A cluster of SRXs has interface reth0.222 with IP 192.168.222.1/27.
In the same network we have an SSL VPN MAG6611 with internal IP 192.168.222.30/27 and multiple servers on 192.168.222.4,5,6.../27 IP addresses.
The SRXs have an IPsec VPN to a branch office with some servers at IP addresses 192.168.223.6,7,8/24.
Clients connected to the SSL VPN receive an IP from the MAG device in the range 10.10.10.26/24 to 10.10.10.126/24.
Routing
The SSL VPN has only one static route, to the default gateway, which is the SRX cluster on interface reth0.222 -> 192.168.222.1.
Servers in 192.168.222.0/27 have only a default gateway in their static routing, pointing to the same address as the MAG -> 192.168.222.1.
VPN clients can access the servers in the branch office without any problem. All protocols work fine.
VPN clients can send ICMP to, or connect using WWW to, the servers in the 192.168.222.0/27 network.
VPN clients can't connect to servers in 192.168.222.0/27 using the RDP or SMB protocols, BUT if the client computer connected to the SSL VPN first sends ICMP to some server in 192.168.222.0/27, then after the first ICMP reply it can connect to this server using RDP, SMB, ... After some time (several seconds), if ICMP is not being sent and RDP is not active, the possibility to connect using RDP, SMB disappears again. Solution - not complete: if we add on some server in 192.168.222.0/27 a static route like this: 10.10.10.0/24 next-hop 192.168.222.30, the problem disappears and RDP, SMB, ... work fine without ICMP.
We checked ARP on the SRX and on the MAG and it looks fine.
I understand that there is some fundamental problem in our solution, so please help me understand where routing is not working properly and how to rebuild this to eliminate the problem in a systematic way.
The issue appears to be some asymmetric routing to the pool addresses you have set up on the SSL VPN. Adding the route to the server prevents the asymmetry with the firewall hop.
Options would be:
Change the pool to be in the same address range as the SSL interface. I assume this is set up single-arm on one interface.
Change to dual-arm, with the second interface on the SSL having your pool subnet and a gateway to your firewall on its own. Then your sessions will be from this zone/interface and fully symmetrical to all devices.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
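The answer above attributes the RDP/SMB failure to asymmetric routing around the firewall hop. As an added illustration (not part of the original thread), the Python script below traces the forward and return hops from the routing tables the question lists, for the original layout, the question's server-side static route, and the answer's dual-arm option, and reports which direction crosses the SRX in each case. The server address 192.168.222.5, the client address 10.10.10.50, the SRX route to the pool and every dual-arm address are assumptions.

```python
import ipaddress

# Constructed model of the question's topology. Assumed (not stated on the page): the server
# address .5, the client address .50, the SRX route to the pool, and all dual-arm addresses.
SINGLE_ARM = {
    "mag": {"ifaces": {"ext": "192.168.222.30/27"}, "pool": ["10.10.10.0/24"],
            "routes": {"0.0.0.0/0": "192.168.222.1"}},
    "srx": {"ifaces": {"reth0.222": "192.168.222.1/27"}, "routes": {"10.10.10.0/24": "192.168.222.30"}},
    "server": {"ifaces": {"eth0": "192.168.222.5/27"}, "routes": {"0.0.0.0/0": "192.168.222.1"}}}
# Question's workaround: the server gets a static route for the pool via the MAG.
SERVER_ROUTE = {**SINGLE_ARM, "server": {"ifaces": {"eth0": "192.168.222.5/27"},
    "routes": {"0.0.0.0/0": "192.168.222.1", "10.10.10.0/24": "192.168.222.30"}}}
# Answer's option 2: pool subnet on a second MAG arm with its own SRX gateway (assumed addresses).
DUAL_ARM = {"server": SINGLE_ARM["server"],
    "mag": {"ifaces": {"int": "10.10.10.2/24"}, "pool": ["10.10.10.0/24"], "routes": {"0.0.0.0/0": "10.10.10.1"}},
    "srx": {"ifaces": {"reth0.222": "192.168.222.1/27", "reth1": "10.10.10.1/24"}, "routes": {}}}

def lookup(node, dst):
    """Longest-prefix match over connected and static routes: (out_iface, next_hop or None if on-link)."""
    dst = ipaddress.ip_address(dst)
    cands = [(ipaddress.ip_interface(a).network, i, None) for i, a in node["ifaces"].items()]
    cands += [(ipaddress.ip_network(p), None, nh) for p, nh in node["routes"].items()]
    net, out, nh = max((c for c in cands if dst in c[0]), key=lambda c: c[0].prefixlen)
    return (out if nh is None else lookup({"ifaces": node["ifaces"], "routes": {}}, nh)[0]), nh

def owner(topo, ip):
    """Node and interface terminating ip: an interface address first, else the MAG tunnel pool."""
    ip = ipaddress.ip_address(ip)
    hits = [(n, i) for n, d in topo.items() for i, a in d["ifaces"].items() if ipaddress.ip_interface(a).ip == ip]
    for name, node in topo.items():
        if not hits and any(ip in ipaddress.ip_network(p) for p in node.get("pool", [])):
            on_link = [i for i, a in node["ifaces"].items() if ip in ipaddress.ip_interface(a).network]
            hits.append((name, on_link[0] if on_link else "tunnel"))
    return hits[0] if hits else (None, None)

def trace(topo, src, dst):
    """Hops [(node, in_iface, out_iface)] from the node terminating src to the node terminating dst."""
    (node, in_if), path = owner(topo, src), []
    while node is not None and len(path) < 8:      # bounded in case the tables loop
        if owner(topo, dst)[0] == node:
            return path + [(node, in_if, None)]
        out_if, nh = lookup(topo[node], dst)
        path.append((node, in_if, out_if))
        node, in_if = owner(topo, nh or dst)
    raise RuntimeError("no path from %s to %s" % (src, dst))

def symmetry(topo, client="10.10.10.50", server="192.168.222.5"):
    """Nodes each direction crosses, whether the paths mirror, and whether the SRX sees both."""
    fwd, rev = [h[0] for h in trace(topo, client, server)], [h[0] for h in trace(topo, server, client)]
    return {"forward": fwd, "return": rev, "symmetric": fwd == rev[::-1], "srx_sees_both": "srx" in fwd and "srx" in rev}
```

In the single-arm layout the MAG delivers client traffic to the server directly over the shared /27 while the server's reply goes via the SRX, so the firewall sees only one direction; the server-side route takes it out of both directions, and the dual-arm layout puts it in both.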