Screen OS

  • 1.  [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-05-2012 09:43

    Hi everyone,

    I've put in a new SSG520 (6.3.0r11.0) and have some remote users connected via a Dialup VPN. There are several remote users who are configured to have a static IP address. Hosts within the Trust zone need to be able to initiate connections with these remote connected hosts. While the remotely connected hosts have no problem communicating with the Trust zone, the hosts within the Trust zone cannot initiate a connection with the remote connected systems.

    If you need portions of the config just let me know what you're interested in, as I'd rather not dump the whole config in this initial post. As far as I know this might just be some limitation with SSG. With regards to policy, currently I've added an any-any rule for a host within the Trust zone to the dialup user zone, so policy shouldn't be blocking.

    Any help or advice would be appreciated!



  • 2.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-06-2012 06:41

    Hi,

    Do you have a policy-based or a route-based VPN?



  • 3.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-06-2012 08:49

    Hi Edouard,

    Thanks for the reply. This is a route-based VPN. Let me know if you need any other information and I'll be happy to provide it.



  • 4.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-06-2012 18:54

    Hi,

    Can you share the routing information of the config?

    Also, please mention the proxy IDs configured on the VPN.

    Regards.

    Hardeep



  • 5.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone
    Best Answer

    Posted 07-09-2012 01:21

    Hi,

    The proxy ID that contains the dial-up address object (255.255.255.255/32) and the IP of the monitoring host should be up before you start pinging. The host in the LAN that sends pings cannot bring this proxy ID up. The client should send at least one packet to activate the SA.



  • 6.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-09-2012 05:25

    Hi everyone,

    Thanks so much for the help. I was hoping it was something small I'd missed, and I think echidov was right. Every time I tested I would connect the client and then try to ping that client from the internal network, which would fail. Then I'd go back and ping from the connected client and wonder why traffic would only flow in one direction.

    If I ping from the connected client to bring up the SA, then try to access the connected client from the internal network, everything works. A small detail, that the internal network can't bring up the SA, but one I won't forget any time soon.

    Thanks for the help everyone. 🙂



  • 7.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-09-2012 06:08

    Hi,

    Many VPN clients can automatically start a command/application/script etc. as soon as a connection has been established. You can add such a script to send a couple of pings and the SA will always be started on the client side.
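    As an added illustration of the post-connect script suggested above (this is not code from the thread, from Juniper, or from any particular VPN client), the hook below originates traffic from the client towards a host on the Trust side as soon as the tunnel is up, retrying until that host answers, so the SA for the client's /32 proxy ID is negotiated before anyone on the LAN needs it. The monitoring host address and port are placeholders, the loopback listener is a constructed stand-in for that host so the hook can be exercised offline, and the `ping` flags assume a Linux `ping`.

```python
"""Dial-up VPN post-connect hook: make the client send the first packet.

The LAN side cannot bring up the SA for the client's 255.255.255.255/32
proxy ID, so a VPN client "on connect" action runs this script to originate
traffic and verify the tunnel is passing packets end to end.
"""
import logging
import socket
import subprocess
import time

log = logging.getLogger("vpn-sa-activate")

# Placeholders (assumptions): a Trust-zone host the client is allowed to
# reach, and a TCP port it listens on. Replace with the real monitoring host.
MONITORING_HOST = "192.0.2.10"   # documentation-range address, not real
MONITORING_PORT = 443


def probe_tcp(host, port, timeout=2.0):
    """Originate one TCP connection towards the LAN. The SYN leaving the
    client is what triggers SA negotiation; success is only reported once
    the LAN host actually answers, i.e. traffic flowed both ways."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError as exc:
        log.debug("probe to %s:%s failed: %s", host, port, exc)
        return False


def probe_icmp(host, port=None, timeout=2.0):
    """Alternative probe that shells out to ping, as the thread suggests.
    Linux ping flags assumed (-c count, -W per-reply timeout in seconds)."""
    cmd = ["ping", "-c", "2", "-W", str(int(timeout)), host]
    try:
        result = subprocess.run(cmd, capture_output=True, check=False,
                                timeout=timeout * 2 + 5)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def activate_sa(host, port, attempts=5, delay=1.0, timeout=2.0, probe=probe_tcp):
    """Retry the probe until the LAN host answers or the budget runs out.
    Returns True when the tunnel passed traffic end to end, False otherwise,
    so a wrapper can alert or re-dial instead of assuming the SA is up."""
    for n in range(1, attempts + 1):
        if probe(host, port, timeout=timeout):
            log.info("SA active after %d probe(s) to %s", n, host)
            return True
        time.sleep(delay)
    log.warning("no answer from %s after %d probes; SA still down", host, attempts)
    return False


def _local_listener():
    """Constructed stand-in for the monitoring host: a TCP listener on
    loopback, so the hook can be exercised without a tunnel."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def self_check():
    """Exercise the hook offline: (host answering, host gone) -> (True, False)."""
    srv, port = _local_listener()
    try:
        up = activate_sa("127.0.0.1", port, attempts=2, delay=0.1, timeout=1.0)
    finally:
        srv.close()
    # Listener closed: the probe is refused, so the hook must report SA down.
    down = activate_sa("127.0.0.1", port, attempts=2, delay=0.1, timeout=1.0)
    return up, down


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    raise SystemExit(0 if activate_sa(MONITORING_HOST, MONITORING_PORT) else 1)
```

    The script exits non-zero when the LAN host never answers, which is the useful part for a defender: a client that "connected" but whose SA never came up shows up as a failed hook rather than as a silent one-way tunnel that only the helpdesk notices later.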



  • 8.  RE: [SOLVED] Can't ping dialup VPN hosts from Trust zone

    Posted 07-11-2012 15:03

    Sounds good, thanks again for the help!