Site2Site VPN Routing not working (USG60 to USG60)

Zyxel_Jeff said:

Hi @stephan

The reason why the branch site can’t ping to HQ site is the packet be dropped by branch site's default rule, you can check those logs message as below:

Monitor > Log  >View Log

You can set a security policy on the branch site, from LAN1 to any as below:

Then you can ping successfully from LAN1 IP(192.168.178.100) of branch site to LAN1 IP(10.0.0.2) of HQ . 

Hi Jeff. Sorry for the exceptionally late reply.
Unfortunately, our business needed my elsewhere for a while.

I did spot the access blocked triggered by the default rule in the logs.
I did create a policy LAN1 to any, but pings are still not going through. But they are also not showing up as blocked anymore.

Here is what I did/found

Created the policy like this on the branch USG60:

Made sure the VPN shows as connected on both USG60s
I tried pinging both USG60s from both networks.

• Machine in HQ pinging HQ USG60
• Machine in HQ pinging branch USG60
  
• Machine in branch pinging branch USG60
• Machine in branch pinging HQ USG60

All of these pings did return normally and return the pings.

I tried pinging devices within the networks and this doesn't work though.

• Machine in HQ pinging network printer in branch
• Machine in branch pinging network printer in HQ

Both should return pings.
So I guess, there is still a routing issue?
I did try a tracert from branch to a device within HQ network and it did seem to bounce around aimlessly as it did show timeouts after the branch USG60 and terminated after 30 hops.

If I try to tracert the HQ USG60 from a branch device, it correctly shows 3 hops and a termination at the HQ USG60.


Any ideas still?

valerio_vanni said:

If you ping printers but not PCs, it seems that PCs choose not to respond.

I would look at system operating firewall: Windows firewall? Third party firewall?

Try to disable it, just to diagnose.

valerio_vanni said:

stephan said:

The devices do respond to ping from the same net.

So the issue is not on the device.

Sorry if I was not clear enough on that. I will edit my post to reflect that.

It was clear, but that behavior cannot exclude local firewall as cause.

A local firewall can define a subset of addresses in its rules. For example, Windows Firewall by default has some rules that have as scope "local subnet".

So it would be regular to find that PC accept connection from their subnet and not from another.

I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.

You said that printers did respond. Do they have the same gateway like PCs?

I already posted a comprehensive explaination here: https://community.zyxel.com/en/discussion/comment/37240/#Comment_37240
tl;dr: It was a FW routing issue.

You said that printers did respond. Do they have the same gateway like PCs?

Yes. Their gateway is are their respective USG60s.

I cannot tell if it's your case, but the test of disabling local firewall it's worthy. Quick and simple.

As outlined in the other post, the machines (printers and a Linux server) did return pings from our L2TP VPN to requests from outside their net. It was not a local firewall or internal routing issue with the machines.