VPN - Ping Troubleshooting

Jeff_ATS Posts: 8
edited April 2023 in Security

My L2TP VPN is up and running fine, I can connect to everything I need on the host network (192.168.1.0). I use a LAN Messenger that cannot see the client network 192.168.20.0.

I can ping from my client 192.168.20.220 to the host network without issues, but not the other way.

I do notice that my client shows a gateway of 0.0.0.0

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hi @Jeff_ATS

    Welcome to the Zyxel community. We're here to assist you with the issue you're experiencing. To better understand your situation, could you kindly provide us with the following information:

    1. Is your main problem that L2TP VPN clients are unable to access the LAN domain 192.168.20.X?
    2. What are the IP ranges for LAN1, LAN2 (or other VLANs), and L2TP IP?
    3. Please share screenshots of the policy route, security policy, and L2TP VPN settings with us. Examples are shown below:

    Policy Route

    Security Policy: the below are IPsec related policies

    L2TP VPN settings:

    Thank you in advance for your cooperation. We look forward to assisting you further.

  • Jeff_ATS
    Jeff_ATS Posts: 8

    The L2TP VPN is working perfectly. It allows remote users to RDP to local servers and map network drives.

    1. I use a LAN Messenger application that I am trying to get working through the VPN. Again, the LAN Messenger would be nice to have working; the VPN is doing what I want it to do.

    From a client (192.168.20.221), I can ping anything on the host LAN (192.168.1.0), but from the host side, I cannot ping the 192.168.20.220 - 192.168.20.235 range.

    The

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hi @Jeff_ATS

    Thank you for your update. Could you please check whether the firewall settings on your Windows PC are disabled? Thanks.

  • Jeff_ATS
    Jeff_ATS Posts: 8
    edited April 2023

    Thank you for your help. The VPN is working fine, but I have a need to be able to ping from both directions.

  • PeterUK
    PeterUK Posts: 2,704  Guru Member
    edited April 2023

    I think you might need to rethink your network layout. Most of the problem will be that 192.168.1.199 has gateway 192.168.1.1; if this was 192.168.1.251 then it will likely work. So 192.168.1.199 VPN to 192.168.1.251…

    …unless this is some type of Asymmetrical Route which are hard to get hard

    If you disable the flex firewall, does it work?

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hello @Jeff_ATS

    Many thanks for sharing the detailed information with us. It could be a routing-related issue from the L2TP client to the internal LAN host. Could you provide a remote Web-GUI link to us for further checking purposes? We will send an e-mail to you later; please check your e-mail inbox. Thanks.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hello @Jeff_ATS

    Ok, thanks for your update. We have noticed that there is a policy route that could impact the L2TP client's SNAT behavior, as shown below:

    Could you please remove this policy route and try again? You can use our Wizard to create an L2TP VPN connection via expert mode this time, as shown below:

    Thanks.

  • Jeff_ATS
    Jeff_ATS Posts: 8

    I did as outlined above and I am now able to use my LAN Messenger; however, the ability to RDP from the clients no longer works. Maybe I can add a route specific to my three RDP servers (192.168.1.00, 192.168.1.99 and 192.168.1.151); they would need to be reachable from 192.168.20.220 - 192.168.20.235.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,059  Zyxel Employee

    Hi @Jeff_ATS

    We noticed that you are still using EZMODE_VPN_L2TP. Please inactivate it and activate RemoteAccess_L2TP_Wiz to see if LAN Messenger and RDP sessions work for you.

    If it still doesn't work, please go to Monitor > View Log to check if there are any blocked messages or matched default rule drop messages for the IP range 192.168.20.220 - 192.168.20.235 that might be preventing access to internal LAN hosts (192.168.1.99, 192.168.1.151). Thanks.

  • Jeff_ATS
    Jeff_ATS Posts: 8
    Answer ✓

    I have finally narrowed down the issue: the LAN Messenger we use will not function with NAT/SNAT.

    I added the route policy back in and my RDP sessions work fine again. No dropped messages in the log files.

    Thank you for your support.
