RDP works only if ping was running first.

[ Edited ]
‎02-10-2017 02:51 AM


A cluster of SRXs has interface reth0.222 with IP

In the same network we have an SSL VPN MAG6611 with internal IP and multiple servers on ,5,6.../27 IP addresses.

The SRXs have an IPsec VPN to a branch office with some servers at IP addresses ,7,8/24

Clients connected to the SSL VPN receive an IP from the MAG device in the scope from to
The SSL VPN has only one static route, to the default gateway, which is the SRX cluster on the reth0.222 interface ->

Servers in have only a default gateway in their static routing, to the same address as the MAG ->


VPN clients can access the servers in the branch office without any problem. All protocols work fine.

VPN clients can send ICMP to, or connect using WWW to, the servers in the networks.

VPN clients can't connect to servers from using the RDP or SMB protocols, BUT if the client on the computer connected to the SSL VPN first sends ICMP to some server from , then after the first ICMP reply it can connect to this server using RDP, SMB, ...
After some time (more seconds), if ICMP is not being sent and RDP is not active, the possibility to connect using RDP, SMB disappears again.
Solution (not a complete one):
If we add on some server from a static route like this: next-hop
the problem disappears and RDP, SMB, ... work fine without ICMP.

We checked ARP on the SRX and on the MAG and it looks fine.


I understand that there is some fundamental problem in our solution, so please help me understand where the routing does not work properly and how to rebuild this to eliminate the problem in a systematic way.

View of network attached.




Re: RDP works only if ping was running first.

‎02-10-2017 03:09 AM

The issue appears to be some asymmetrical routing to the pool addresses you have set up on the SSL VPN. Adding the route to the server prevents the asymmetry with the firewall hop.


Options would be:


Change the pool to be in the same address range as the SSL interface. I assume this is set up single-arm on one interface.


Change to dual-arm, with the second interface on the SSL having your pool subnet and a gateway to your firewall on its own. Then your sessions will be from this zone/interface and fully symmetrical to all devices.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
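The SRX side of the dual-arm option above, as an added example; this is not configuration from the thread, the MAG, or Juniper documentation. Every address, VLAN ID, zone name (sslvpn-pool, trust) and application name is a hypothetical placeholder: the thread's real pool and server subnets are not shown, so substitute your own. The idea is that the client pool is reached only through a second MAG interface in its own subnet and zone, so that both the client-to-server packets and the servers' replies (whose default gateway is the SRX) cross the firewall on the same pair of interfaces.

```junos
## Added example, not from the original post. All addresses, VLAN IDs,
## zone names and application names are hypothetical.

## Second arm: a new VLAN sub-interface on the reth facing the MAG's
## second (pool-side) interface, in a subnet of its own (hypothetical 10.223.0.0/24).
set interfaces reth0 unit 223 description "SSL VPN pool arm (hypothetical)"
set interfaces reth0 unit 223 vlan-id 223
set interfaces reth0 unit 223 family inet address 10.223.0.1/24

## Dedicated zone so VPN-client flows are classified by their own ingress
## interface instead of arriving from the server segment on reth0.222.
set security zones security-zone sslvpn-pool interfaces reth0.223
set security zones security-zone sslvpn-pool host-inbound-traffic system-services ping

## Route the client pool (hypothetical 10.230.0.0/24) to the MAG's pool-side
## address (hypothetical 10.223.0.2). Server replies to pool addresses now go
## SRX -> MAG over this arm, the same firewall hop the client packets used,
## so the session is symmetric and the SRX sees both directions.
set routing-options static route 10.230.0.0/24 next-hop 10.223.0.2

## Explicit policy for the protocols discussed in the thread
## (trust is assumed to be the zone holding reth0.222 and the servers).
set applications application rdp-3389 protocol tcp destination-port 3389
set applications application smb-445 protocol tcp destination-port 445
set security address-book global address vpn-pool 10.230.0.0/24
set security address-book global address servers-lan 10.222.0.0/27
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers match source-address vpn-pool
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers match destination-address servers-lan
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers match application junos-icmp-all
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers match application junos-http
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers match application rdp-3389
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers match application smb-445
set security policies from-zone sslvpn-pool to-zone trust policy vpn-to-servers then permit
```

On the MAG side the pool must be bound to that second interface with the SRX's reth0.223 address as its gateway, and the servers keep the SRX as their default gateway, so no per-server static route like the partial workaround is needed. To confirm the fix, open an RDP session from a VPN client without pinging first and check that the SRX holds a session for it in both directions, for example with `show security flow session source-prefix 10.230.0.0/24` (substituting your real pool); an asymmetric flow shows up as no session, or as drops for the server's SYN-ACK, in the flow trace.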