Site2Site VPN Routing not working (USG60 to USG60)

2»

All Replies

  • stephan
    stephan Posts: 31
    First Comment Friend Collector Fifth Anniversary
     Freshman Member

    Hi @stephan

    The reason why the branch site can’t ping to HQ site is the packet be dropped by branch site's default rule, you can check those logs message as below:

    Monitor > Log  >View Log



    You can set a security policy on the branch site, from LAN1 to any as below:



    Then you can ping successfully from LAN1 IP(192.168.178.100) of branch site to LAN1 IP(10.0.0.2) of HQ :)



    Hi Jeff. Sorry for the exceptionally late reply.
    Unfortunately, our business needed my elsewhere for a while.

    I did spot the access blocked triggered by the default rule in the logs.
    I did create a policy LAN1 to any, but pings are still not going through. But they are also not showing up as blocked anymore.

    Here is what I did/found

    Created the policy like this on the branch USG60:

    Made sure the VPN shows as connected on both USG60s
    I tried pinging both USG60s from both networks.
    • Machine in HQ pinging HQ USG60
    • Machine in HQ pinging branch USG60
    • Machine in branch pinging branch USG60
    • Machine in branch pinging HQ USG60
    All of these pings did return normally and return the pings.

    I tried pinging devices within the networks and this doesn't work though.
    • Machine in HQ pinging network printer in branch
    • Machine in branch pinging network printer in HQ
    Both should return pings.
    So I guess, there is still a routing issue?
    I did try a tracert from branch to a device within HQ network and it did seem to bounce around aimlessly as it did show timeouts after the branch USG60 and terminated after 30 hops.

    If I try to tracert the HQ USG60 from a branch device, it correctly shows 3 hops and a termination at the HQ USG60.


    Any ideas still?
  • valerio_vanni
    valerio_vanni Posts: 64
    First Comment First Answer Friend Collector First Anniversary
     Ally Member
    If you ping printers but not PCs, it seems that PCs choose not to respond.

    I would look at system operating firewall: Windows firewall? Third party firewall?
    Try to disable it, just to diagnose.

  • stephan
    stephan Posts: 31
    First Comment Friend Collector Fifth Anniversary
     Freshman Member
    edited January 2022
    If you ping printers but not PCs, it seems that PCs choose not to respond.

    I would look at system operating firewall: Windows firewall? Third party firewall?
    Try to disable it, just to diagnose.

    The devices do respond to ping from the same net.
    So the issue is not on the device.
    Sorry if I was not clear enough on that. I will edit my post to reflect that.



    Edited the post to be more clear that pings within networks to target machines work. But through VPN they don't. I can only ping the edges of the net (the 2 USG60s respectively).
  • valerio_vanni
    valerio_vanni Posts: 64
    First Comment First Answer Friend Collector First Anniversary
     Ally Member
    stephan said:

    The devices do respond to ping from the same net.
    So the issue is not on the device.
    Sorry if I was not clear enough on that. I will edit my post to reflect that.

    It was clear, but that behavior cannot exclude local firewall as cause.

    A local firewall can define a subset of addresses in its rules. For example, Windows Firewall by default has some rules that have as scope "local subnet".
    So it would be regular to find that PC accept connection from their subnet and not from another.

    I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.

    You said that printers did respond. Do they have the same gateway like PCs?

  • stephan
    stephan Posts: 31
    First Comment Friend Collector Fifth Anniversary
     Freshman Member
    stephan said:

    The devices do respond to ping from the same net.
    So the issue is not on the device.
    Sorry if I was not clear enough on that. I will edit my post to reflect that.

    It was clear, but that behavior cannot exclude local firewall as cause.

    A local firewall can define a subset of addresses in its rules. For example, Windows Firewall by default has some rules that have as scope "local subnet".
    So it would be regular to find that PC accept connection from their subnet and not from another.

    I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.

    You said that printers did respond. Do they have the same gateway like PCs?

    I already posted a comprehensive explaination here: https://community.zyxel.com/en/discussion/comment/37240/#Comment_37240
    tl;dr: It was a FW routing issue.

    You said that printers did respond. Do they have the same gateway like PCs?

    Yes. Their gateway is are their respective USG60s.

    I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.

    As outlined in the other post, the machines (printers and a Linux server) did return pings from our L2TP VPN to requests from outside their net. It was not a local firewall or internal routing issue with the machines.

Security Highlight