VPN Traffic Affected by Route Hops?

indraadi82
Level 1

Dear Experts,


Recently we tried to establish VPN communication to a foreign country (Denmark) using 2 firewalls. From the Denmark side, they claimed to have established the VPN tunnel, but they cannot send any traffic to our side. But they said that traffic from our side is going normally to their side. So, it looks like it's one-way communication inside the tunnel.


The Denmark side said that after comparing the traceroutes (to each side) between ours and theirs, the difference in route hops (going and returning) caused this problem. Is this true? Can those different hops cause one-way communication in the VPN? Honestly, I thought it was supposed to be firewall settings that could be incorrect. Do the hops really matter?


Thanks! 

Accepted Solution

Can you give more details on both sides, like how the routing is done? BGP?

Is the last hop on both sides the firewall? Is the packet arriving on the same end device? Even if there's asymmetrical routing in between, it doesn't matter; what matters is the end device receiving the traffic.

Can you also share outputs/configs from both sides? The outputs would be show crypto isakmp and ipsec.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question


3 Replies

Francesco Molino
VIP Alumni

Hi

Can you share more details, please? Where are the different hops located? I mean, if the routing both ways isn't the same, this probably means you have asymmetrical traffic, and if this is going through a firewall, by default it's dropped. That's why I need more information/clarification.

Also, have you run a packet capture to see if ingress and egress IPsec packets are seen?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
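
Added example (not part of the thread, and not Cisco code): a small Python model of the two points made in this discussion, that a default-drop stateful firewall discards a reply it has no session state for when the return path crosses a different firewall than the outbound path, while different ISP hops in between are harmless as long as both directions end on the same device. The firewall and router classes, the packet fields and the 10.0.0.5/192.0.2.10 sample addresses are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP-like packet: just enough fields to key a state entry."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # "S" = SYN (new session), "SA" = SYN-ACK (reply)


class TransitRouter:
    """ISP hop: forwards on destination only and keeps no per-flow state."""

    def __init__(self, name):
        self.name = name

    def inspect(self, pkt):
        return True


class StatefulFirewall:
    """Default-drop firewall: a packet passes only if it opens a session or
    matches a session that this same device has already recorded."""

    def __init__(self, name):
        self.name = name
        self.table = set()  # (src, sport, dst, dport) of sessions seen here

    def inspect(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":  # session initiation: create state
            self.table.add(fwd)
            return True
        # Anything else must match existing state in either direction
        return fwd in self.table or rev in self.table


def run_exchange(forward_path, return_path):
    """Send a SYN along forward_path and the SYN-ACK along return_path.
    Returns where (if anywhere) the handshake is dropped."""
    # Constructed sample addresses (documentation ranges), not real hosts
    syn = Packet("10.0.0.5", "192.0.2.10", 40000, 443, "S")
    syn_ack = Packet("192.0.2.10", "10.0.0.5", 443, 40000, "SA")
    for hop in forward_path:
        if not hop.inspect(syn):
            return f"forward dropped at {hop.name}"
    for hop in return_path:
        if not hop.inspect(syn_ack):
            return f"return dropped at {hop.name}"
    return "session established"


def symmetric_scenario():
    """Both directions cross the same firewall: the reply matches its state."""
    fw_a = StatefulFirewall("fw-a")
    return run_exchange([fw_a], [fw_a])


def asymmetric_scenario():
    """Outbound via fw-a, reply via fw-b: fw-b never saw the SYN, so it drops."""
    fw_a = StatefulFirewall("fw-a")
    fw_b = StatefulFirewall("fw-b")
    return run_exchange([fw_a], [fw_b])


def asymmetric_transit_scenario():
    """Different ISP hops in each direction (as in the two traceroutes), but
    the same firewall at the edge both ways: the transit asymmetry is harmless."""
    fw_a = StatefulFirewall("fw-a")
    out = [fw_a, TransitRouter("NAP"), TransitRouter("LV3")]
    back = [TransitRouter("TELIA"), TransitRouter("NAP"), fw_a]
    return run_exchange(out, back)


if __name__ == "__main__":
    print("same firewall both ways:   ", symmetric_scenario())
    print("different firewall on reply:", asymmetric_scenario())
    print("different transit only:     ", asymmetric_transit_scenario())
```

The third scenario is the one that corresponds to the traceroutes in this thread: the only question that matters for the stateful drop is whether the reply lands on the firewall that created the session entry, not which ISPs the packets crossed on the way.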

Hi Francesco,

In brief, this is the traceroute result (the ISP name is written after the hop number):

Traceroute to our side (from DK):

HOP-1: TDC
HOP-2: TDC
HOP-3: TDC
HOP-4: TDC
HOP-5: TDC
HOP-6: ***
HOP-7: LV3 (NAP's upstream)
HOP-8: NAP
HOP-9: ***
HOP-10: ***
HOP-11: NAP
HOP-12: JSTEL (Arrived at destination IP)
------------------------------------------

Traceroute from our side (to DK):

HOP-1: JSTEL
HOP-2: JSTEL
HOP-3: JSTEL
HOP-4: NAP
HOP-5: NAP
HOP-6: NAP
HOP-7: TELIA
HOP-8: TELIA
HOP-9: TELIA
HOP-10: TELIA
HOP-11: TDC
HOP-12: TDC
HOP-13: TDC
HOP-14: TDC (Arrived at destination IP)

Sorry, but at this time I can't run a packet capture yet. I hope the route hops above can help.

Thanks!
Indra
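
Added example (not part of the thread): a Python parser for hop lists written in the "HOP-n: PROVIDER (note)" form used in the post above, which collapses each trace into the chain of networks crossed, reads the return chain backwards, and reports whether the two directions are symmetric and where they diverge. The two hop lists embedded below are copied from the post; the regex, the function names and the "Arrived" annotation check are assumptions made for this example.

```python
import re

# One hop per line, in the format used in the post: "HOP-<n>: <provider> (<note>)"
HOP_RE = re.compile(r"^HOP-(\d+):\s*(\S+)\s*(?:\((.*)\))?\s*$")


def parse_traceroute(text):
    """Return a list of (hop_number, provider, note) tuples; blank lines and
    non-matching lines such as separator dashes are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            num, provider, note = m.groups()
            hops.append((int(num), provider, note or ""))
    return hops


def provider_chain(hops):
    """Collapse consecutive hops of the same provider into one entry and drop
    '***' hops (no ICMP reply), leaving the sequence of networks crossed."""
    chain = []
    for _, provider, _ in hops:
        if provider == "***":
            continue
        if not chain or chain[-1] != provider:
            chain.append(provider)
    return chain


def reached_destination(hops):
    """True if the last parsed hop carries the post's 'Arrived' annotation."""
    return bool(hops) and hops[-1][2].startswith("Arrived")


def compare_paths(outbound_text, inbound_text):
    """Compare the outbound chain with the inbound chain read backwards; they
    match only when both directions cross the same networks in reverse order."""
    out_hops = parse_traceroute(outbound_text)
    in_hops = parse_traceroute(inbound_text)
    out_chain = provider_chain(out_hops)
    in_chain_rev = list(reversed(provider_chain(in_hops)))
    return {
        "outbound_chain": out_chain,
        "inbound_chain_reversed": in_chain_rev,
        "symmetric": out_chain == in_chain_rev,
        # networks that appear in only one direction
        "transit_only_one_way": sorted(set(out_chain) ^ set(in_chain_rev)),
        "outbound_reached": reached_destination(out_hops),
        "inbound_reached": reached_destination(in_hops),
        "hop_counts": (len(out_hops), len(in_hops)),
    }


# The two traceroutes exactly as posted in the thread (provider per hop)
TRACE_FROM_DK = """
HOP-1: TDC
HOP-2: TDC
HOP-3: TDC
HOP-4: TDC
HOP-5: TDC
HOP-6: ***
HOP-7: LV3 (NAP's upstream)
HOP-8: NAP
HOP-9: ***
HOP-10: ***
HOP-11: NAP
HOP-12: JSTEL (Arrived at destination IP)
"""

TRACE_TO_DK = """
HOP-1: JSTEL
HOP-2: JSTEL
HOP-3: JSTEL
HOP-4: NAP
HOP-5: NAP
HOP-6: NAP
HOP-7: TELIA
HOP-8: TELIA
HOP-9: TELIA
HOP-10:TELIA
HOP-11: TDC
HOP-12: TDC
HOP-13: TDC
HOP-14: TDC (Arrived at destination IP)
"""


def thread_report():
    """Outbound = our side to DK, inbound = DK to our side."""
    return compare_paths(TRACE_TO_DK, TRACE_FROM_DK)


if __name__ == "__main__":
    for key, value in thread_report().items():
        print(f"{key}: {value}")
```

On the posted data the chains are JSTEL, NAP, TELIA, TDC outbound and (reversed) JSTEL, NAP, LV3, TDC inbound, so the paths are asymmetric only in the transit networks (TELIA one way, LV3 the other) and both traces end at the intended destination, which is the situation the accepted answer describes as harmless for the tunnel itself.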