Hello!
I'm running into a strange issue with some of my company's sites. Traffic flowing in over one specific gateway is not getting to its destination. Everything else seems to be working.
Let me outline the current layout of our network, as best I can.
We have three sites across the country, connected via IPsec VPNs. Let's call them Primary Site, Subsite 1, and Subsite 2. They all have their own IP address ranges.
Primary Site is configured to use IP address range 192.168.1.*, Subsite 1 uses 192.168.10.*, and Subsite 2 uses 192.168.20.*.
In the Primary Site, we have three gateways leading to the internet (different ISPs), that will eventually be pared down. The three gateways are 192.168.1.1 (Netgear), 192.168.1.3 (Juniper), and 192.168.1.4 (Netgear).
Currently, we have an IPsec VPN tunnel to Subsite 1 connected to 1.4, and another tunnel connected to Subsite 2 on 1.1.
We have static routes set up on both Netgear devices, as well as the Juniper device, for directing traffic to the proper VPN gateways. People in Primary Site are able to access all machines in either Subsite, and people in either Subsite are able to access most of the machines in the Primary Site. This is where the issue comes in.
In Primary Site, we have many of our machines using 1.4 as a default gateway, and some of them using 1.3, with the eventual plan to have all of them using 1.3 as the default.
We have recently noticed that machines that have 1.3 as their default gateway are able to establish connections to machines in either subsite successfully, but trying to establish the same connection from the other end fails. For example, machines in Primary Site are able to use VNC to connect to Subsite machines, but those same Subsite machines are not able to VNC back to the same machines in the Primary Site.
If we set the default gateway on those machines to be either 1.1 or 1.4, connections are able to be established successfully in both directions.
We have static routes set up on both Netgear gateways, pointing to each other for the other VPN route. (Route for .10.* set up on 1.1 pointing to 1.4, route for .20.* set up on 1.4, pointing to 1.1)
We have static routing entries set up on the Juniper (1.3). .20.0/24 has next-hop set to 1.1, and .10.0/24 has next-hop set to 1.4.
With all of this in place, I am currently unable to understand why traffic is able to flow from 1.3 to either subsite successfully, but not the other way around. I'm guessing it's a configuration issue on the Juniper that I'm not aware of, but I'm uncertain.
Does anyone have any advice on what to look at next?
Thank you very much!
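To reason about the one-way symptom described above, here is an added Python model (not the poster's configuration or any vendor's code) that traces the SYN and the returning SYN-ACK of a TCP connection across the three Primary gateways and the two tunnels. It assumes the Juniper at 1.3 behaves as a stateful firewall that drops mid-stream packets for which it holds no session, while the Netgears are modelled as plain routers; under that assumption the model reproduces exactly the asymmetry the post reports.

```python
"""Model of the Primary/Subsite routing in the post (added example, not the
poster's config). Assumption: 1.3 is stateful, 1.1 and 1.4 are plain routers."""

# Static routes from the post: next hop each Primary-site gateway uses for a subsite.
ROUTES = {"1.1": {"sub1": "1.4", "sub2": "tunnel"},
          "1.3": {"sub1": "1.4", "sub2": "1.1"},
          "1.4": {"sub1": "tunnel", "sub2": "1.1"}}
TUNNEL_GW = {"sub1": "1.4", "sub2": "1.1"}  # gateway terminating each IPsec tunnel
STATEFUL = {"1.3"}                          # assumption, see module docstring


class Fabric:
    def __init__(self):
        self.sessions = set()   # (gateway, flow) pairs a stateful gateway saw a SYN for

    def passes(self, gw, flow, is_syn):
        """Stateful gateway: create a session on SYN, drop any other unseen packet."""
        if gw in STATEFUL:
            if is_syn:
                self.sessions.add((gw, flow))
            elif (gw, flow) not in self.sessions:
                return False
        return True

    def send(self, src, dst, flow, is_syn):
        """Trace one packet between endpoints (site, default_gw); None means dropped."""
        src_site, src_gw = src
        if src_site != "primary":
            # Tunnel gateway delivers straight onto the 192.168.1.0/24 LAN, bypassing 1.3.
            return ["tunnel", TUNNEL_GW[src_site]]
        hops, gw = [], src_gw
        while gw != "tunnel":       # Primary host: default gateway, then static routes
            if not self.passes(gw, flow, is_syn):
                return None
            hops.append(gw)
            gw = ROUTES[gw][dst[0]]
        return hops + ["tunnel"]


def tcp_connect(client, server):
    """True if both the SYN and the returning SYN-ACK are delivered."""
    fabric, flow = Fabric(), frozenset({client, server})
    if fabric.send(client, server, flow, is_syn=True) is None:
        return False
    return fabric.send(server, client, flow, is_syn=False) is not None


if __name__ == "__main__":      # outbound / inbound result per Primary default gateway
    for gw in ("1.1", "1.3", "1.4"):
        print(gw, tcp_connect(("primary", gw), ("sub1", None)), tcp_connect(("sub1", None), ("primary", gw)))
```

Hosts defaulting to 1.3 succeed outbound because the Juniper sees their SYN, but a connection initiated from a subsite arrives on the LAN via 1.4 or 1.1 and only the host's SYN-ACK reaches 1.3, which has no session for it.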