Ok, here is some background:
- We are running a cluster of SA4500's, which is using a 192.168.70.x subnet.
- We have two networks with their own dedicated internet circuits. Network "A" is our main corporate network and Network B is a blackbox network.
- We are using Juniper to sit between network A and B. We have it configured to allow corporate traffic to flow in and out A's internet circuit, while B's traffic flows out the other internet circuit.
-We also have two realms configured to seperate the rules. We have a realm that is tied to the corporate network which is pretty much open. The second realm goes to Network B and uses SVW and uses address pools for two different types of roles.
- We have a small handfull of users that use one address pool, and everyone else that logs into this realm another.
- Our issue is that we need this the packets from this realm to go out Network B's internet circuit. We have a static route setup on the Juniper appliance that points to this network, and a Split-Tunneling Policy route was also set up. This was working for a time, however, we are no longer able to access a utility that we need to from Network B. As far as I can tell, nothing has changed on the Juniper appliance's or Network B's firewall configurations.
Any help is greatly appreciated.
If nothing is changed, I would recommend running a Policy Trace. Hopefully, the logs will help us figure out what the issue. Based on what you've said, it could be related to a Policy and not an actual route.
1. Maitenance,Troubleshooting, User Sessions, Policy Tracing
2. Set the appropriate options
3. Start Recording
5. Stop recording
6. Review logs (share findings)
I have attached a couple of logs. The policy trace log may only show that I was authenticated as the correct policy. To clarify, I am not having an issue creating a VPN connection to Network B. What I am having issue with is; getting the traffic to go out the other Network B's gateway. It is wanting to go back through Network A. Is there maybe a way to have the Network B realm use Network B's gateway info?
I reviewed the logs, but didn't find anything useful. I would check the Network Connect Access Policy (Users, Resource Policies, Network Connect, Network Connect Access Control) to make sure the resource is listed and the correct role is applied. If possible, can you share some trace-route results from a client that is working and from a client it's not? The default gateway for subnets defined in the Split Tunneling policy will be local (127.0.0.1) and should be picked up by the VA (Virtual Adapter). After that it's all policy and routing.
Here is a screenshot of our Spit-Tunneling Policy. We have a realm called HQ which is our corporate roles, and ccs which is the secondary network roles. HQ only goes to the corporate policy and ccs only goes to the other network. I hope this makes sense.
Also, attached is a TCP dump that I ran yesterday while testing.
When I try to do a tracert to the required gateway, I can't get passed the default DNS/DHCP address. Is there some way to create a route to Network B's gateway so that traffic can get out that gateway?
OK, that appears to be the problem. Can you post the results from a "route print", ipconfig/all, and provide the desitnation network? There should be a route that points to 127.0.0.1 for the destination network. This will force it via the VA (Virtual Adapter). Also, what is the IP Pool you're using? I've come across issues when people use the same IP Pool as the local LAN of the client (i.e. 192.168.1.0/24).