Screen OS

  • 1.  SSG550 routing problem.

    Posted 02-28-2013 05:25

    SSG550 routing problem.  A tunnel is established between an SSG550 (local) and an SSG20 (remote).  For days everything works fine, then some addresses on the remote network behind the SSG20 are not reachable.  They can be pinged from the SSG20 but not from the SSG550 or the local network.  A traceroute to the remote unreachable address will bounce between the trusted interface on the SSG550 and the local router.  A traceroute to another device on the same remote network will work correctly.  A traceroute to an IP address that is not used on the remote network will time out correctly.  One time the problem cleared up on its own; the most recent event was corrected by resetting the SSG550.

    Any ideas?



  • 2.  RE: SSG550 routing problem.

    Posted 02-28-2013 07:19

    Hi,

     

    Looks like the session could be getting corrupted for those IP addresses.

    Is it a route-based VPN?

    Check the routing table and the sessions for the failing IP when the issue occurs.

     

    Regards.

    Hardeep



  • 3.  RE: SSG550 routing problem.

    Posted 02-28-2013 09:11

    It's policy-based and it just went down again.  The route looks good.  I can ping the device from the remote SSG20, but when I ping from the local SSG550, &&&&& is returned.  Devices on the same subnet can be pinged from the local SSG550 or workstations.  A get session showed no problems, but I cleared the sessions for the remote device and it didn't help.

     

    Tom



  • 4.  RE: SSG550 routing problem.
    Best Answer

    Posted 02-28-2013 11:07

    The local SSG550 had routes to the remote network in both the trust and untrust VRs.  The route in untrust-vr had a preference of 20.  Not sure how or why they were added to the untrust-vr, but removing them fixed the problem.  I don't understand why it only affected a few devices on the same subnet randomly.

     

    Tom