ScreenOS Firewalls (NOT SRX)

Routing change from tunnel to a direct link issue

01-20-2019 05:33 PM

Hi All,


Existing setting:

HQ and the remote office use a site-to-site VPN to communicate. 96.0/20 traffic is routed out eth1/3.1 through the tunnel to the remote site office.

192.168.96.0/20  <NS eth1/3.1> <ISP>......Site-to-Site VPN.....<ISP><eth0/2 NS> 192.168.130.0/24


New Setting:

We have added a new link (fiber) and want to reroute that VPN traffic over the new fiber.

192.168.96.0/20   <NS eth1/3.1><ISP>.........................................<ISP><eth0/2 NS> 192.168.130.0/24

                                <NS eth1/5><ISP>....................Fiber................<ISP><eth0/1 NS> 192.168.130.0/24


Issue:

HQ has implemented PBR with a 192.168.0.0/16 entry. I added a more specific route for 192.168.130.0/24 before it. HQ traffic cannot ping the remote site after disabling the tunnel.


1. Confirmed the new link interface can be pinged on both NetScreens.

2. HQ PC (192.168.98.82) cannot ping the FW's new interface 192.168.230.1 or the remote site interface 192.168.230.2.

3. RS PC (192.168.130.121) can ping the new interface 192.168.230.2 and the remote site interface 192.168.230.1.

4. Tried putting the policy before pol-trust No. 10 and found traffic was routed to the Internet (by traceroute).

5. Tried putting the policy after pol-trust No. 10 and before 40; traffic only shows '*' (by traceroute).

6. Tried adding a static route 192.168.130.0/24 with next hop 192.168.230.2/29.

7. Confirmed the VPN tunnel was down while we were doing the re-route.


Re: Routing change from tunnel to a direct link issue

01-20-2019 05:34 PM

Here are some of the HQ and Remote Site interface lists and routing tables (attached).

Re: Routing change from tunnel to a direct link issue

01-20-2019 08:07 PM

Could someone help?


Re: Routing change from tunnel to a direct link issue

01-20-2019 10:52 PM

Hi,


The config looks OK, ACL 9 should be hit before 6 and 7.

Can you collect a flow debug on the HQ box while attempting the internal ping?

clear db
unset ff (repeat till you see the message "Invalid ID")
set ff src-ip <laptop ip> dst-ip 192.168.230.1
set ff src-ip 192.168.230.1 dst-ip <laptop ip>
debug flow basic
<<Run the ping test>>
undebug all
get db st

 

The last command will print the debug trace; please share it.

Regards,
Gokul