Solved

juniper ssg20 vpn

Posted on 2009-12-25
Medium Priority
873 Views
Last Modified: 2012-08-13
We're having trouble setting up a site-to-site VPN between two Juniper SSG20s.

The details are:
HQ site: 50.0.0.0 subnet
using Juniper SSG20
Interface is 50.0.0.1
Problem: Clients (50.0.0.x) can NOT ping clients in 50.0.1.x

Remote site: 50.0.1.0 subnet
also using Juniper SSG20
Interface is 50.0.1.1
Clients (50.0.1.x) can actually ping computers in the HQ site.

We couldn't figure out what is going on, since the remote clients can ping HQ hosts but not the other way around.

Thank You

Question by:SW111
6 Comments

Expert Comment

by:Rick_O_Shay
ID: 26122740
It sounds like the routing and tunnel are ok. Are there any firewall rules that may explain it?

Author Comment

by:SW111
ID: 26122787
I'm not too sure. We didn't explicitly set a rule to prevent it. Should we have explicitly set a rule to allow it?
If so, how and where (which Juniper: HQ or remote)?

Expert Comment

by:Rick_O_Shay
ID: 26122815
I don't know the Juniper configs specifically. Is there a way to turn on firewall logging so you can see what is being allowed or dropped by which rules to isolate what is happening to the pings?

Author Comment

by:SW111
ID: 26122818
Well, yes. There is a whole lot of logging info on the system. Only I don't see (don't understand?) which one is an error. It doesn't say error explicitly... Is there something I should keep an eye on, in particular?

Accepted Solution

by:Rick_O_Shay (earned 2000 total points)
ID: 26122826
I was thinking along the lines that in the log event there would be at least the source and destination address, the protocol, and whether it was dropped or not. If you see something like the ping being dropped by rule number 10 or whatever, then you could expand or change it, or add a rule ahead of it to allow for the site-to-site that you have configured.
Maybe try a quick test with the firewall off, just to see if that is the right direction?
Author Closing Comment

by:SW111
ID: 31669935
Ah, turns out that the routing needed to be fixed.

Our setup is a bit different from that in the manual, so there were some inconsistencies in the routing. A bit strange, because the VPN tunnel is showing up. It was the routing after the tunnel that was problematic.

The solution was to create a route from untrust-vr to trust-vr zone.
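The closing comment names the fix (a route between the two virtual routers) but not the commands. The following is an added ScreenOS CLI example written for this thread; it is not configuration posted by SW111 or taken from Juniper documentation. It assumes a route-based VPN on the HQ SSG20 with the tunnel interface `tunnel.1` bound to zone Untrust in `untrust-vr`, and the LAN in zone Trust in `trust-vr`; the interface names, the tunnel number, the VR placement and the `50.0.0.10` / `50.0.1.10` test hosts are assumptions, and the `#` lines are annotations rather than CLI input. It also shows the flow-debug filter that answers the "which log entry is the error?" question above by tracing a single ping instead of scanning the whole event log.

```screenos
# Added example, not from the original thread. HQ-side routing for a
# two-VR ScreenOS site-to-site VPN. Assumed names: tunnel.1, trust-vr,
# untrust-vr, hosts 50.0.0.10 (HQ) and 50.0.1.10 (remote).

# 1. trust-vr has no route for the remote LAN, so HQ-originated packets
#    to 50.0.1.x follow its default route instead of the tunnel. Point
#    the remote subnet at untrust-vr, where the tunnel interface lives.
set vrouter trust-vr
set route 50.0.1.0/24 vrouter untrust-vr
exit

# 2. untrust-vr must send the remote subnet into the tunnel, and must be
#    able to hand packets for the HQ LAN back to trust-vr (this is the
#    untrust-vr -> trust-vr route the closing comment refers to).
set vrouter untrust-vr
set route 50.0.1.0/24 interface tunnel.1
set route 50.0.0.0/24 vrouter trust-vr
exit

# 3. Verify: the route table should now list 50.0.1.0/24 in both VRs,
#    once as "vrouter untrust-vr" and once via tunnel.1.
get route

# 4. Trace one HQ -> remote ping through the flow engine. The trace
#    names the VR used for the lookup, the outgoing interface and the
#    policy that permitted or denied the packet, which is far easier to
#    read than the full event log.
set ffilter src-ip 50.0.0.10 dst-ip 50.0.1.10
clear db
debug flow basic
# ... send the ping from 50.0.0.10 now, then stop and read the trace:
undebug all
get db stream
unset ffilter
```

The asymmetry described in the question is exactly what a missing inter-VR route produces: replies to remote-initiated pings are routed by the session that already exists, while HQ-initiated pings need a fresh route lookup in trust-vr, which fails without step 1. After the routes are in place, a policy from Trust to Untrust (and back) that permits the traffic is still required, which is the check Rick_O_Shay was asking about; the `debug flow basic` output will name the policy ID that matched, or report a denial, so it covers both the routing and the firewall-rule hypotheses in one test.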
