Hello Ray,

Sorry for the tardy response.

I have just done your test. What I noticed is the following:

• I can reach my intranet just fine. No problems there.
• But my wifi is down: Tcpdump shows that all attempts to communicate with internet resources are being blocked on the DNS packet level. I see queries with destination the DNS I configured PCS with, but I see no DNS resolution.

Regards,

Tony

No worries..@tony.f Check your PM inbox.

Pulse Connect Secure Certified Expert

Hmm. Ok. PCS is able to connect to the internet without any issues, however the client is not able to.

What is the VPN tunnelling IP subnet? Is it in the same subnet as the internal port IP address of the VPN server?

For example, if the VPN tunneling IP address leased out the client is 192.168.1.10 and the internal port IP of the VPN server was configured as 192.168.1.100/255.255.255.0, then they are in the same subnet.

If they are in the different subnet, can try assigning an IP address to the client from the same subnet as the internal port IP address of the VPN server?

Thanks,

Ray.

Pulse Connect Secure Certified Expert

Hello Ray,

VPN clients draw their IP from this pool 192.168.1.0/24.

The internal interface of PCS is in a different subnet. 10.100.100.1/24.

As you mentioned, I tried giving my machine a 10.100.100.x IP. Nothing works after this config. I think network overlap on PCS leads to packets forwarding failure.

Hello @zanyterp,

The tunnel IP by default is 10.200.200.200.

So if I traceroute a packet sent from my machine to a network routed through PCS, the packet is sent first to 10.200.200.200. Then PCS routes it according to its table.

There is no overlap between the wifi network and the vpn ip pool...

Might there be a transitivity problem (intrinsic to AWS) stopping my VPN flow?

Because from AWS, I can resolve DNS queries normally on my PCS appliance. I can "telnet msftconnecttest.com 80" and get a successful connected. I am pushing the correct DNS settings via VPN Tunneling > Connection Profiles. So the Pulse client is correctly configured. 

Regards,

Tony

Hi @tony.f

As @zanyterp rightly pointed out, do you have a route on the AWS cloud to point all traffic destined to 192.168.1.0/24 (VPN IP pool) will be forwarded to 10.100.100.1 or whatever the internal port IP address of the VPN appliance?

If there is no such route, that would lead to reverse route issue i.e. client is able to reach the destination servers through VPN server's default gateway, however the destination servers are not able to reach its way back to client.

Ideally the traffic flow will be like,

Client sends a DNS query to 8.8.8.8 

Client (192.168.1.10) >> VPN server tunnel interface (10.200.200.200) >> Makes routing decision based on destination address (8.8.8.8) >> Sends the traffic to it's internal port default gateway >> Several hops / NAT / PAT (Internet) >> Reaches 8.8.8.8 DNS server.

8.8.8.8 sends the DNS response to client

DNS response reaches the VPN server's default gateway >> Checks it's routing table >> if a valid route is present stating that any traffic destined to 192.168.1.0/24 network will be forwarded to VPN server internal port IP address >> VPN server internal port recieves the return traffic >> forwards it back to client IP address.

Thanks,

Ray.

Pulse Connect Secure Certified Expert