HQ and the remote office are using site-to-site VPN to communicate. 96.0/20 traffic are routed via eth1/3.1 via the tunnel to remote site office.
192.168.96.0/20 <NS eth1/3.1> <ISP>......Site-to-Site VPN.....<ISP><eth0/2 NS> 192.168.130.0/24
We have added a new link (Fiber) and want to reroute those VPN traffic to the new Fiber.
192.168.96.0/20 <NS eth1/3.1><ISP>.........................................<ISP><eth0/2 NS> 192.168.130.0/24
<NS eth1/5><ISP>....................Fiber................<ISP><eth0/1 NS> 192.168.130.0/24
HQ has implementated PBR with a 192.168.0.0/16. I added a more specific route 192.168.130.0/24 before this. HQ traffic cannot ping to the remote site after disable the tunnel.
1. Confirm the new link interface can be pinged on both netscreen.
2. HQ PC (192.168.98.82) cannot ping to FW new interface 192.168.230.1 and remote site interface 192.168.230.2.
3. RS PC (192.168.130.121) can ping to new interface 192.168.230.2 and remote site interface 192.168.230.1.
4. Tried to put the policy before pol-trust No 10 and found traffic were routed to Internet. (by tracroute)
5. Tried to put the policy after pol-trust No 10 and before 40, traffic are only shown '*' (by traceroute)
6. Tried to add a static route 192.168.130.0/24 next hop 192.168.230.2/29
7. Confirmed VPN tunnel is down when we were doing the re-route.
Here are some of the HQ and Remote Site Interface list and Routing table
Could someone help?
The config looks OK, ACL 9 should be hit before 6 and 7.
Can you collect a flow debug on HQ box while attempting the internal ping?
unset ff (repeat till you see a message - Invalid ID)
set ff src-ip <laptop ip> dst-ip 192.168.230.1
set ff src-ip 192.168.230.1 dst-ip <laptop ip>
debug flow basic
<<Run the ping test>>
get db st
The last command will print the debug trace, please share it.
© 1999 - 2019 Juniper Networks, Inc.
All rights reserved