Site2Site VPN Routing not working (USG60 to USG60)
All Replies
-
Zyxel_Jeff said:
Hi @stephan
The reason why the branch site can’t ping to HQ site is the packet be dropped by branch site's default rule, you can check those logs message as below:
Monitor > Log >View Log
You can set a security policy on the branch site, from LAN1 to any as below:
Then you can ping successfully from LAN1 IP(192.168.178.100) of branch site to LAN1 IP(10.0.0.2) of HQ.
Unfortunately, our business needed my elsewhere for a while.
I did spot the access blocked triggered by the default rule in the logs.
I did create a policy LAN1 to any, but pings are still not going through. But they are also not showing up as blocked anymore.
Here is what I did/found
Created the policy like this on the branch USG60:
Made sure the VPN shows as connected on both USG60s
I tried pinging both USG60s from both networks.- Machine in HQ pinging HQ USG60
- Machine in HQ pinging branch USG60
- Machine in branch pinging branch USG60
- Machine in branch pinging HQ USG60
I tried pinging devices within the networks and this doesn't work though.- Machine in HQ pinging network printer in branch
- Machine in branch pinging network printer in HQ
So I guess, there is still a routing issue?
I did try a tracert from branch to a device within HQ network and it did seem to bounce around aimlessly as it did show timeouts after the branch USG60 and terminated after 30 hops.
If I try to tracert the HQ USG60 from a branch device, it correctly shows 3 hops and a termination at the HQ USG60.
Any ideas still?0 -
If you ping printers but not PCs, it seems that PCs choose not to respond.I would look at system operating firewall: Windows firewall? Third party firewall?Try to disable it, just to diagnose.0
-
valerio_vanni said:If you ping printers but not PCs, it seems that PCs choose not to respond.I would look at system operating firewall: Windows firewall? Third party firewall?Try to disable it, just to diagnose.The devices do respond to ping from the same net.So the issue is not on the device.Sorry if I was not clear enough on that. I will edit my post to reflect that.Edited the post to be more clear that pings within networks to target machines work. But through VPN they don't. I can only ping the edges of the net (the 2 USG60s respectively).0
-
stephan said:The devices do respond to ping from the same net.So the issue is not on the device.Sorry if I was not clear enough on that. I will edit my post to reflect that.It was clear, but that behavior cannot exclude local firewall as cause.A local firewall can define a subset of addresses in its rules. For example, Windows Firewall by default has some rules that have as scope "local subnet".So it would be regular to find that PC accept connection from their subnet and not from another.I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.You said that printers did respond. Do they have the same gateway like PCs?0
-
valerio_vanni said:stephan said:The devices do respond to ping from the same net.So the issue is not on the device.Sorry if I was not clear enough on that. I will edit my post to reflect that.It was clear, but that behavior cannot exclude local firewall as cause.A local firewall can define a subset of addresses in its rules. For example, Windows Firewall by default has some rules that have as scope "local subnet".So it would be regular to find that PC accept connection from their subnet and not from another.I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.You said that printers did respond. Do they have the same gateway like PCs?
tl;dr: It was a FW routing issue.
You said that printers did respond. Do they have the same gateway like PCs?
Yes. Their gateway is are their respective USG60s.
I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.
As outlined in the other post, the machines (printers and a Linux server) did return pings from our L2TP VPN to requests from outside their net. It was not a local firewall or internal routing issue with the machines.0
Categories
- All Categories
- 199 Beta Program
- 1.8K Nebula
- 94 Nebula Ideas
- 63 Nebula Status and Incidents
- 4.7K Security
- 236 Security Ideas
- 1.1K Switch
- 52 Switch Ideas
- 919 WirelessLAN
- 28 WLAN Ideas
- 5.4K Consumer Product
- 173 Service & License
- 296 News and Release
- 65 Security Advisories
- 14 Education Center
- 1K FAQ
- 454 Nebula FAQ
- 258 Security FAQ
- 100 Switch FAQ
- 115 WirelessLAN FAQ
- 22 Consumer Product FAQ
- 70 Service & License FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 69 About Community
- 52 Security Highlight