AnsweredAssumed Answered

Connections to remote site originating from SMB gateway

Question asked by Pedro Espindola on Mar 27, 2018
Latest reply on Mar 29, 2018 by Günther W. Albrecht

Like • Show 1 Like1
Comment • 3

Hello guys,

I am having an issue in which the SMB 1400 cannot access hosts (DNS, DHCP, NTP servers) on a remote network via site-to-site VPN. Connections originating from the internal hosts work great.

I have checked the advanced option "Use internal IP address for encrypted connections from local gate", but now connections are started with the SYNC interface IP address instead of an IP in the local encryption domain, so they are dropped before entering the VPN tunnel:

;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 10.231.149.2:2048 -> 172.16.1.2:29833 dropped by vpn_encrypt_chain Reason: No error;

How can I make this work correctly?

No one else has this question

Outcomes

Günther W. Albrecht Mar 28, 2018 3:43 AM

The question is hard as very few information is given:

- i would assume that this 1400 is locally managed (although it is an expensive 1400), as the Advanced Setting mentioned is only available when locally managed

- is "Disable NAT for this SIte" enabled in VPN Site definition ?

- how are the Encryption Domains defined ?

- what is the Error when the SMB 1400 cannot access hosts and where is the packet dropped ?

- which GW is the VPN peer and what do the logs show there ?

Actions

Pedro Espindola @ Günther W. Albrecht on Mar 28, 2018 1:02 PM

I'm sorry, I did omit a lot of information.

1. Yes, the appliance is locally managed.

2. NAT is disable for this site

3. Local encryption domain is manually set for 3 internal networks, which obviously does not include the cluster SYNC network.

4. The connections times out, zdebug shows:

;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 10.231.149.2:2048 -> 172.16.1.2:29833 dropped by vpn_encrypt_chain Reason: No error;

10.231.149.2 is the sync IP address and 172.16.1.2 is the host in the remote site.

5. Peers are AWS and Azure. I do not think there is any issue there. The packet simply won't get there, since the GW is using an IP that is not (and should not be) in the encryption domain.

Mainly, my question is: can I make the 1400 use an internal IP from a network that is in the encryption domain or do I have to redo all VPN site configs to include the SYNC network? (including AWS and Azure gws configs)

Actions

Günther W. Albrecht @ Pedro Espindola on Mar 29, 2018 12:03 AM

I would suggest to ask TAC for help !

Actions

3 Replies

Günther W. Albrecht Mar 28, 2018 3:43 AM
Mark Correct
Correct Answer
The question is hard as very few information is given:
- i would assume that this 1400 is locally managed (although it is an expensive 1400), as the Advanced Setting mentioned is only available when locally managed
- is "Disable NAT for this SIte" enabled in VPN Site definition ?
- how are the Encryption Domains defined ?
- what is the Error when the SMB 1400 cannot access hosts and where is the packet dropped ?
- which GW is the VPN peer and what do the logs show there ?
Like • Show 0 Likes0
Actions
- Pedro Espindola @ Günther W. Albrecht on Mar 28, 2018 1:02 PM
  Mark Correct
  Correct Answer
  I'm sorry, I did omit a lot of information.
  
  1. Yes, the appliance is locally managed.
  2. NAT is disable for this site
  3. Local encryption domain is manually set for 3 internal networks, which obviously does not include the cluster SYNC network.
  4. The connections times out, zdebug shows:
  ;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 10.231.149.2:2048 -> 172.16.1.2:29833 dropped by vpn_encrypt_chain Reason: No error;
  10.231.149.2 is the sync IP address and 172.16.1.2 is the host in the remote site.
  5. Peers are AWS and Azure. I do not think there is any issue there. The packet simply won't get there, since the GW is using an IP that is not (and should not be) in the encryption domain.
  
  Mainly, my question is: can I make the 1400 use an internal IP from a network that is in the encryption domain or do I have to redo all VPN site configs to include the SYNC network? (including AWS and Azure gws configs)
  Like • Show 0 Likes0
  Actions
  - Günther W. Albrecht @ Pedro Espindola on Mar 29, 2018 12:03 AM
    Mark Correct
    Correct Answer
    I would suggest to ask TAC for help !
    Like • Show 0 Likes0
    Actions

Connections to remote site originating from SMB gateway

Outcomes

Related Content

Recommended Content