topic Re: Corporate Access - Users to Data center (Network) Unsuccessful in SASE and Remote Access

Corporate Access - Users to Data center (Network) Unsuccessful

chethan_m — Tue, 20 Jun 2023 03:53:39 GMT

Hi Everyone,

I am practicing Harmony Connect on my Home lab and I have setup the Harmony connect for corporate access for users to access the internal resources. I'm following the admin guide for deployment.

Installed Ubuntu Server - Successful.
Installed docker engine on the ubuntu server - Successful.
Created a data center on Infinity portal and copied the connecter command - Successful.
Installed the connector on the docker engine - Successful. -> Verified the IPsec VPN tunnels are successfully established between the cloud controller and the gateway (docker logs -f <connector-id> | grep -w tunnel) - Successful.
Created a trusted user/device and installed the harmony connect client on the user machine - Successful.
Both the secure network access and internet access are connected on the Harmony Connect App - Successful.
Created the Network Access Control polices for (any source -> internal n/w) and installed the policy - Successful.
Verified that bypass network doesn't overlap the internal n/w in focus - Successful.
Traffic is sent via harmony connect virtual adapter towards its gateway on the connect client application (verified on wireshark) but the connection is not established, and I do not see any traffic on the connector side towards the destination (Internal resource) as well - Unuccessful.

In my virtual environment. This is how the network is:

Internet <--> VNET <interface1> Ubuntu Server Host/Docker [Connector] <interface2> <--> Ubuntu Web Server.

Things I need to know is:

Must the Docker and the Internal resources be on the same sub-network, or can it be on different network?
Should I point the gateway of my internal resources towards the docker interface or not?

I will share any logs or screenshots if necessary.

Regards,

Chethan

Re: Corporate Access - Users to Data center (Network) Unsuccessful

Chris_Atkinson — Tue, 20 Jun 2023 14:46:02 GMT

The answer to both is no as far as I'm aware.

Different subnets can be used and the internal resources should not be using the docker/connector as their default gateway.

Re: Corporate Access - Users to Data center (Network) Unsuccessful

chethan_m — Tue, 20 Jun 2023 18:43:37 GMT

Thanks for the information.

My Clientless Corporate Application sites (HTTP & SSH) for the same destination are working without any problem. I'm facing issue with Network Access only. I don't know which configuration I'm missing out. Will update the same.

Re: Corporate Access - Users to Data center (Network) Unsuccessful

Andy_P — Wed, 26 Jul 2023 19:57:27 GMT

Hi.

1) Please check that you don't have network in bypass configuration for HC agent.

Harmony Connect App > setting > Harmony Connect agent > Bypass destinations.

2) You should also have traffic allowed in Network Access policy.

3) Check that you can proper connectivity mode for HC agent

4) Check that network where connector is connected and all other networks you plan to reach are included in DC object.

If it won't help please contact me.

Re: Corporate Access - Users to Data center (Network) Unsuccessful

chethan_m — Fri, 28 Jul 2023 11:05:23 GMT

Hi Andy,

Thanks for the reply.

The problem was not with our configuration. ICMP was working fine, we raised a TAC ticket and they had to change the MTU size on the Harmony Connect cloud gateways which then resolved the issue.

Regards,

Chethan