Comments
-
When going back into the VPN setting again for further troubleshooting, I saw the options for Active Protocol and Encapsulation completely missing from the Phase 2 settings. I believe this may have occurred from attempting to add a second set of subnets in the Policy here: The router started locking up to the point where…
-
THIS IS THE FIX! We did have this limited to just two /24 subnets for each site. We did not need to recreate the VPN in this instance, we just updated the Phase 2 policies to the 0.0.0.0/0 subnets and now I am able to communicate from the router over the tunnel to the server. This is a bit confusing compared to the…
-
Updated VTI to provided (our office 200H to 172.16.0.1/30 and client site 200 to 172.16.0.2/30). Verified I can ping from computer to server and vice versa again after the VPN reconnected. Traffic from the router still does not traverse the VPN:
-
Correct. Client side LAN is 10.10.1.1/24, with a DNS server at 10.10.1.10/24. Remote side LAN is 192.168.2.1/24. I have a computer at 192.168.2.33 which can ping to the server at 10.10.1.10 (and the server can ping the computer).
-
Correct, but for this new testing scenario that we set up the 200 (non H) is using 10.20.30.1/30 so it is in the same subnet as the 10.20.30.2/30 that the 200H is. Just want to reiterate again that we are not having issues with traffic initiated from the computers traversing the VPN, only traffic initiated from the router.
-
Apologize for the confusion, we set up a new test from scratch to ensure there were not any misconfigurations with the existing equipment. Here is this screenshot from the new Flex 200H we have set up in our office for testing where we are experiencing the same issues:
-
Disregard the prior comments on models, in this round of testing we are connecting a test unit in our office (200H) to the customer's site (200).
-
Remote site (router we set up in our office for testing) LAN - 192.168.2.0/24, VTI IP - 10.20.30.2/30
-
I completely recreated this using a 200H in our office, and cannot get any traffic from the 200H to a Flex 200 router. Note the traffic from computers behind the routers traverses the VPN without issue, the issue only lies with traffic sourced FROM the router. Setup below: Remote site LAN - 192.168.2.0/24, VTI IP -…
-
As stated, does not matter what I set the interface to, the pings do not succeed: DNS is set to the router for this interface: Resolving against the router (in this case 192.168.15.1) does not succeed as the router does not seem to be able to send any traffic over the VTI.
-
Yes, we had DNS server set to the router. Any nslookups to the domain name just time out. Pinging from the 100H’s Network Tool page does not get through to the server. Computers are able to ping to server by IP so the tunnel is working appropriately for clients.
-
@Zyxel_Melen Correction to this - we want to set the DNS server on the client side to the 100H. The 100H has a Domain Zone Forwarder, so it should be able to send only needed DNS queries for this domain over the tunnel to the DNS server. Computers behind the 100H can communicate with the server, communication from the 100H…
-
Unfortunately we were never able to find a solution here, even in an active/active state on the trunk like you are stating. I wish I had a better answer.
-
Just upgraded to 4.73(AAAA.2) and rebooted, same thing persists. VLAN 1001 is tagged on the port going into WAN2. It all comes to the policy route with SNAT for using an alternate IP, and I am not able to find a way to bypass this route if traffic came in the LTE connection.
-
We are using a user configured trunk, which we have set up with both members being active or VLAN1001 being passive without change in behavior. VLAN1001 is set up as an external interface with WAN2 being the base port (only set up this way to go through a switch then connect back to the router).