USG210s Mesh VPN With 3 Of Them
Options
I have 3 USG210s setup in a mesh VPN. 2 are working great with bi-directional communications. The 3rd will not communicate with either of the other 2 unless I edit the default deny rule and set to allow. I have tried to create rules to allow the comms to no avail. I have never encountered an issue like this and have many site to site VPNs configured, all using the wizard for setup and work seemlessly. I have tore down both VPN connections on the unit and re-set them up to encounter the exact same anomaly. Thank you for any insight!
0
Accepted Solution
-
Ended up being a corrupted default vpn security policy rule.
Deleted, recreated, and all is well.1
All Replies
-
How about configuring VPN concentrator?1
-
Thank you Jasailafan.
I tore down and rebuilt with a concentrator based on the kb article you shared and have the same anomaly.
I am using same key, security, dh, etc on the tunnels and all sites have static IP.
More Detail:
HomeOffice 192.168.1.254
BranchA 10.0.0.1
BranchB 192.168.2.1 (unable to communicate in tunnels unless default policy set to allow)
Connectivity Check Greyed Out On HomeOffice VPN Monitor For BranchA but VPN works.
Connectivity Check On HomeOffice VPN Monitor To BranchB Fails.
BranchB was added to the network 6 months later.
I am at a loss and thinking I may have to call support0 -
Zyxel Tier1 support looked at the setup today and could not figure out why it was not working. They escalated the issue to US Support and said I would receive a call back. I have yet to receive a call but will post the results when I do.0
-
Update, when testing and try to ping a far end USG at 192.168.1.x the response comes back 34.31.X.X. Quite odd as we do not have 34.x.x.x anywhere in the system. Tier1 was lost as to why that was occurring.0
-
KCS1 said:Update, when testing and try to ping a far end USG at 192.168.1.x the response comes back 34.31.X.X. Quite odd as we do not have 34.x.x.x anywhere in the system. Tier1 was lost as to why that was occurring.
The source IP address of the reply packet will choice the WAN interface IP instead of the internal IP address(192.168.1.x).
Here a tricky work-around to solve the issue,
For example,
Ping from Brach A(10.0.0.1) to Home Office USG (192.168.1.x)
You need to add a static route on Home Office USG. Destination:10.0.0.1, Subnet mask: 255.255.255.255, Next-hop: lan1 interface
0 -
Thank you Zyman2008 although the static route unfortunately did not work either .0
-
Ended up being a corrupted default vpn security policy rule.
Deleted, recreated, and all is well.1
Categories
- All Categories
- 397 Beta Program
- 2.1K Nebula
- 117 Nebula Ideas
- 81 Nebula Status and Incidents
- 5.1K Security
- 91 USG FLEX H Series
- 247 Security Ideas
- 1.3K Switch
- 69 Switch Ideas
- 919 WirelessLAN
- 35 WLAN Ideas
- 5.9K Consumer Product
- 210 Service & License
- 337 News and Release
- 71 Security Advisories
- 21 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2K FAQ
- 927 Nebula FAQ
- 422 Security FAQ
- 238 Switch FAQ
- 210 WirelessLAN FAQ
- 47 Consumer Product FAQ
- 139 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 72 About Community
- 62 Security Highlight