never keep it enabled. But it’s not just SNMP traffic, the printers stop responding on port 80 for their internal web servers too.

Well, I would get rid of WSD printing. IMO that is the source of your problem.

This is correct. These types of protocols are UPnP and work using broadcast discovery; they won’t find printers outside their own L2 broadcast domain unless you work in some form of relay/forwarding.

WSD is only being used inside the location, and works fine there. On the server that’s on the other side of the VPN, they’re all using the “Standard TCP/IP Port” setting, RAW protocol on port 9100, SNMP disabled.

Not licensed for it.

Are your remote clients printing direct to the printers or is it spooling on the print server too?

The clients in the building print directly to the printers, inside their network. No interaction with the VPN unless they connect to the application server (RDP) over the VPN and try to print.

You’re getting into a whole different ballgame now! It then comes down to whether the clients are bringing their local printers into the RDP session (redirection) or are using print mappings on the app server itself. That tells you where the print jobs are actually going from/to.

We don’t use redirection, they have to use the printer settings installed on the server. The application they are using on the server needs set printers for most functions so they’d be wasting huge amounts of time setting them over and over any time they get booted or log out and back in.

So all you need to care about is the application server: does the application server print directly to the printers or via a print server, and if via a print server, is it spooling on the server or direct printing?

The application server prints directly to the printers.

It works fine for 8 other locations on VPN hosted on the same server, so it has to be something with the VPN connection or the network in the location, but I think the location’s network has been ruled out.

Just run a packet capture for the IP of the server and the IP of one of the printers on the app server SonicWall and the remote printer SonicWall.

If it’s working sometimes, it might be something to do with the size of the print jobs or something timing out waiting for the print.