Cannot connect to iSeries through vpn

ColeTechGroup
I currently have a VPN set up between a main office and a branch location using WatchGuard devices. The main office IP settings are 192.168.0.X while the branch's settings are 192.168.2.X.

From the branch, I am able to ping every computer and printer except for the iSeries. I do have a SonicWall application in place at the main office, and when I connect using the SonicWall I am able to ping and access the iSeries. The SonicWall issues an address of 192.168.0.x.

The iSeries does have a TCP/IP route as follows:

Destination    Subnet           Next Hop       Preferred Interface
*DFTROUTE      *None            192.168.0.1    192.168.0.150
192.168.2.0    255.255.255.0    192.168.0.1    192.168.0.150

The gateway should be 192.168.0.1, and the address of the iSeries is 192.168.0.150 with a subnet mask of 255.255.0.0.

Any help would be greatly appreciated.
Commented:
Hello, ColeTechGroup

Since you can reach all hosts on the same subnet as the iSeries from the WatchGuard, it is not a routing issue. Have you run a packet trace from the WatchGuard to the iSeries box to see what is happening to the packets? You can also use Wireshark to see why packets don't reach the iSeries.





Gary Patterson, VP Technology / Senior Consultant

Commented:
Check iSeries Packet filtering - perhaps someone set up filtering to block traffic that didn't originate on the local subnet:

http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzaj4/rzaj4rzaj45hpacketsecurity.htm

Can you ping from the AS/400 to the 192.168.2.x subnet?

- Gary Patterson

Author

Commented:
Gary_The_IT_Pro,

I am unable to ping from the AS/400 to the 192.168.2.x subnet. I am able to ping from the AS/400 to the 192.168.0.x subnet.
Gary Patterson, VP Technology / Senior Consultant

Commented:
Check packet filtering rules on the AS/400.

- Gary Patterson

Author

Commented:
Gary,

There are no current policies in place for packet filtering on the AS/400.

Gary Patterson, VP Technology / Senior Consultant

Commented:
OK, let me see if I have this straight:

  • You have two different firewalls in place at the main office: a SonicWall and a WatchGuard.
  • When you connect via VPN (remote access VPN, I guess?) to the SonicWall, it gives you a 192.168.0.x subnet address, and you can ping the AS/400 over the VPN.
  • When you connect from the branch office (192.168.2.x subnet) via the WatchGuard firewall, you can ping any OTHER address on the 192.168.0.x subnet, but not the AS/400.
  • Any system (other than the AS/400 @ .150) on 192.168.0.x can ping any system on 192.168.2.x.
  • The AS/400 (192.168.0.150) can ping local subnet hosts, but not the 192.168.2.x subnet.
  • The AS/400 does not have packet filtering configured.

First, a disclaimer: I'm a Cisco tech; I've never worked with WatchGuard.

Well, from the above, the WatchGuard configuration seems a likely place to look. Any filtering going on there? Maybe something specific to 192.168.0.150? Post an edited version (strip outside addresses and any user IDs or passwords, in particular) of the WatchGuard config here.

Try running a traceroute from the branch office to a main office device that is responding, and then one to the AS/400.  Do the same from a main office device to the branch office device and the AS/400 to a branch office device.  Post all four traceroute results here.

Also check the WatchGuard logs to see if the incoming or outgoing ICMP packets are getting filtered.

What devices (routers, switches, firewalls, etc.) are between the WatchGuard inside interface and the AS/400 NIC?

If this were a Cisco device, I would just have the firewall log ICMP packets and see what was happening there. Perhaps the WatchGuard appliance has similar capabilities.

Is there a firewall (or other network device) in front of the AS/400 that may be filtering traffic that is not from the local subnet?

- Gary Patterson
AntonInf

Commented:
Have you tried subnet mask 255.255.255.0, considering 192.168.0 is a class C IP address?

Gary Patterson, VP Technology / Senior Consultant

Commented:
AntonInf is right. I never even noticed that you have the AS/400's subnet mask listed as 255.255.0.0. That isn't right. Is that just a typo, or is that the way it is actually configured?

- Gary Patterson
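To see why the mask matters, here is an added example (not from any poster in this thread) that simulates the longest-prefix-match lookup a TCP/IP stack performs when the AS/400 sends its ICMP reply back toward 192.168.2.x. The host address, mask and routes are taken from the question; the function name and the sample destination 192.168.2.10 are my own. With a /16 mask and no usable entry for 192.168.2.0/24, the host treats the branch subnet as on-link and ARPs for it locally instead of forwarding to 192.168.0.1, which is exactly the one-way symptom described (branch pings arrive, replies never leave the main LAN).

```python
import ipaddress

# Routes as they appear in the iSeries route table: (destination, mask, next hop).
# A destination of "*DFTROUTE" is the default route (0.0.0.0/0).
IS_ROUTES_FULL = [
    ("*DFTROUTE", None, "192.168.0.1"),
    ("192.168.2.0", "255.255.255.0", "192.168.0.1"),
]
# Hypothetical state after the specific route has become ineffective (constructed).
IS_ROUTES_DEFAULT_ONLY = [("*DFTROUTE", None, "192.168.0.1")]


def next_hop(host_ip, host_mask, routes, dest):
    """Longest-prefix-match lookup.

    The interface address/mask contributes a connected route (no gateway).
    Returns ("onlink", None) when the stack will ARP for dest directly,
    ("via", gateway) when it forwards to a router, or (None, None) if no
    route matches at all.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    candidates = [(iface.network, None)]  # directly connected network
    for dst, mask, gw in routes:
        if dst == "*DFTROUTE":
            candidates.append((ipaddress.ip_network("0.0.0.0/0"), gw))
        else:
            candidates.append((ipaddress.ip_network(f"{dst}/{mask}"), gw))

    target = ipaddress.ip_address(dest)
    best = None
    for net, gw in candidates:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return (None, None)
    return ("onlink", None) if best[1] is None else ("via", best[1])


def compare_masks(dest="192.168.2.10"):
    """Run the lookup for the two masks discussed in the thread, with and
    without the explicit 192.168.2.0/24 route, and return the outcomes."""
    return {
        "mask16_default_only": next_hop("192.168.0.150", "255.255.0.0", IS_ROUTES_DEFAULT_ONLY, dest),
        "mask24_default_only": next_hop("192.168.0.150", "255.255.255.0", IS_ROUTES_DEFAULT_ONLY, dest),
        "mask16_with_specific": next_hop("192.168.0.150", "255.255.0.0", IS_ROUTES_FULL, dest),
        "local_host": next_hop("192.168.0.150", "255.255.0.0", IS_ROUTES_FULL, "192.168.0.20"),
    }


if __name__ == "__main__":
    for name, result in compare_masks().items():
        print(f"{name:22s} -> {result}")
```

The third case shows why the explicit 192.168.2.0/24 entry should have masked the bad /16 (it is more specific than the connected route), which fits the thread's outcome: only re-entering the destinations restored that behaviour, so the entry was present but not effective. The practitioner's check is the same as the simulation: on the AS/400, confirm the mask is 255.255.255.0 (or that a working more-specific route exists) before looking at firewalls, since a wrong mask produces one-way reachability that no firewall log will explain.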
Author

Commented:
We went back, cleared all of the Destinations and entered them again, and it worked.

Gary Patterson, VP Technology / Senior Consultant

Commented:
Great. Glad you got it working. I guess your routing table was corrupt.

- Gary Patterson

Commented:
That's great, congratulations. It must be a big load off your mind and more relaxing.