Solved: L2L tunnel issue

mrSS · ‎08-06-2007

hello...

I created a L2L tunnel b/w a VPN 3005 to Juniper NetScreen ...the tunnel is up but we both are unable to ping the allowed ip...another thing, i only see rx traffic from him but no tx traffic from me...suspecting keep alives...

this is the second tunnel i built on this VPN 3005 box, this first has no issues with what i am experiencing now...

can any assist on this issue....thanks in advance

Jon Marshall · ‎08-06-2007

Hi

Okay, that is your problem. When the 192.168.10.10 pc tries to send traffic back to the 172.16.10.10 PC the traffic first goes to the Pix. But because you are running v6.x of the pix it is not allowed to send the traffic back out the same interface it came in on and it needs to do this to send the traffic to the VPN 3005.

With pix v7.x you can do this but a solution to your problem without having to upgrade would be to add a static route on your 192.168.10.10 PC saying to get to 172.16.10.10 go to 192.168.10.15.

HTH

Jon

View solution in original post

srue · ‎08-06-2007

could this be an internal routing issue on your side? It sounds like traffic from your side isn't even making it across the tunnel, while his is.. right?

Clear the tunnel, and try to initiate from your side to see if traffic you originate can bring it up.

mrSS · ‎08-06-2007

im not sure what may be blocking it...i attached a drawing of the l2l tunnel design...the tunnel is supposed to allow the 172 network to reach 192 network....i do have a PIX attached to the same network as the 192, could that be blocking traffic?...i check for documentation but couldnt find any...

thanks in advance

mrSS · ‎08-06-2007

sorry, here is the attachment..

Jon Marshall · ‎08-06-2007

Hi

What is the default gateway of the PC 192.168.10.10.

Also what version of software are you running on the pix.

Jon

mrSS · ‎08-06-2007

the dg is .20....the version of the pix is 6.3...

Jon Marshall · ‎08-06-2007

Hi

Okay, that is your problem. When the 192.168.10.10 pc tries to send traffic back to the 172.16.10.10 PC the traffic first goes to the Pix. But because you are running v6.x of the pix it is not allowed to send the traffic back out the same interface it came in on and it needs to do this to send the traffic to the VPN 3005.

With pix v7.x you can do this but a solution to your problem without having to upgrade would be to add a static route on your 192.168.10.10 PC saying to get to 172.16.10.10 go to 192.168.10.15.

HTH

Jon

mrSS · ‎08-06-2007

ok, that make sense...can i just add a static route to the pix stating: route 172.16.10.10 255.255.255.255 192.168.10.15 ?

thanks

Jon Marshall · ‎08-06-2007

Hi

No you can't because your pix will not route the traffic back out of the same interface it was received on unless your pix is running version 7.x code.

You need to add the static route to the client PC.

Jon

mrSS · ‎08-06-2007

ill give this a try and update with results...

again, thanks for your assistance...

srue · ‎08-06-2007

there is one more option if you're feeling adventurous...enable rip on the inside interface of the concentrator - rip v1 - and RRI. then enable the rip listener on xp.

Jon Marshall · ‎08-06-2007

"if you're feeling adventurous..enable rip "

Now that would be adventurous !! :)

mrSS · ‎08-09-2007

Jon Marshall...you are the man...adding the route statement worked!...I remember reading about this PIX not allowing traffic back out the same interface, but forgot all about it....

Thanks again!

Jon Marshall · ‎08-09-2007

No problem. Thanks for letting us know it worked and for the ratings.

Glad to be of help.

Jon

Jon Marshall · ‎08-12-2007

m