JamesN33
Aug 31, 2018 (Aspirant)
SRX 5308 Site-to-Site VPN not fully working
Hi all,
New to the SRX5308 and Site-to-Site VPN. I have used the wizard and believe that I have a successful tunnel between two SRX5308. I have done nothing other than run the wizard. I can...
DaneA
Sep 03, 2018 (NETGEAR Employee Retired)
Hi JamesN33,
Welcome to the community! :)
Make sure that the LAN IP Address range of the SRX5308 on Site A is different from the LAN IP Address range of the SRX5308 on Site B. For example, if the LAN IP Address range of the SRX5308 on Site A is 192.168.1.x then the LAN IP Address range of the SRX5308 on Site B should be 192.168.3.x (where x is a number from 1-254).
Kindly answer the questions below:
a. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site B and click the Ping button. Are you able to get replies?
b. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site B and click the Ping button. Are you able to get replies?
c. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site A and click the Ping button. Are you able to get replies?
d. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site A and click the Ping button. Are you able to get replies?
Note: As a reference for the steps given in the questions above, kindly read pages 388-389 of the SRX5308 reference manual here.
e. Is the modem connected to the SRX5308 (either Site A or Site B) a modem-only device or a modem-router combination?
f. What is the current firmware version of the SRX5308 on both sites? If it is not yet the latest version, I suggest you update it to the latest version, which is v4.3.5-3. Be sure to factory reset the SRX5308 right after upgrading the firmware, then reconfigure the settings from scratch in order to start clean using the latest firmware version. Then, observe if the same problem will occur. You can download firmware v4.3.5-3 here.
Let me share the following articles below that might help:
Configuring a Box to Box VPN on ProSAFE/ProSECURE routers using the VPN Wizard
Configure IPSec VPN Tunnels With the Wizard - read pages 3 to 5
Regards,
DaneA
NETGEAR Community Team
JamesN33
Sep 04, 2018 (Aspirant)
DaneA-
Thanks for your reply. Here is the info you requested.
The address ranges on both routers are different.
RouterA 192.168.70.0/24
RouterB 192.168.80.0/24
a. Yes
b. Yes
c. Yes
d. Yes
e. Each router is connected to ISP provided cable modem.
f. Firmware is current
I have also read the pages you suggested and the tunnel was created with the wizard as outlined in those pages.
Given the above facts should I be able to tracert successfully across the tunnel?
Thanks,
James
- DaneA, Sep 05, 2018 (NETGEAR Employee Retired)
Based on your answers, it seems that the VPN is all working fine.
"Given the above facts should I be able to tracert successfully across the tunnel?"
When connected to the VPN tunnel, it is as if you are connected within the same LAN from Site A to Site B and vice versa. Hence, tracert through the VPN tunnel will not indicate the number of hops.
Regards,
DaneA
NETGEAR Community Team
- JamesN33, Sep 05, 2018 (Aspirant)
DaneA-
Thanks again for the reply. I am wondering if the problematic devices are being hindered by a mask issue? Both ends are /24 and I used /24 in the traffic selection in the IPsec setup. Is this correct?
Thanks,
James
- DaneA, Sep 06, 2018 (NETGEAR Employee Retired)
"I am wondering if the problematic devices are being hindered by a mask issue?"
You may check the VPN Logs. Kindly refer to pages 339-443 on the SRX5308 user manual here about IPSec VPN Logs.
"Both ends are /24 and I used /24 in the traffic selection in the IPsec setup. Is this correct?"
Yes, this is correct.
Regards,
DaneA
NETGEAR Community Team
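The subnet and mask questions raised in this thread can be checked offline. The following is an added example, not part of the thread or of any NETGEAR tooling: it verifies that the two site ranges posted above do not overlap, then flags hosts whose own mask or gateway would keep their traffic from ever reaching the VPN gateway. The host list, the gateway address 192.168.70.1 and all function names are assumptions made for illustration.

```python
import ipaddress

# LAN ranges as posted in the thread (RouterA / RouterB).
SITE_A = ipaddress.ip_network("192.168.70.0/24")
SITE_B = ipaddress.ip_network("192.168.80.0/24")

def check_selectors(local, remote):
    """Return problems with a pair of LAN subnets used as IPsec traffic selectors."""
    problems = []
    if local.overlaps(remote):
        problems.append(f"{local} overlaps {remote}: sites need distinct LAN ranges")
    return problems

def check_host(ip, prefix_len, gateway, local, remote):
    """Return reasons this host's traffic would not reach the tunnel."""
    iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
    problems = []
    if iface.ip not in local:
        problems.append(f"{ip} is outside the site LAN {local}")
    # A mask wider than the site's makes the host treat remote addresses as
    # on-link: it ARPs for them locally and never forwards to the VPN gateway.
    if iface.network.overlaps(remote):
        problems.append(f"mask /{prefix_len} covers {remote}; remote hosts look on-link")
    gw = ipaddress.ip_address(gateway) if gateway else None
    if gw is None:
        problems.append("no default gateway")
    elif gw not in iface.network:
        problems.append(f"gateway {gw} is not on the host's network {iface.network}")
    return problems

def audit(hosts, local, remote):
    """Map each host IP to its list of problems (empty list means OK)."""
    return {h[0]: check_host(*h, local, remote) for h in hosts}

# Constructed sample hosts on Site A: (ip, prefix length, default gateway).
# The gateway 192.168.70.1 is an assumed router LAN address, not from the thread.
SAMPLE_HOSTS = [
    ("192.168.70.10", 24, "192.168.70.1"),
    ("192.168.70.11", 16, "192.168.70.1"),
    ("192.168.70.12", 24, None),
]

if __name__ == "__main__":
    print(check_selectors(SITE_A, SITE_B) or "selectors OK")
    for ip, problems in audit(SAMPLE_HOSTS, SITE_A, SITE_B).items():
        print(ip, "->", problems or "OK")
```
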