Solved

VPN gives two different types of IPs

Posted on 2012-03-16
5
540 Views
Last Modified: 2012-04-08
I have two sites, PDX and AST, connected by a S2S VPN, Juniper at PDX and NetGear at AST. Both sites say the VPN connection is active. When I log into a PC on the AST network and ping a PC on the PDX LAN I get a response. When I do a tracert from the same two machines, I get two hops: 192.168.3.1 (AST gateway) and 192.168.4.1 (PDX gateway).
When I ping from a PC on the PDX LAN to a PC on the AST LAN, I get
reply from 76.139.77.52 (fictitious) destination host unreachable. When I do a tracert from the same PDX LAN PC to the same AST LAN PC it GOES TO THE INTERNET (public IP addresses) and stops at 76.139.77.52.
Three questions (in order of importance):
What is the likely cause of this?
Why do I get private IP addresses when I tracert from AST to PDX?
Why would the VPN say it is up at both ends and yet I am not able to ping internally from PDX to AST?
0
Question by:evault
5 Comments
 
LVL 1

Author Comment

by:evault
ID: 37731720
By the way, there are three telcos involved in this: Vendor1, which provides service at PDX; Vendor2, which provides service at AST; and Vendor3, which provides connectivity between the two other vendors. Vendors 1 & 2 both claim their networks are delivering the packets successfully as far as their borders.
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 250 total points
ID: 37732719
This definitely sounds like a missing route statement is the cause of the issue. In the Juniper, do you have a route defined that implicitly says traffic for IP 192.168.3.0/24 should go out through the VPN tunnel?
0
 
LVL 70

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 37733580
The difference between initiating traffic from AST -> PDX and from PDX -> AST is that in the first case the session object already exists for the ICMP reply.
That is:
* traffic originates from AST,
* passes the VPN tunnel,
* arrives at the Juniper (and a corresponding session object is created).
When the reply from PDX is sent, the session object is used as a shortcut - no routes or policies to check. So it will pass.

The other way, the session object does not yet exist, so routes and policies need to be checked. And obviously there is a route or policy taking precedence, forwarding the packet to the public interface instead of passing it through a tunnel.

Without seeing the config (or the relevant part of it, at least), that is all we can guess about.
A simple test is to allow traffic logging for the VPN policy PDX -> AST. If you see traffic, the policy is hit, and can be exempted from being the culprit.
0
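The two accepted answers above make the same underlying point from different angles: Sanga Collins asks whether the Juniper has a route sending 192.168.3.0/24 into the tunnel, and Qlemo explains that PDX-initiated traffic has to pass a route/policy lookup because no session object exists yet. The following Python script is an added illustration, not code from the thread or from either vendor. It simulates a longest-prefix-match route lookup against a constructed route table (the interface names such as `ethernet0/0` and `tunnel.1` are assumptions, and the table is not a real Juniper configuration) to show why a private destination falls through to the default route when the tunnel route is absent, and it parses a constructed Windows-style `tracert` capture to flag the symptom the asker saw: hops with public addresses on the way to a private destination.

```python
# Added example (not part of the original thread): route lookup simulation
# plus a tracert check for private-destination traffic reaching public hops.
import ipaddress

# Constructed route table: (prefix, outgoing interface). Interface names
# are assumptions for illustration only, not a real device configuration.
ROUTES_MISSING_TUNNEL = [
    ("0.0.0.0/0", "ethernet0/0 (untrust, public)"),
    ("192.168.4.0/24", "ethernet0/1 (trust, PDX LAN)"),
]

# Same table with the route Sanga Collins asked about added.
ROUTES_WITH_TUNNEL = ROUTES_MISSING_TUNNEL + [
    ("192.168.3.0/24", "tunnel.1 (VPN to AST)"),
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific matching route wins.

    Returns the outgoing interface string, or None if nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def leaked_hops(tracert_lines, dst):
    """Return (hop_number, address) for every public hop seen on the path
    to a private destination. A private destination should never be reached
    across public hops when the site-to-site tunnel is doing its job.
    """
    if not ipaddress.ip_address(dst).is_private:
        return []
    leaks = []
    for line in tracert_lines:
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue  # header lines, blank lines
        try:
            hop = ipaddress.ip_address(parts[-1].strip("[]"))
        except ValueError:
            continue  # "Request timed out." and similar non-address lines
        if not hop.is_private:
            leaks.append((int(parts[0]), str(hop)))
    return leaks

# Constructed tracert output from the PDX LAN towards an AST host, modelled
# on the symptom described in the question (76.139.77.52 is the fictitious
# public address the asker quoted).
SAMPLE_TRACERT = [
    "Tracing route to 192.168.3.10 over a maximum of 30 hops",
    "",
    "  1    <1 ms    <1 ms    <1 ms  192.168.4.1",
    "  2     *        *        *     Request timed out.",
    "  3    12 ms    11 ms    12 ms  76.139.77.52",
]

if __name__ == "__main__":
    for label, table in (("missing tunnel route", ROUTES_MISSING_TUNNEL),
                         ("with tunnel route", ROUTES_WITH_TUNNEL)):
        print(f"{label}: 192.168.3.10 -> {lookup(table, '192.168.3.10')}")
    print("public hops towards private destination:",
          leaked_hops(SAMPLE_TRACERT, "192.168.3.10"))
```

With the tunnel route missing, the lookup for 192.168.3.10 only matches the default route and the packet leaves the public interface, which is exactly what the PDX-side tracert shows; adding the /24 for the AST LAN makes the more specific route win. The `leaked_hops` check is a quick way to confirm from a workstation whether tunnel traffic is escaping to the internet before any configuration is examined.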
 
LVL 1

Author Comment

by:evault
ID: 37740624
Thank you both. Each of you has some merit to your suggestions. I will check both and get back to you.
0
 
LVL 1

Author Closing Comment

by:evault
ID: 37822435
Replaced the Juniper/NetGear firewalls with two SonicWALL units and everything is working just fine.
0
