Little Network with Two USG
Hello Community,
I have a little trouble that has been driving me crazy for some days.
I have a test environment that I want to replicate in a customer environment in the future.
I have:
1 Zyxel USG FLEX100
1 Zyxel USG 20 (I know that it is so old and obsolete, but I use it only for a lab environment)
1 Brocade switch, used for the test environment.
My test lab is to create a VLAN (called VLAN33), use the default LAN 192.168.1.x, and configure everything so that I can reach every device in the LAN and VLAN33, and LAN and VLAN33 can communicate.
So, my environment is:
The Zyxel USG FLEX 100 has an IP address on LAN1, 192.168.1.1, and it is the gateway for VLAN33 (IP 192.168.33.1). It is also the DHCP server for VLAN33.
The Zyxel USG 20 has an IP address on LAN1, 192.168.1.2, and has an IP on VLAN33 (192.168.33.18); the gateway is the USG FLEX 100.
The Brocade switch has the IP address 192.168.33.15, works perfectly, and the port is correctly TAGGED/UNTAGGED on the VLAN/LAN.
I have connected the two firewalls to the Brocade switch, and I have connected my PC to one port of the switch, untagged on VLAN33. I can get an IP on VLAN33 (192.168.33.50 in this case) and everything works fine.
On each firewall I have checked the checkbox "Enable Policy Control" (the USG 20, which is old, has only the Voice Firewall).
I left the default Policy Control rule (LAN1_to_Outgoing) and added VLAN33_to_Outgoing on both firewalls.
So, the problem is:
When I connect to VLAN33 through the switch, I can ping the three devices correctly (192.168.1.1, 192.168.1.2 and 192.168.33.15), and I can reach the web page of 192.168.1.1 and 192.168.33.15, BUT I cannot reach the web page of 192.168.1.2.
This is the ping:
And this is the netstat -an when I try to connect to the web page of 192.168.1.2:
BUT after a few tries, IF I disable the Policy Control of 192.168.1.1 (USG FLEX100), leaving the Policy Control of 192.168.1.2 (USG 20) enabled (or disabled, it is the same), I CAN reach the web page. If I enable the Policy Control of the USG FLEX100 again, I again cannot reach the web page of 192.168.1.2….
Guys, what am I missing??
EDIT: This is a log from 192.168.1.1 when I try to reach 192.168.1.2:
All Replies
Usually a triangle route issue if multiple stateful firewalls act as routers in the same subnet.
Enable the “Allow Asymmetrical Route” option on the policy control page, on both the USG20 and the USG FLEX firewall.
0
Hi @Alby_Mat
It should be a triangle route problem, you can enable “Allow Asymmetrical Route” option on USG Flex100 and USG20 to avoid this problem. Thanks.
0
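A simplified model of the triangle route both replies describe, added here as an example (it is not part of the thread and not Zyxel's code). It uses the addresses from the question and assumes that the USG 20 answers the PC directly from its own VLAN33 interface, so the USG FLEX 100 sees only one direction of the TCP handshake; the state machine is an illustrative assumption.

```python
# Simplified model of a stateful firewall on one leg of a triangle route.
# Addresses come from the thread; the state machine is an illustrative
# assumption, not Zyxel's actual implementation.
PC, USG20_LAN = "192.168.33.50", "192.168.1.2"


class StatefulFirewall:
    def __init__(self, allow_asymmetrical=False):
        self.allow_asymmetrical = allow_asymmetrical
        self.state = {}  # (client, server, proto) -> handshake state

    def inspect(self, src, dst, proto, flags=""):
        """Return True if the packet is forwarded, False if dropped."""
        if proto == "icmp":
            return True  # each echo request is a new, self-contained flow
        fwd, rev = (src, dst, proto), (dst, src, proto)
        if flags == "SYN":
            self.state[fwd] = "SYN_SEEN"
            return True
        if flags == "SYN-ACK" and self.state.get(rev) == "SYN_SEEN":
            self.state[rev] = "SYNACK_SEEN"
            return True
        if flags == "ACK":
            if self.state.get(fwd) in ("SYNACK_SEEN", "ESTABLISHED"):
                self.state[fwd] = "ESTABLISHED"
                return True
            # Handshake looks incomplete from this firewall's viewpoint.
            return self.allow_asymmetrical
        return False


def simulate(fw, reply_via_gateway):
    """Walk the PC -> USG 20 exchange; return which steps the gateway passes."""
    result = {"ping": fw.inspect(PC, USG20_LAN, "icmp")}
    result["syn"] = fw.inspect(PC, USG20_LAN, "tcp", "SYN")
    # The USG 20 also has 192.168.33.18 on VLAN33, so its reply to the PC
    # can leave directly on VLAN33 and never cross the gateway.
    if reply_via_gateway:
        fw.inspect(USG20_LAN, PC, "tcp", "SYN-ACK")
    result["ack"] = fw.inspect(PC, USG20_LAN, "tcp", "ACK")
    return result


if __name__ == "__main__":
    print("triangle, strict:", simulate(StatefulFirewall(), False))
    print("triangle, asym  :", simulate(StatefulFirewall(True), False))
    print("symmetric path  :", simulate(StatefulFirewall(), True))
```

In this model the asymmetric setting forwards the ACK without the gateway ever having validated the handshake, while the symmetric case shows that routing the reply back through the gateway passes the same traffic with full state checking.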