FLEX700H Ignoring Routing Rule

nickpatchett

I have a static route set to push traffic to a specific IP address down an IPSEC VPN connection but the firewall seems to be ignoring it entirely. If I do a traceroute to the destination using the network tool diagnostic I just get 30 lots of ***. Other static routes using this VPN are working. Anyone have any ideas?

All Replies

  • PeterUK
    edited October 6

    Is this a site to site or VTI?

    If site to site, the FLEX H lacks routing down a tunnel; VTI has more control.

  • nickpatchett

    It's a VTI. It's baffling me as other static routes are configured in the same way and work perfectly.

    Is there a log on the router to show what it is doing with the packets?

  • PeterUK

    Not sure what your setup is or what you're trying to forward.

    I suggest a routing rule not static route with the following:
    incoming LAN
    destination IP
    nexthop Interface VTI
    SNAT: none, or outgoing interface depending on the route back; ideally none.

    It might be the case that packets are getting to their destination but the route back needs doing.

    You can packet capture both ends to see what's going on.
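The "capture both ends" advice above, worked through as an added example (this is not from the thread, from PeterUK or from Zyxel): a small Python script that reads `tcpdump -nn` text output taken on the LAN side and on the far-end router and reports, per LAN-to-remote flow, whether it is the forward path, the far-end reply or the return path that is missing. The LAN prefix 192.168.10.0/24 and all capture lines are constructed for illustration; the 10.151.128.0/22 destination is the one named later in the thread.

```python
"""Compare two tcpdump -nn captures to find where a flow stops being seen.

Added example, not the forum's or Zyxel's own tooling. Assumptions:
  - LOCAL_CAPTURE is 'tcpdump -nn' text from the LAN side of the FLEX,
  - FAR_CAPTURE is the same from the far-end router's inside interface,
  - the LAN behind the FLEX is 192.168.10.0/24 (hypothetical),
  - the far-end network is 10.151.128.0/22 (from the thread).
"""
import ipaddress
import re

LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")   # assumed local LAN
REMOTE_NET = ipaddress.ip_network("10.151.128.0/22")  # far-end network

# Matches the address part of tcpdump -nn lines for TCP/UDP (with ports)
# and ICMP (no ports), e.g.
#   "10:00:01.000001 IP 192.168.10.5.51234 > 10.151.129.20.443: Flags [S], ..."
#   "10:00:04.000001 IP 192.168.10.5 > 10.151.130.9: ICMP echo request, ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:"
)

# Constructed sample captures. Flow to .20:443 reaches the far end and is
# answered there, but the SYN-ACK never shows up on the LAN side.
LOCAL_CAPTURE = [
    "10:00:01.000001 IP 192.168.10.5.51234 > 10.151.129.20.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:02.000001 IP 192.168.10.5.51234 > 10.151.129.20.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:03.000001 IP 192.168.10.5.51235 > 10.151.129.21.22: Flags [S], seq 7, win 64240, length 0",
    "10:00:03.010001 IP 10.151.129.21.22 > 192.168.10.5.51235: Flags [S.], seq 9, ack 8, win 65535, length 0",
    "10:00:04.000001 IP 192.168.10.5 > 10.151.130.9: ICMP echo request, id 1, seq 1, length 64",
    "10:00:05.000001 IP 192.168.10.5.51236 > 10.151.131.2.80: Flags [S], seq 5, win 64240, length 0",
]
FAR_CAPTURE = [
    "10:00:01.000500 IP 192.168.10.5.51234 > 10.151.129.20.443: Flags [S], seq 1, win 64240, length 0",
    "10:00:01.001000 IP 10.151.129.20.443 > 192.168.10.5.51234: Flags [S.], seq 3, ack 2, win 65535, length 0",
    "10:00:03.000500 IP 192.168.10.5.51235 > 10.151.129.21.22: Flags [S], seq 7, win 64240, length 0",
    "10:00:03.001000 IP 10.151.129.21.22 > 192.168.10.5.51235: Flags [S.], seq 9, ack 8, win 65535, length 0",
    "10:00:04.000500 IP 192.168.10.5 > 10.151.130.9: ICMP echo request, id 1, seq 1, length 64",
]

EXPLAIN = {
    "forward-path-broken": "request never reached the far end (check the policy route / tunnel)",
    "no-reply-at-far-end": "request arrived but the far host never answered (host down or filtered)",
    "return-path-broken": "far end answered but the reply never came back (check the far-end gateway/return route)",
    "ok": "both directions seen on both sides",
}


def parse_flows(lines):
    """Return the set of (src, sport, dst, dport) tuples found in tcpdump text.

    Ports are strings; ICMP and other port-less protocols yield None for both.
    """
    flows = set()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            flows.add((m["src"], m["sport"], m["dst"], m["dport"]))
    return flows


def reverse(flow):
    """The reply direction of a flow: swap source and destination."""
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


def diagnose(local_lines, far_lines):
    """Classify each LAN->remote flow by the first hop where packets vanish."""
    local = parse_flows(local_lines)
    far = parse_flows(far_lines)
    verdicts = {}
    for flow in local:
        src, _, dst, _ = flow
        # Only look at requests originating on our LAN towards the far network.
        if ipaddress.ip_address(src) not in LOCAL_NET or ipaddress.ip_address(dst) not in REMOTE_NET:
            continue
        rev = reverse(flow)
        if flow not in far:
            verdicts[flow] = "forward-path-broken"
        elif rev not in far:
            verdicts[flow] = "no-reply-at-far-end"
        elif rev not in local:
            verdicts[flow] = "return-path-broken"
        else:
            verdicts[flow] = "ok"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in sorted(diagnose(LOCAL_CAPTURE, FAR_CAPTURE).items(), key=repr):
        src, sport, dst, dport = flow
        proto = "icmp" if sport is None else f"{sport}->{dport}"
        print(f"{src} -> {dst} [{proto}]: {verdict}: {EXPLAIN[verdict]}")
```

In practice you would feed the two files in with `tcpdump -nn -i <lan-if> host <remote-ip>` on the FLEX side and the equivalent on the far-end router; a "return-path-broken" verdict is exactly the asymmetric-return case the replies below describe, where the far-end host answers via its default gateway instead of back down the VTI.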

  • nickpatchett

    Morning Peter,

    We are a healthcare organisation and the IPSEC VPN is for our HSCN connectivity (secure NHS network). It's a simple configuration that everything I send down the VPN link is received by the router at the datacentre and then routed into HSCN.

    I have changed from a static route to a policy route as you suggested and I can see the number of Hits increasing against the rule but the traffic still isn't routing.

    The network at the far end that I am trying to get to is 10.151.128.0/22

  • Zyxel_Melen

    Hi @nickpatchett

    Could you enable Zyxel support access and share the traffic flow for us to check?

    Zyxel Melen


  • nickpatchett

    I have now enabled access via Nebula for support and opened a Request #531871

  • PeterUK
    edited October 7

    So it is likely getting to 10.151.128.0/22, but if devices at the other end have a gateway, the router might be sending replies out the WAN towards the source IP it's replying to, so you might need a routing rule at that end to route traffic back down the VTI to you.