
I'm experiencing a rather weird problem.

I have a VPN up between two sites. The VPN connects via two SSG140 firewalls. It was working fine for about a year and yesterday it just stopped functioning properly.

   Site A VPN ---------------------------------------------Site B VPN
   External Interface : 1.1.1.1                           External Interface : 2.2.2.2
   Protected Interface : 192.168.10.1                     Protected Interface : 192.168.20.1
   Internal network : 192.168.10.0/24                     Internal network : 192.168.20.0/24
   Server A : 192.168.10.40                               Server B : 192.168.20.41

At the moment I can ping / RDP from server A to server B; if I attempt to ping server A from server B it times out.

Actions I have taken so far:

  • Recreated the VPN.
  • Recreated the route: Site A 192.168.20/0 GW:Tunnel.1, and vice versa.
  • Recreated the policies to allow any traffic from External to Internal for IP range 192.168.20.0, and vice versa.

I am stuck.

Hope you guys can help me.

Thanks. :)

Barnz

1 Answer


There's only really one thing that would make a working policy like this stop working: something changed.

Since you're able to establish connectivity from server A to server B, but the opposite direction fails, this points quite clearly to a policy rule on one side of the VPN link, or a firewall has been enabled on the servers somewhere, possibly on server A.

Check that you have the correct rules in place on the VPN endpoints.

Try enabling debugging on the SSGs and attempting to establish an RDP or other TCP-based session.

From memory, the SSG140s run ScreenOS, so you might want to take a look at this page on debugging flows through SSG.

pobk
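As an added troubleshooting example (not part of pobk's answer or the original question), here is a ScreenOS console session on the Site A SSG140 that checks the tunnel, route, policy and session state for the failing B-to-A direction and then traces only that traffic with a flow filter. It assumes the default Trust/Untrust zone names and the ScreenOS 5.x/6.x CLI syntax; addresses are the ones from the question.

```text
# Site A SSG140 (ScreenOS) console. Lines starting with '#' are
# annotations, not CLI input. Assumed zones: Trust (internal), Untrust
# (external, where tunnel.1 is usually bound for a route-based VPN).

# 1. Is the tunnel actually up? Both an IKE (Phase 1) and an IPsec
#    (Phase 2) SA should be listed as active for peer 2.2.2.2.
get sa
get interface tunnel.1

# 2. Does traffic for Site B's network go into the tunnel? The route
#    for 192.168.20.0/24 must point at tunnel.1, not at the default
#    gateway on the untrust interface.
get route | include 192.168.20.0

# 3. Reply traffic needs a policy in BOTH directions on BOTH boxes.
#    A->B working and B->A failing usually means the Untrust->Trust
#    policy (inbound from the tunnel) is missing, disabled or ordered
#    below a deny rule on one side.
get policy from untrust to trust
get policy from trust to untrust

# 4. Do B->A packets even create a session here? If nothing shows
#    while Server B is pinging, they are dropped before the session
#    table (route/policy) or never arrive (check Site B the same way).
get session src-ip 192.168.20.41 dst-ip 192.168.10.40

# 5. Trace only the failing flow so the debug buffer stays readable.
set ffilter src-ip 192.168.20.41 dst-ip 192.168.10.40
clear dbuf
debug flow basic
#    ... from Server B, ping 192.168.10.40 a few times now ...
undebug all
get dbuf stream
unset ffilter
```

In the `get dbuf stream` output, look for the route lookup result for each packet and for a "denied by policy" style drop; that tells you whether it is the route table or the policy set on this side that is rejecting the B-to-A direction, before repeating the same checks on the Site B box.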
  • Sounds a lot like http://serverfault.com/questions/521928/cannot-ping-b-from-a-until-b-pings-a – Sirch Jul 11 '13 at 13:04
  • Nope, it's not. The other question is about 2 servers on the SAME subnet, whereas these servers are on physically disparate subnets, interconnected via VPN. – pobk Jul 11 '13 at 13:08
  • I fixed it yesterday by deleting the route-based VPN and configuring a policy-based VPN between the sites. Removed the 192.168.20.0/24 tunnel route and it worked. Still not sure what the exact cause of the problem was. Like I said, I did not make any changes to those firewalls. Thanks for the reply pobk. – Barnz Jul 12 '13 at 06:43