Solved

Return traffic not passing thru L2L VPN

Posted on 2009-04-29
356 Views
Last Modified: 2012-05-06
Site-to-Site VPN is established between the following two remote LANs:
Local LAN - 172.16.106.0/24    Remote LAN - 172.20.0.0/16

Problem: VPN tunnel is UP, but return traffic from the remote LAN is not reaching the local LAN.

There are two static routes for the remote LAN to reach the local LAN on its upstream router. But after the primary route fails, the backup route for VPN return traffic is not getting installed in the router's routing table.

Can someone help?

Thank you.
Question by:vbongarala
33 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 24281936



Did you setup your nat 0 rules to include these subnets?

harbor235 ;}

Author Comment

by:vbongarala
ID: 24282077

Yes, I did. As I've written, the tunnel is UP but only the return traffic is not going via the VPN gateway, as the primary static route is still sitting in the routing table, not letting the backup floating static route get into the routing table.

Routes are:

ip route 172.16.106.0 255.255.255.0 192.168.100.4

ip route 172.16.106.0 255.255.255.0 172.31.20.50  250

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24282512


NAT 0 is to tell the device not to NAT VPN traffic in this case. I need to see your config(s).

harbor235 ;}

Author Comment

by:vbongarala
ID: 24282638
I think a diagram would give you a much clearer picture:

Diagram
                                                                     remote LAN
                                 IPLC Link                              |                              ext
local LAN---RTRA-------------------RTRB------L3Device----------ASA---------
                      |                                                                    dmz                     |
                     ASA                                                                                          |
                       |----------------------INTERNET................................................. |

The routes that I mentioned are sitting on the L3 device in the diagram. When the IPLC, the primary link between the two LANs, is down, the backup static route on the L3 device should replace the primary static route in the L3 device routing table.

And this is not happening. I manually tried to remove the primary route and then verified the routing table, and I could find the backup route sitting in the routing table and the VPN working fine, with traffic getting encrypted from both sides.

So, can you suggest how the secondary route can be inserted into the routing table of the L3 device, while I send you the configs?

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24282744


Are you saying that the VPN works otherwise? If you want it to fail over you will need to track an interface with the route; that way the failure will withdraw the route that goes down. You could also run a dynamic routing protocol over GRE as well.

ip route 172.16.106.0 255.255.255.0 <IPLC-Link>

ip route 172.16.106.0 255.255.255.0 <internet-link>  250


harbor235 ;}


Author Comment

by:vbongarala
ID: 24282827
Yes, after bringing down the IPLC link, if I remove the primary route manually from the L3 device, that leaves the backup route in the routing table, and so the VPN is working then.
But
If you see the diagram, if the IPLC link goes down, then the interface on RTRB connecting to the L3 device is still UP and active. That means, in essence, from the L3 device's standpoint the interface that is connecting it to RTRB is not going down, for it to remove the primary route and put in the backup route.

In this case, which interface do you suggest I track, and how?

I'm afraid I cannot use dynamic routing, as it may call for a lot of changes; please suggest the steps if you think it is simple. Otherwise, I would prefer to seek a solution of tracking the interface with static routes.

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24282844


ip route 172.16.106.0 255.255.255.0 Serial 0/1

ip route 172.16.106.0 255.255.255.0 g1/0  250


Use interface names, not IP addresses; when you use interface names the route is withdrawn when there is a failure.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24282919
I want you to have a second look at the diagram, please.

The serial 0/1 interface of RTRB is not directly connected to the L3 switch; instead, fastethernet 0/0 of RTRB is directly connecting to the L3 device. Still, if we give the following route:

ip route 172.16.106.0 255.255.255.0 Serial 0/1

will it work?
LVL 32

Expert Comment

by:harbor235
ID: 24282940


I was guessing on the interfaces; plug in the appropriate ones.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24282945

If we give serial 0/0 instead of the IP address of the serial interface, will the route still be withdrawn even if the fastethernet 0/0 of RTRB connecting to the L3 device is still UP and active?

Thanks :)

Author Comment

by:vbongarala
ID: 24283002

Bringing down the IPLC would bring down the serial interface of RTRB, but not the gig port of the L3 device to which the fastethernet0/0 port of RTRB is connected.

In this case, the route should refer to which interface?

Thanks:)

Author Comment

by:vbongarala
ID: 24283082

Besides, I noticed on the L3 device there is no serial interface option for the static route, only giga ports, as all ports on the L3 device are gigabit ports.
LVL 32

Expert Comment

by:harbor235
ID: 24283384



Again, I have not seen your configs, so I have no idea which interfaces to specify. My post was an example only.
Whichever interface is used to route the traffic outbound, use that interface.

I would do this during a maintenance window; however, if you add the routes we talked about first, and then afterwards withdraw the old one, you should be fine. Also, you can still add a higher cost to the least preferred path.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24284422


Diagram
                                                                               remote LAN
                                 IPLC Link                                          |                              ext
local LAN---RTRA-------------------RTRB-------------------------L3Device--------------------------ASA---------
                      |      s0                   s1       f0/0                     gig2/1         gig 3/1            dmz         |
                     ASA                                                                                                                         |
                       |----------------------INTERNET............................................................                     |          

On the L3 device, the interface through which traffic is going outbound to the remote local LAN over the primary route is gig2/1.

In case the IPLC link goes down, the alternate interface is gig 3/1, as in the diagram where the ASA is connected.

I tested the VPN for both of the following cases of ip routes, but return traffic was still going to the 1st path:

Case 1
ip route 172.16.106.0 255.255.255.0 Serial 0/1

ip route 172.16.106.0 255.255.255.0 g3/1  250

Case 2

ip route 172.16.106.0 255.255.255.0 g 2/1

ip route 172.16.106.0 255.255.255.0 g 3/1  250

And configs are attached.
Thanks:)



local-LAN-config.txt
Remote-LAN-Config.txt
LVL 32

Expert Comment

by:harbor235
ID: 24294719


Did you remove the old routes?  

So, on the L3 device, the primary path is out g2/1 which connects to RTRB; then this will work:

ip route 172.16.106.0 255.255.255.0 g 2/1
ip route 172.16.106.0 255.255.255.0 g 3/1  250

Traffic will fail over when g2/1 fails; your old routes must be removed, there can be no other routes for 172.16.106.0/24.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24295257
I have tested this:
When I bring down S1 on RTRB, f0/0 is still remaining UP and active, and therefore also g2/1. Which means g2/1 is not failing at all, even though I fail the IPLC link. In this case, do you think the below route:

ip route 172.16.106.0 255.255.255.0 g 2/1

will disappear and the backup route take over? I'm a little confused here as to how you say the primary route will no longer be there, when g2/1 is not failing at all.

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24295911


Well, you must have something between RTRB and the L3 device; what does the layer 3 device connect to?

G2/1 is not connected directly to RTRB, it must be attached to a switch and/or a transport device.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24296144
RTRB is attached directly to the L3 device switch port. There is no device between these devices.

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24296191


How does a fastethernet port connect to a GigE port? Is there a media converter?

harbor235 ;}

Author Comment

by:vbongarala
ID: 24296352

The GigE port is 10/100/1000 compatible, and hence I think it is supporting the connection from fastethernet, because it is working perfectly.

Thanks:)

Author Comment

by:vbongarala
ID: 24297201

Do you think this can be made to work?

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24297338

You state that you fail s0/1; we are not tracking s0/1, we are tracking g2/1, and what happens ahead of us has no consequence. You must use SAA probes or something to test network connectivity further upstream to fail over that link. I missed the part stating how you tested failover.

The route is bound to g2/1; g2/1 has to go down for it to fail over, or use SAA probes.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24297480

I've never heard of SAA probes. What are they? Can they be used in this particular scenario? Besides, will it help to fail over for sure?

If SAA probes are the solution, now that you know the connectivity and how failover is being tested, please suggest where and how to configure the probes.

Thanks:)
LVL 32

Expert Comment

by:harbor235
ID: 24297684


Hmm, ok, SAA probes will work but may be complicated. However, if you were using dynamic routing and the link fails, this will fail the traffic over with less complexity. Didn't we have a dynamic routing discussion before?

If S0/1 fails, then dynamic routing will withdraw all routes learned via that device where the other end of S1 is the next hop. Your other secondary route will become primary.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24297825

Both on RTRB and the L3 device, we are using static routing. Can we use dynamic routing for this single remote network? Is this possible without disturbing the existing other static routes on the L3 device?

Thanks:)

Author Comment

by:vbongarala
ID: 24306083

Hi harbor,

I was hoping that you will reply to my last post. I'm willing to consider increasing the points, hence I would want you to reply to my post.

Thanks:)

LVL 32

Expert Comment

by:harbor235
ID: 24306845


Yes, you can, and yes, it is possible, but remember a static route will have precedence over dynamically learned routes, so static will override the dynamic routes.

harbor235 ;}

Author Comment

by:vbongarala
ID: 24306886

That means it implies we completely do away with static routing and use only dynamic routing on the L3 device, right?
If we do this, it will disturb all our failover configurations on the L3 device, which is our core switch.

Please advise how to get over this dead end.

Thanks:)

Author Comment

by:vbongarala
ID: 24306951

How about SAA probes, which you said will work?

Thanks:)

Author Comment

by:vbongarala
ID: 24307169

As I'm not familiar with SAA configuration, and you are, I would want your assistance in trying this configuration. Can you just put together sample configuration steps for the SAA configuration?

If I'm correct, we need to configure SAA probes on the L3 device, right, with the target router as RTRB?

To understand the complexity, could you care to tell what part of SAA is complicated?

Thanks:)
LVL 32

Accepted Solution

by:
harbor235 earned 500 total points
ID: 24307257


It requires more configuration than dynamic routing because responder and sender must be configured, as well as thresholds and failover parameters. Dynamic routing is simple: turn it on and it will do what you ask. I have provided many answers to your multiple questions on multiple posts; I would need to do some additional research and testing to ensure it works properly. At this point I have given you all I can for this question. I believe I have provided you with several possible solutions.

Good luck to you,

harbor235 ;}
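The SAA/IP SLA approach that the accepted solution describes, written out as an added configuration example for the L3 device; it is not part of this thread and was not posted by harbor235 or vbongarala. It addresses the earlier point that an interface-bound route cannot fail over here because g2/1 stays up when the IPLC drops: instead, a probe sent across the IPLC decides whether the primary route stays installed. The next hops are the ones from the question's routes; the probe target 172.16.106.1, the SLA and track numbers and the timers are assumptions, and the modern `ip sla` syntax is used where 2009-era IOS spelled the same feature with the older `rtr` keywords.

```cisco
! Assumed probe target: an address in the local LAN (172.16.106.0/24) that is
! only reachable through the IPLC while that link is healthy. Probing RTRB's
! own f0/0 address (192.168.100.4) would NOT detect the failure, because that
! interface stays up when the IPLC serial link goes down.
!
! 1. Host route pinning the probe to the primary path. Without it, after a
!    failover the probe would succeed over the VPN, the track would come back
!    up and the two routes would flap. Pick a target whose loss of reachability
!    over the VPN is acceptable (e.g. RTRA's IPLC-side address, which the
!    thread does not give).
ip route 172.16.106.1 255.255.255.255 192.168.100.4
!
! 2. ICMP echo probe every 5 s, sourced from the interface facing RTRB
!    (gig2/1 in the diagram). threshold must not exceed timeout (both in ms).
ip sla 10
 icmp-echo 172.16.106.1 source-interface GigabitEthernet2/1
 frequency 5
 timeout 2000
 threshold 1500
ip sla schedule 10 life forever start-time now
!
! 3. Track object follows the probe's reachability; the delays damp short
!    outages so a single lost echo does not flip the routing table.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! 4. Primary route is installed only while track 10 is up; the floating
!    static route (AD 250, via the ASA) takes over when the track goes down.
!    The old untracked primary route must be removed, as noted in the thread.
ip route 172.16.106.0 255.255.255.0 192.168.100.4 track 10
ip route 172.16.106.0 255.255.255.0 172.31.20.50 250
```

Confirm the state with `show track 10` and `show ip route 172.16.106.0` while the IPLC is up and again after failing it; the tracked route should disappear and the AD 250 route appear.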

Author Comment

by:vbongarala
ID: 24307388

Yes, indeed you have given all you could for the question. In fact, I would say more than that. And I'm grateful to you for that and for answering all my questions patiently.

I will check if I can go for dynamic routing and test it, if I can get it through my management. I will keep you posted.

I have awarded more points for your effort. Thanks again:)