
VPN gives two different types of IPs

Posted on 2012-03-16
Last Modified: 2012-04-08
I have two sites, PDX and AST, connected by an S2S VPN, Juniper at PDX and NetGear at AST. Both sites say the VPN connection is active. When I log into a PC on the AST network and ping a PC on the PDX LAN I get a response. When I do a tracert from the same two machines, I get two hops: 192.168.3.1 (AST gateway) and 192.168.4.1 (PDX gateway).
When I ping from a PC on the PDX LAN to a PC on the AST LAN, I get "Reply from 76.139.77.52 (fictitious): destination host unreachable." When I do a tracert from the same PDX LAN PC to the same AST LAN PC it GOES TO THE INTERNET (public IP addresses) and stops at 76.139.77.52.
Three questions (in order of importance):
What is the likely cause of this?
Why do I get private IP addresses when I tracert from AST to PDX?
Why would the VPN say it is up at both ends and yet I am not able to ping internally from PDX to AST?
Question by:evault
5 Comments

Author Comment

by:evault
ID: 37731720
By the way, there are three telcos involved in this: Vendor1, which provides service at PDX; Vendor2, which provides service at AST; and Vendor3, which provides connectivity between the two other vendors. Vendors 1 & 2 both claim their networks are delivering the packets successfully as far as their borders.

Accepted Solution

by:Sanga Collins (earned 250 total points)
ID: 37732719
This definitely sounds like a missing route statement is the cause of the issue. In the Juniper, do you have a route defined that implicitly says traffic for IP 192.168.3.0/24 should go out through the VPN tunnel?

Assisted Solution

by:Qlemo (earned 250 total points)
ID: 37733580
The difference between initiating traffic from AST -> PDX and from PDX -> AST is that in the first case the session object already exists for the ICMP reply.
That is:
* traffic originates from AST,
* passes the VPN tunnel,
* arrives at the Juniper (and a corresponding session object is created).
When the reply from PDX is sent, the session object is used as a shortcut: no routes or policies to check. So it will pass.

The other way around, the session object does not yet exist, so routes and policies need to be checked. And obviously there is a route or policy taking precedence, forwarding the packet to the public interface instead of passing it through a tunnel.

Without seeing the config (or the relevant part of it, at least), that is all we can guess about.
A simple test is to allow traffic logging for the VPN policy PDX -> AST. If you see traffic, the policy is hit and can be exempted from being the culprit.
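The two explanations given above (Sanga Collins's missing route for 192.168.3.0/24 on the PDX firewall, and Qlemo's point that a reply rides an existing session with no route or policy lookup) can be reproduced in a small model of a stateful firewall. The following Python is an added example and not code from this thread or from any Juniper or NetGear product; the route table, the session table keyed on (src, dst), and the interface names trust, tunnel.1 and untrust(public) are assumptions chosen to mirror the addresses in the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology following the thread: 192.168.3.0/24 is the AST LAN
# (behind the NetGear), 192.168.4.0/24 is the PDX LAN (behind the Juniper).
# Interface names are assumptions, not taken from any real configuration.
AST_LAN = ip_network("192.168.3.0/24")
PDX_LAN = ip_network("192.168.4.0/24")
TRUST, TUNNEL, PUBLIC = "trust", "tunnel.1", "untrust(public)"


@dataclass(frozen=True)
class Route:
    prefix: object   # an ipaddress network object
    interface: str   # egress interface for packets matching the prefix


def lookup(routes, dst):
    """Longest-prefix match: of all routes containing dst, the most specific wins.
    With only a default route present, 192.168.3.x matches 0.0.0.0/0 and is
    sent out the public interface, which is what the asker's tracert showed."""
    dst = ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


class StatefulFirewall:
    def __init__(self, routes):
        self.routes = list(routes)
        # Session table: (src, dst) of the packet that opened the flow ->
        # interface it arrived on, i.e. where the reply has to be sent back.
        self.sessions = {}

    def forward(self, src, dst, arrived_on):
        """Return the egress interface for a packet, or None if it is unroutable."""
        # A reply matching an existing session is forwarded on the remembered
        # interface with no route or policy evaluation (the shortcut Qlemo describes).
        if (dst, src) in self.sessions:
            return self.sessions[(dst, src)]
        # First packet of a flow: the route table decides and a session is created.
        route = lookup(self.routes, dst)
        if route is None:
            return None
        self.sessions[(src, dst)] = arrived_on
        return route.interface


def pdx_routes(with_tunnel_route):
    """Assumed PDX route table: default route to the public interface, the local
    LAN on trust, and optionally the route for the remote AST LAN via the tunnel."""
    routes = [Route(ip_network("0.0.0.0/0"), PUBLIC), Route(PDX_LAN, TRUST)]
    if with_tunnel_route:
        routes.append(Route(AST_LAN, TUNNEL))
    return routes


def ast_initiated_exchange():
    """AST host pings a PDX host: the request arrives via the tunnel and the
    reply follows the session back out, even with no route for the AST LAN."""
    fw = StatefulFirewall(pdx_routes(with_tunnel_route=False))
    request = fw.forward("192.168.3.10", "192.168.4.10", arrived_on=TUNNEL)
    reply = fw.forward("192.168.4.10", "192.168.3.10", arrived_on=TRUST)
    return request, reply


def pdx_initiated_first_packet(with_tunnel_route):
    """PDX host pings an AST host with no prior session: only the route table decides."""
    fw = StatefulFirewall(pdx_routes(with_tunnel_route))
    return fw.forward("192.168.4.10", "192.168.3.20", arrived_on=TRUST)


if __name__ == "__main__":
    print("AST -> PDX request/reply:", ast_initiated_exchange())
    print("PDX -> AST, no tunnel route:", pdx_initiated_first_packet(False))
    print("PDX -> AST, with tunnel route:", pdx_initiated_first_packet(True))
```

The AST-initiated request is routed to the PDX LAN and its reply leaves through the tunnel because the session remembers the ingress interface, so that direction works regardless of the route table. A PDX-initiated packet has no session to match, and without a 192.168.3.0/24 route it can only match 0.0.0.0/0 and exits on the public interface; adding the route makes it exit through the tunnel. On the real firewall the corresponding checks are the route table entry for the remote LAN prefix and, as Qlemo suggests, traffic logging on the PDX -> AST VPN policy.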

Author Comment

by:evault
ID: 37740624
Thank you both. Each of you has some merit to your suggestions. I will check both and get back to you.

Author Closing Comment

by:evault
ID: 37822435
Replaced the Juniper/NetGear firewalls with two SonicWALL units and everything is working just fine.