Solved

VPN gives two different types of IPs

Posted on 2012-03-16
5
530 Views
Last Modified: 2012-04-08
I have two sites PDX and AST connected by a S2S VPN, Juniper at PDX and NetGear at AST. Both sites say the VPN connection is active. When I log into a PC on the AST network and ping a PC on the PDX LAN I get a response. When I do a tracert from the same two machines, I get two hops: 192.168.3.1 (AST gateway) and 192.168.4.1 (PDX gateway).
When I ping from a PC on PDX LAN to a PC on the AST LAN, I get
reply from 76.139.77.52 (fictitious) destination host unreachable. When I do a tracert from the same PDX LAN PC to the same AST LAN PC it GOES TO THE INTERNET (public IP addresses) and stops at 76.139.77.52.
Three questions (in order of importance)
What is the likely cause of this?
Why do I get Private IP addresses when I tracert from AST to PDX?
Why would the VPN say it is up at both ends and yet I am not able to  ping internally from PDX to AST?
0
Question by:evault
5 Comments
 
LVL 1

Author Comment

by:evault
ID: 37731720
By the way, there are three telcos involved in this, Vendor1 which provides service at PDX, Vendor2 which provides service at AST and Vendor3 which provides connectivity between the two other vendors. Vendors 1 & 2 both claim their networks are delivering the packets successfully as far as their borders.
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 250 total points
ID: 37732719
This definitely sounds like a missing route statement is the cause of the issue. In the Juniper do you have a route defined that explicitly says traffic for IP 192.168.3.0/24 should go out through the VPN tunnel?
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
ID: 37733580
The difference for whether you initiate traffic from AST -> PDX or PDX -> AST is that in the first case the session object already exists for the ICMP reply.
That is:
* traffic originates from AST,
* passes the VPN tunnel,
* arrives at the Juniper (and a corresponding session object is created).
When the reply from PDX is sent, the session object is used as a shortcut - no routes or policies to check. So it will pass.

The other way the session object does not yet exist, so routes and policies need to be checked. And obviously there is a route or policy taking precedence, forwarding the packet to public interface instead of passing it thru a tunnel.

Without seeing the config (or the relevant part of it, at least), that is all we can guess about.
A simple test is if you allow traffic logging for the VPN policy PDX -> AST. If you see traffic, the policy is hit, and can be exempted from being the culprit.
0
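Added example, not posted by anyone in this thread: a small Python model of the two points made above (a missing route for 192.168.3.0/24 at the Juniper, and the session-object shortcut that lets AST -> PDX replies pass anyway). The routing tables, interface names (trust, untrust, tunnel.1) and host addresses are constructed for illustration and are not taken from the poster's configuration; real firewall session keys also include protocol and ports, which this model leaves out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str


# Constructed routing table for the PDX firewall: 192.168.4.0/24 is the PDX LAN,
# everything else falls through the default route to the public interface.
# Interface names are assumed, not taken from the thread.
PDX_ROUTES_MISSING_TUNNEL = [
    Route(ipaddress.ip_network("192.168.4.0/24"), "trust"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "untrust"),
]

# Same table with the route Sanga Collins asked about: the AST LAN via the tunnel.
PDX_ROUTES_WITH_TUNNEL = PDX_ROUTES_MISSING_TUNNEL + [
    Route(ipaddress.ip_network("192.168.3.0/24"), "tunnel.1"),
]


def select_route(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


class Firewall:
    """Stateful forwarder: a reply to an existing session skips the route lookup."""

    def __init__(self, routes):
        self.routes = routes
        # (src, dst) -> interface the first packet of the session arrived on
        self.sessions = {}

    def forward(self, src, dst, ingress):
        """Return the egress interface chosen for a packet src -> dst."""
        # Reverse direction of a known session: shortcut, no routes or policies checked.
        if (dst, src) in self.sessions:
            return self.sessions[(dst, src)]
        # New session: consult the routing table, then remember the session.
        route = select_route(self.routes, dst)
        self.sessions[(src, dst)] = ingress
        return route.interface


def reproduce_symptom(routes):
    """Walk through the three flows from the question and return the egress chosen for each."""
    fw = Firewall(routes)
    # 1. AST host pings PDX host: arrives via the tunnel, routed to the PDX LAN.
    request = fw.forward("192.168.3.10", "192.168.4.10", ingress="tunnel.1")
    # 2. PDX host replies: existing session, so it goes back out the tunnel.
    reply = fw.forward("192.168.4.10", "192.168.3.10", ingress="trust")
    # 3. A different PDX host pings AST first: no session, so the routing table decides.
    fresh = fw.forward("192.168.4.20", "192.168.3.10", ingress="trust")
    return request, reply, fresh


if __name__ == "__main__":
    print("missing tunnel route:", reproduce_symptom(PDX_ROUTES_MISSING_TUNNEL))
    print("with tunnel route:   ", reproduce_symptom(PDX_ROUTES_WITH_TUNNEL))
```

With the tunnel route missing, the first two flows succeed (the reply rides the session) while the third is sent to the public interface, which is what the tracert from PDX to AST showed; adding the 192.168.3.0/24 route via the tunnel makes all three flows use tunnel.1.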
 
LVL 1

Author Comment

by:evault
ID: 37740624
Thank you both. Each of you has some merit to your suggestions. I will check both and get back to you.
0
 
LVL 1

Author Closing Comment

by:evault
ID: 37822435
Replaced the Juniper/NetGear firewalls with two SonicWALL units and everything is working just fine.
0
