Hi all, New to the SRX5308 and Site-to-Site VPN. I have used the wizard and believe that I have a successful tunnel between two SRX5308. I have done nothing other than run the wizard. I can ping across the tunnel to both the gateways and all devices on both sides. Some devices are not working as expected across the tunnel. When troubleshooting the first symptom that I noticed is that tracert in both directions fails after the first hop (local gateway). Is this normal? Thanks, James

Hi JamesN33, Welcome to the community! :) Make sure that the LAN IP Address range of the SRX5308 on Site A is different from the LAN IP Address range of the SRX5308 on Site B. For example, if the LAN IP Address range of the SRX5308 on Site A is 192.168.1.x then the LAN IP Address range of the SRX5308 on Site B should be 192.168.3.x (where x is a number from 1-254). Kindly answer the questions below: a. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site B and click the Ping button. Are you able to get replies? b. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site B and click the Ping button. Are you able to get replies? c. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site A and click the Ping button. Are you able to get replies? d. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site A and click the Ping button. Are you able to get replies? Note: As reference to the steps given to the above questions, kindly read page 388-389 of the SRX5308 reference manual here. e. Is the modem connected to the SRX5308 (either Site A or Site B) a modem-only device or a modem-router combination? f. What is the current firmware version of the SRX5308 on both sites? If ever it is not yet the latest version, I suggest you to update it to the latest version which is v4.3.5-3. Be sure to factory reset the SRX5308 right after upgrading the firmware then reconfigure the settings from scratch in order to start clean using the latest firmware version. Then, observe if the same problem will occur. You can download firmware v4.3.5-3 here. Let me share the following articles below that might help: Configuring a Box to Box VPN on ProSAFE/ProSECURE routers using the VPN Wizard Configure IPSec VPN Tunnels With the Wizard - read pages 3 to 5 Regards, DaneA NETGEAR Community Team

DaneA- Thanks for your reply. Here is the info you requested.. The address ranges on both routers are different. RouterA 192.168.70.0/24 RouterB 192.168.80.0/24 a. Yes b. Yes c. Yes d. Yes e. Each router is connected to ISP provided cable modem. f. Firmware is current I have also read the pages you suggested and the tunnel was created with the wizard as outlined in those pages. Given the above facts should I be able to tracert successfully across the tunnel? Thanks, James

JamesN33, Based from your answers, it seems that the VPN is all working fine. Given the above facts should I be able to tracert successfully across the tunnel? When connected to the VPN tunnel, it is as if you are connected within the same LAN from Site A to Site B and vice versa. Hence, tracert through the VPN tunnel will not indicate the number of hops. Regards, DaneA NETGEAR Community Team

DaneA- Thanks again for the reply. I am wondering if the problematic devices are being hindered but a mask issue? Both ends are /24 and I used /24 in the traffic selection in the IPsec setup. Is this correct? Thanks, James

JamesN33, I am wondering if the problematic devices are being hindered but a mask issue? You may check the VPN Logs. Kindly refer to pages 339-443 on the SRX5308 user manual here about IPSec VPN Logs. Both ends are /24 and I used /24 in the traffic selection in the IPsec setup. Is this correct? Yes, this is correct. Regards, DaneA NETGEAR Community Team

SRX 5308 Site-to-Site VPN not fully working

11 Replies

Replies have been turned off for this discussion

DaneA
NETGEAR Employee Retired
Sep 03, 2018
Hi JamesN33,

Welcome to the community! :)

Make sure that the LAN IP Address range of the SRX5308 on Site A is different from the LAN IP Address range of the SRX5308 on Site B. For example, if the LAN IP Address range of the SRX5308 on Site A is 192.168.1.x then the LAN IP Address range of the SRX5308 on Site B should be 192.168.3.x (where x is a number from 1-254).

Kindly answer the questions below:

a. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site B and click the Ping button. Are you able to get replies?

b. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site B and click the Ping button. Are you able to get replies?

c. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site A and click the Ping button. Are you able to get replies?

d. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site A and click the Ping button. Are you able to get replies?

Note: As reference to the steps given to the above questions, kindly read page 388-389 of the SRX5308 reference manual here.

e. Is the modem connected to the SRX5308 (either Site A or Site B) a modem-only device or a modem-router combination?

f. What is the current firmware version of the SRX5308 on both sites? If ever it is not yet the latest version, I suggest you to update it to the latest version which is v4.3.5-3. Be sure to factory reset the SRX5308 right after upgrading the firmware then reconfigure the settings from scratch in order to start clean using the latest firmware version. Then, observe if the same problem will occur. You can download firmware v4.3.5-3 here.

Let me share the following articles below that might help:

Configuring a Box to Box VPN on ProSAFE/ProSECURE routers using the VPN Wizard

Configure IPSec VPN Tunnels With the Wizard - read pages 3 to 5

Regards,

DaneA

NETGEAR Community Team
- JamesN33
  Aspirant
  Sep 04, 2018
  DaneA-
  
  Thanks for your reply. Here is the info you requested..
  
  The address ranges on both routers are different.
  
  RouterA 192.168.70.0/24
  
  RouterB 192.168.80.0/24
  
  a. Yes
  
  b. Yes
  
  c. Yes
  
  d. Yes
  
  e. Each router is connected to ISP provided cable modem.
  
  f. Firmware is current
  
  I have also read the pages you suggested and the tunnel was created with the wizard as outlined in those pages.
  
  Given the above facts should I be able to tracert successfully across the tunnel?
  
  Thanks,
  
  James
  - DaneA
    NETGEAR Employee Retired
    Sep 05, 2018
    JamesN33,
    
    Based from your answers, it seems that the VPN is all working fine.
    
    Given the above facts should I be able to tracert successfully across the tunnel?
    
    When connected to the VPN tunnel, it is as if you are connected within the same LAN from Site A to Site B and vice versa. Hence, tracert through the VPN tunnel will not indicate the number of hops.
    
    Regards,
    
    DaneA
    NETGEAR Community Team
DaneA
NETGEAR Employee Retired
Sep 10, 2018
JamesN33,

You may want to open a chat or online support ticket with the NETGEAR Support Team and attach the logs so that it will be forwarded to the engineering team for it to be analyzed.

Kindly try to use another WAN port of the SRX5308 on both Site A and Site B. Then, set up a VPN tunnel using the VPN Wizard as well. Check if the same problem will occur. You may want to perform a factory reset on both SRX5308 then reconfigure the setting from scratch and observe.

Regards,

DaneA

NETGEAR Community Team
- JamesN33
  Aspirant
  Sep 12, 2018
  DaneA-
  
  Thanks for your help so far. One last question however. Is traffic on the site-to-site VPN runnning behind the firewall such that all ports both UDP and TCP be unrestricted by default? In other words VPN traffic should not affected by firewall rules?
  
  Thanks,
  
  James
- DaneA
  NETGEAR Employee Retired
  Sep 12, 2018
  JamesN33,
  
  Yes, the VPN traffic should not be affected by the firewall rules. Firewall rules are meant for LAN/WAN traffic.
  
  Regards,
  
  DaneA
  
  NETGEAR Community Team

Forum Discussion

SRX 5308 Site-to-Site VPN not fully working

11 Replies

Related Content

PR60X Site to Site IPSEC Site to Site VPN frequently drops and will not restart automatically

R6220 Supports Site-to-Site VPN?

IPSec site to site Verbindung BR200 - Devices nicht erreichbar

Site to site iPSec VPN with two BR500 VPN router

IPSec site-to-site with multiple VLANS

NETGEAR Academy

ProSupport for Business