New to the SRX5308 and Site-to-Site VPN. I have used the wizard and believe that I have a successful tunnel between two SRX5308. I have done nothing other than run the wizard. I can ping across the tunnel to both the gateways and all devices on both sides.
Some devices are not working as expected across the tunnel. When troubleshooting the first symptom that I noticed is that tracert in both directions fails after the first hop (local gateway). Is this normal?
Thanks,
James
Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Make sure that the LAN IP Address range of the SRX5308 on Site A is different from the LAN IP Address range of the SRX5308 on Site B. For example, if the LAN IP Address range of the SRX5308 on Site A is 192.168.1.x then the LAN IP Address range of the SRX5308 on Site B should be 192.168.3.x (where x is a number from 1-254).
Kindly answer the questions below:
a. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site B and click the Ping button. Are you able to get replies?
b. On the web-GUI of the SRX5308 on Site A, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site B and click the Ping button. Are you able to get replies?
c. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of the SRX5308 on Site A and click the Ping button. Are you able to get replies?
d. On the web-GUI of the SRX5308 on Site B, go to Monitoring > Diagnostics. Then, check the box that says "Ping through a VPN tunnel?" and select the corresponding Gateway. Enter the LAN IP Address of a PC connected to the SRX5308 on Site A and click the Ping button. Are you able to get replies?
Note: As reference to the steps given to the above questions, kindly read page 388-389 of the SRX5308 reference manual here.
e. Is the modem connected to the SRX5308 (either Site A or Site B) a modem-only device or a modem-router combination?
f. What is the current firmware version of the SRX5308 on both sites? If ever it is not yet the latest version, I suggest you to update it to the latest version which is v4.3.5-3. Be sure to factory reset the SRX5308 right after upgrading the firmware then reconfigure the settings from scratch in order to start clean using the latest firmware version. Then, observe if the same problem will occur. You can download firmware v4.3.5-3 here.
Let me share the following articles below that might help:
Based from your answers, it seems that the VPN is all working fine.
Given the above facts should I be able to tracert successfully across the tunnel?
When connected to the VPN tunnel, it is as if you are connected within the same LAN from Site A to Site B and vice versa. Hence, tracert through the VPN tunnel will not indicate the number of hops.
Thanks again for the reply. I am wondering if the problematic devices are being hindered but a mask issue? Both ends are /24 and I used /24 in the traffic selection in the IPsec setup. Is this correct?
Thanks,
James
Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
I have read all the recommended pages and still have a few questions..
1. At the risk of sounding stupid, how do I view the firewall logs? Under Monitoring/Firewall Logs & Email/View Log I can see a log but it does not appear to contain any firewall related entries.
2. I have noticed that when using the Monitoring/Diagnostics and using ping though tunnel that pings fail to some devices. From a command prompt however all devices across the tunnel respond to pings. What might explain this discrepancy?
1. At the risk of sounding stupid, how do I view the firewall logs? Under Monitoring/Firewall Logs & Email/View Log I can see a log but it does not appear to contain any firewall related entries.
On the web-GUI of the SRX5308, go to Monitoring > Firewall Logs & E-mail. On the Routing Logs section, System Logs and Other Event Logs section, check the boxes of what you wanted to see when you view the logs.
2. I have noticed that when using the Monitoring/Diagnostics and using ping though tunnel that pings fail to some devices. From a command prompt however all devices across the tunnel respond to pings. What might explain this discrepancy?
It is possible that pings are not allowed. Kindly check if there is a rule to allow pings (ICMP Echo Requests) on the devices you are referring to. Let me share these links below that I found online and use it as reference guides:
Item a. I have checked all the boxes but the log is still very brief. Would it help for me to forward to you?
Item b. I have read the relevant pages you suggested. However, they are not relevant in my case as from the command prompt all devices ping successfully. Only through the dignostics interface do some fail. Windows firewall would not be involved in my case.
You may want to open a chat or online support ticket with the NETGEAR Support Team and attach the logs so that it will be forwarded to the engineering team for it to be analyzed.
Kindly try to use another WAN port of the SRX5308 on both Site A and Site B. Then, set up a VPN tunnel using the VPN Wizard as well. Check if the same problem will occur. You may want to perform a factory reset on both SRX5308 then reconfigure the setting from scratch and observe.
Thanks for your help so far. One last question however. Is traffic on the site-to-site VPN runnning behind the firewall such that all ports both UDP and TCP be unrestricted by default? In other words VPN traffic should not affected by firewall rules?
