topic Re: VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP in SASE and Remote Access

VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP

LifeisGood — Tue, 11 Jun 2024 15:13:44 GMT

Hello,

We have a CP VPN connected to CP FW. There is a DMZ (10.10.6.0/24 with 10.10.6.10 as the DMZ interface IP) on the FW. My VPN client got a route from the VPN gateway to route everything to the VPN gateway's external interface (84.84.84.11). See attached topology for details.

My VPN client can reach the DMZ interface IP on the FW (10.10.6.10). However, the client cannot reach any IPs (e.g. 10.10.6.38) in the DMZ subnet. If I add a host route on the VPN appliance (10.10.6.38/32 --> 10.10.6.10), then the VPN client can reach the host. Could someone help me understand why I have to add host route and how to avoid add 200+ host route for the DMZ hosts?

Re: VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP

PhoneBoy — Tue, 11 Jun 2024 18:33:24 GMT

Did you configure the Remote Access Encryption Domain to include the relevant DMZ networks?

Re: VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP

Duane_Toler — Tue, 11 Jun 2024 21:05:04 GMT

Is the VPN gateway 1 hop behind the firewall gateway? Or is it parallel, with the VPN gateway's external interface sharing the same subnet as the firewall gateway? Your network addressing makes it look parallel. Your diagram also suggests the VPN gateway's internal interface has to pass traffic back through the firewall gateway on another interface (which is fine).

In addition to the message from PhoneBoy (check his suggestion first), this also sounds like you are missing a return route on the firewall gateway for the office mode subnet (172.10.0/22). I suspect your firewall gateway, or perhaps the VPN gateway, is performing NAT and you aren't expecting it. The firewall gateway will see source IP packets of 172.10.0.0/22, so they need to be returned to the VPN gateway. You can see this with fw monitor. You can run this command on both gateways, which will give you a hint:

fw monitor -F 172.20.1.2,0,0,0,0 -F 0,0,172.20.1.2,0,0

You can also check your logs and you will see if NAT is being applied.

Similarly, make sure your interior network (10.10.6.0/24) has either a default route, or some type of route, to also send packets for 172.20.0.0/22 back to the firewall gateway.

Re: VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP

LifeisGood — Tue, 11 Jun 2024 21:43:51 GMT

Yes.

Re: VPN client cannot not reach host in a subnet, but can reach the subnet's Layer 3 interface IP

LifeisGood — Tue, 11 Jun 2024 21:49:10 GMT

Per CP Support, FW and VPN appliances share interfaces, and all the addresses in those shared subnets on the FW side are considered in the same layer 2 network. That's why the class C route I put in place does not do anything and more specific host routes are working fine. The workaround is to break class C into specific /25 routes. This work around worked. Thank you all for your input.