04-06-2012 10:49 AM
In the attached setup (Site-to-Site IPsec VPN for overlapping subnets at one branch and the HO site), traffic is passing between branches and HO without any issues. But while I do traceroute, I don't see the IP addresses of the st0 units at these two sites; for these two I get "request timed out". SRX flow trace shows that the SRX is sending an ICMP Type 11, Code 0 (TTL expiry) message, but that is not seen back at the initiating PC.
Between the non-overlapping branch site and HO, traceroute works fine. I have similar configuration with respect to host-inbound-traffic and suspected a security policy issue (to allow the ICMP error message) at the intermediate SRXs, and for testing purposes I have enabled default-policy permit-all, but to no use.
Any ideas? Thanks in advance.
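For readers following this thread, here is an added Junos configuration sketch (not the poster's attached configuration and not from Juniper documentation) of the pieces the question touches on: an st0.0 tunnel interface placed in its own zone with ping and traceroute permitted as host-inbound services, that interface bound to a virtual-router instance, and a security policy that explicitly permits ICMP between the LAN zone and the tunnel zone. Zone names (trust, vpn), the instance name HO-VR and the 10.10.10.0/24 prefix are assumptions for the example; the predefined application junos-icmp-all is a real Junos object.

```junos
security {
    zones {
        security-zone vpn {
            /* Without these services the SRX drops ping/traceroute
               addressed to its own st0 address in this zone. */
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                st0.0;
            }
        }
    }
    policies {
        /* ICMP in both directions so echo requests, UDP probes and the
           returning ICMP errors are not silently discarded. */
        from-zone trust to-zone vpn {
            policy allow-icmp-out {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
        from-zone vpn to-zone trust {
            policy allow-icmp-in {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
        }
    }
}
routing-instances {
    /* HO-VR is an assumed name: the tunnel interface lives here,
       so the remote subnet must be routed inside this instance. */
    HO-VR {
        instance-type virtual-router;
        interface st0.0;
        routing-options {
            static {
                route 10.10.10.0/24 next-hop st0.0;
            }
        }
    }
}
```

When comparing a working and a non-working site, it is worth checking that the zone holding st0.0, the policies referencing that zone, and the routing-instance membership all match on each box, since a tunnel interface in a virtual-router is easy to leave out of one of the three.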
04-12-2012 11:15 PM
Hi, I don't see any issue while doing traceroute on overlapping subnets through the tunnel on my testbed. Can you try traceroute from Branch1 to 10.10.10.2 with the source as the branch LAN connected interface, which is trust, and see?
04-13-2012 04:25 AM
Thank you Venu for testing this and replying. Actually, in my setup st0.0 on the HO site is in a virtual-router. Is it the same in your case also?
I have attached my complete configuration (of all 3 sites - Branch 1, Branch 2 and HO). Could you please check?
Thanks once again.