
Connections to remote site originating from SMB gateway

Hello guys,

I am having an issue in which the SMB 1400 cannot access hosts (DNS, DHCP, NTP servers) on a remote network via site-to-site VPN. Connections originating from the internal hosts work great.

I have checked the advanced option "Use internal IP address for encrypted connections from local gate", but now connections are started with the SYNC interface IP address instead of an IP in the local encryption domain, so they are dropped before entering the VPN tunnel:

;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 -> dropped by vpn_encrypt_chain Reason: No error;

How can I make this work correctly?

3 Replies

The question is hard to answer as very little information is given:

- I would assume that this 1400 is locally managed (although it is an expensive 1400), as the Advanced Setting mentioned is only available when locally managed

- is "Disable NAT for this Site" enabled in the VPN Site definition?

- how are the Encryption Domains defined?

- what is the error when the SMB 1400 cannot access hosts, and where is the packet dropped?

- which GW is the VPN peer and what do the logs show there?

0 Kudos

I'm sorry, I did omit a lot of information.

1. Yes, the appliance is locally managed.

2. NAT is disabled for this site.

3. Local encryption domain is manually set for 3 internal networks, which obviously does not include the cluster SYNC network.

4. The connections time out; zdebug shows:

;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 -> dropped by vpn_encrypt_chain Reason: No error; is the sync IP address and is the host in the remote site.

5. Peers are AWS and Azure. I do not think there is any issue there. The packet simply won't get there, since the GW is using an IP that is not (and should not be) in the encryption domain.

Mainly, my question is: can I make the 1400 use an internal IP from a network that is in the encryption domain, or do I have to redo all VPN site configs to include the SYNC network (including the AWS and Azure GW configs)?

0 Kudos
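To turn the symptom described in this thread into a repeatable check, here is an added example (not from the thread and not Check Point code) that parses fw_log_drop_ex lines like the one quoted above and reports whether the dropped packet's source address lies inside the configured local encryption domain. The address layout in the drop line, the three sample networks, the SYNC address and the sample zdebug lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample encryption domain: three internal networks, as in the
# thread. The cluster SYNC network (192.168.255.0/24 here) is deliberately absent.
ENCRYPTION_DOMAIN = [ipaddress.ip_network(n)
                     for n in ("10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24")]

# The page's drop line has its addresses elided, so "<src>[:port] -> <dst>[:port]"
# between "proto=N" and "dropped by" is an assumed layout.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)? "
    r"dropped by (?P<chain>\w+) Reason: (?P<reason>[^;]*);"
)

def parse_drop(line):
    """Return the fields of a zdebug drop line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(d["src"])
    d["dst"] = ipaddress.ip_address(d["dst"])
    return d

def in_domain(addr, domain=ENCRYPTION_DOMAIN):
    return any(addr in net for net in domain)

def diagnose(line, domain=ENCRYPTION_DOMAIN):
    """Explain a drop in terms of the local encryption domain (None if not a drop)."""
    d = parse_drop(line)
    if d is None:
        return None
    if d["chain"] != "vpn_encrypt_chain":
        return f"dropped by {d['chain']}: not an encryption-domain problem"
    if not in_domain(d["src"], domain):
        return f"source {d['src']} is outside the local encryption domain"
    return f"source {d['src']} is in the local domain; check peer/remote domain"

# Constructed zdebug output: a gateway-originated ICMP packet sent from the SYNC
# address, a host-originated TCP packet, and a rulebase drop from another chain.
SAMPLE_LINES = [
    ";[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.168.255.1 -> 172.16.5.10"
    " dropped by vpn_encrypt_chain Reason: No error;",
    ";[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.1.20:51234 ->"
    " 172.16.5.10:443 dropped by vpn_encrypt_chain Reason: No error;",
    ";[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.1.20:51235 ->"
    " 172.16.5.11:22 dropped by fw_handle_first_packet Reason: Rulebase drop;",
]
```

Running `diagnose` over the first sample line flags the SYNC-sourced packet as outside the domain, which is exactly the case the advanced option produced here.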

I would suggest asking TAC for help!

0 Kudos