Ok, here is some background:
- We are running a cluster of SA4500's, which is using a 192.168.70.x subnet.
- We have two networks with their own dedicated internet circuits. Network "A" is our main corporate network and Network B is a blackbox network.
- We are using Juniper to sit between network A and B. We have it configured to allow corporate traffic to flow in and out A's internet circuit, while B's traffic flows out the other internet circuit.
- We also have two realms configured to separate the rules. We have a realm that is tied to the corporate network which is pretty much open. The second realm goes to Network B and uses SVW and uses address pools for two different types of roles.
- We have a small handful of users that use one address pool, and everyone else that logs into this realm another.
- Our issue is that we need the packets from this realm to go out Network B's internet circuit. We have a static route set up on the Juniper appliance that points to this network, and a Split-Tunneling Policy route was also set up. This was working for a time; however, we are no longer able to access a utility that we need to from Network B. As far as I can tell, nothing has changed on the Juniper appliance's or Network B's firewall configurations.
Any help is greatly appreciated.
Channing
Hi,
If nothing has changed, I would recommend running a Policy Trace. Hopefully, the logs will help us figure out what the issue is. Based on what you've said, it could be related to a Policy and not an actual route.
Policy Tracing:
1. Maintenance, Troubleshooting, User Sessions, Policy Tracing
2. Set the appropriate options
3. Start Recording
4. Test
5. Stop recording
6. Review logs (share findings)
-John
John,
I have attached a couple of logs. The policy trace log may only show that I was authenticated as the correct policy. To clarify, I am not having an issue creating a VPN connection to Network B. What I am having an issue with is getting the traffic to go out Network B's gateway. It is wanting to go back through Network A. Is there maybe a way to have the Network B realm use Network B's gateway info?
Thanks
Channing
Hi,
I reviewed the logs, but didn't find anything useful. I would check the Network Connect Access Policy (Users, Resource Policies, Network Connect, Network Connect Access Control) to make sure the resource is listed and the correct role is applied. If possible, can you share some trace-route results from a client that is working and from a client it's not? The default gateway for subnets defined in the Split Tunneling policy will be local (127.0.0.1) and should be picked up by the VA (Virtual Adapter). After that it's all policy and routing.
-John
Here is a screenshot of our Split-Tunneling Policy. We have a realm called HQ which is our corporate roles, and ccs which is the secondary network roles. HQ only goes to the corporate policy and ccs only goes to the other network. I hope this makes sense.
Also, attached is a TCP dump that I ran yesterday while testing.
Thank you,
Hi,
Can you include trace-route tests with and without it working? I would like to see the first hop on each.
-John
When I try to do a tracert to the required gateway, I can't get past the default DNS/DHCP address. Is there some way to create a route to Network B's gateway so that traffic can get out that gateway?
Thanks
Channing
Hi,
OK, that appears to be the problem. Can you post the results from a "route print", ipconfig /all, and provide the destination network? There should be a route that points to 127.0.0.1 for the destination network. This will force it via the VA (Virtual Adapter). Also, what is the IP Pool you're using? I've come across issues when people use the same IP Pool as the local LAN of the client (i.e. 192.168.1.0/24).
-John
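The two checks John asks for in the reply above, written up as an added example (not code from the thread or from Juniper): it parses a Windows "route print" IPv4 table, finds the route the client would use for a host on the destination network, tests whether that route points at 127.0.0.1 (the Virtual Adapter), and tests whether the Network Connect IP pool overlaps the client's local LAN. The route table excerpt and all addresses below are constructed placeholders.

```python
import ipaddress
import re

# Constructed "route print" excerpt from a client; addresses are placeholders.
# The 192.168.200.0/24 entry is what a split-tunnel destination should look
# like (gateway 127.0.0.1, interface = the VA's pool address).
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
    192.168.200.0    255.255.255.0        127.0.0.1   192.168.70.25      1
===========================================================================
"""

# destination, netmask, gateway (IP or "On-link"), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return (network, gateway, interface) tuples from route print output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # headers, separators and the "Active Routes:" line
        dest, mask, gw, iface, _metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def route_for(routes, host):
    """Longest-prefix match, the same choice the OS makes for a packet."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def goes_via_va(routes, host, va_gateway="127.0.0.1"):
    """True if traffic to host is steered into the Virtual Adapter."""
    r = route_for(routes, host)
    return r is not None and r[1] == va_gateway


def pool_overlaps_lan(pool, lan):
    """True if the NC address pool collides with the client's local LAN."""
    return ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(lan))
```

A host that only matches the 0.0.0.0/0 entry will leave through the LAN's default gateway, which is the "goes back through Network A" symptom described in the thread.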