I have a server sitting on a 192.168.194.0/24 network and a VPN connection to 10.0.3.0/24. There is no problem with the VPN. From my server at 192.168.194.10 I can ping the inside of the remote firewall at 10.0.3.2. I can also ping a remote server at 10.0.3.7. I can also ping an XP workstation at 10.0.3.59.

I however cannot ping a printer at 10.0.3.8. I cannot ping a switch at 10.0.3.6. I cannot ping another XP PC at 10.0.3.60.

Locally on the server 10.0.3.7 I can ping every device mentioned so far, so they all are up, they are all valid addresses/hosts, and there are no Windows firewalls or anything else blocking ICMP.

10.0.3.2 and 10.0.3.8 are the two devices I'm concerned with below. I tried to ping and traceroute each from 192.168.194.10 in the following. Pings (filtering for just ICMP):
Notice no replies from 10.0.3.8, just 4 requests. Tracert to 10.0.3.8:
and that continues the same up to packet 41. Any ideas?

asked 11 Jan '13, 09:13 Willmeister, edited 11 Jan '13, 09:23 cmaynard ♦♦
2 Answers:
O.K., then the default gateway on subnet 10.0.3.0/24 is either not set correctly for all devices, or the connections from the other remote subnet are hidden (NAT) behind the internal IP of your firewall (10.0.3.2). Can you please run tcpdump (or whatever capture tool your firewall provides) on the firewall's internal interface? If you see the ICMP request go to 10.0.3.8 (and 10.0.3.60), but you don't get a response, then the back route (default gateway) is not set correctly on those systems, or they have a wrong ARP cache entry for 10.0.3.2 (your firewall).

Just a dumb idea. Did you check that there is no 'historic' route for those IP addresses on the involved firewalls (both ends of the VPN tunnel)? However, then it probably would not work from another subnet either... Are you really sure there are packet filter rules to allow those packets on the involved firewalls? To sum it up, please check these items:

Regards

answered 11 Jan '13, 12:26 Kurt Knochner ♦, edited 11 Jan '13, 13:11

OK, it's a new customer and I have very limited access to their equipment. I'm on a box that I can ping the devices across the tunnel... and sure enough, gateway was incorrect. Pleaded for another look and sure enough... you have to be like House. Never trust the patient :) Thanks, good to have the extra advice coming in, sometimes you need to step back. Thank you! (11 Jan '13, 15:20) Willmeister

As I like to say during Sharkfest... if you hear hooves beating, think horses and not zebras (unless you live in Africa, LOL). (12 Jan '13, 18:51) hansangb
I would guess that the devices you can't ping don't have default gateways/routers configured. So they can talk to anything on their subnet but nothing beyond the subnet.

answered 11 Jan '13, 10:16 JeffMorriss ♦

Printers typically don't get the usual "love" of PCs, so it is probably using the natural subnet mask of /8. And with proxy-ARP turned off at the router (likely scenario), the return packets cannot make it back to you (can't get out of the local subnet). I would think the same is true for the XP. (11 Jan '13, 10:27) hansangb

That is a thought, but they all have the same gateway. PCs are getting the same ipconfig from DHCP and I can get to some, not others. It's also why I mentioned other types of devices, most notably the switch. I can get to all the devices from another remote subnet. (11 Jan '13, 12:13) Willmeister
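The two answers above describe the same diagnostic in two halves: capture on the firewall's internal interface and look for echo requests that reach a host but never get a reply, then ask how that host would route the reply (no default gateway, a gateway off its own subnet, or a destination it wrongly treats as on-link). The following is an added example, not code from any poster on this thread, that models both halves. It parses constructed tcpdump-style text (not a real capture from the thread; the `id`/`seq` values are made up) and classifies a host's return path from its address, mask and configured gateway. The function names `unanswered_echo_targets` and `reply_path` are my own.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample in tcpdump's default text format, as it might look on the
# firewall's 10.0.3.0/24 interface. Not a real capture; ids and seqs are invented.
SAMPLE_CAPTURE = """\
10:13:01.100 IP 192.168.194.10 > 10.0.3.7: ICMP echo request, id 1, seq 1, length 40
10:13:01.101 IP 10.0.3.7 > 192.168.194.10: ICMP echo reply, id 1, seq 1, length 40
10:13:02.100 IP 192.168.194.10 > 10.0.3.8: ICMP echo request, id 1, seq 2, length 40
10:13:03.100 IP 192.168.194.10 > 10.0.3.8: ICMP echo request, id 1, seq 3, length 40
10:13:04.100 IP 192.168.194.10 > 10.0.3.60: ICMP echo request, id 1, seq 4, length 40
"""

ICMP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def unanswered_echo_targets(capture_text):
    """Return {target_ip: [seq, ...]} for echo requests that saw no matching reply.

    A request and its reply are matched on (requester, target, id, seq); the reply
    carries the addresses swapped, so the key is built in request orientation.
    """
    pending = {}
    for line in capture_text.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue  # not an ICMP echo line; ignore
        src, dst, kind = m["src"], m["dst"], m["kind"]
        ident, seq = int(m["id"]), int(m["seq"])
        if kind == "request":
            pending[(src, dst, ident, seq)] = True
        else:
            pending.pop((dst, src, ident, seq), None)
    result = {}
    for (_requester, target, _ident, seq) in sorted(pending):
        result.setdefault(target, []).append(seq)
    return result


def reply_path(host_iface, host_gateway, requester):
    """Classify how a host would forward an echo reply back to `requester`.

    host_iface:   the host's own address with prefix, e.g. '10.0.3.8/24'
    host_gateway: its configured default gateway, or None if it has none
    Returns one of: 'on-link', 'no-route', 'gateway-off-link', 'via-gateway'.
    """
    iface = ip_interface(host_iface)
    dst = ip_address(requester)
    if dst in iface.network:
        # Host will ARP for the requester directly. If the requester is not
        # really on this segment (mask too wide), only proxy-ARP on the router
        # could answer that ARP.
        return "on-link"
    if host_gateway is None:
        return "no-route"  # off-subnet reply has nowhere to go
    if ip_address(host_gateway) not in iface.network:
        return "gateway-off-link"  # gateway configured but unreachable
    return "via-gateway"


if __name__ == "__main__":
    # Hypothetical per-host settings to illustrate each outcome
    hosts = {
        "10.0.3.7": ("10.0.3.7/24", "10.0.3.2"),
        "10.0.3.8": ("10.0.3.8/24", None),
        "10.0.3.60": ("10.0.3.60/24", "10.0.4.1"),
    }
    requester = "192.168.194.10"
    for target, seqs in unanswered_echo_targets(SAMPLE_CAPTURE).items():
        iface, gw = hosts[target]
        print(f"{target}: unanswered seq {seqs}; return path = {reply_path(iface, gw, requester)}")
```

Run against a real capture, feed `unanswered_echo_targets` the text output of tcpdump on the firewall's inside interface; the hosts it lists are the ones to check with `reply_path` using their actual mask and gateway settings.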
That got real ugly when I submitted it... sorry :)
Set the text as a "code sample", so it should be easier to read now.
I also uploaded the tracert capture to https://www.cloudshark.org/captures/4f231cf04349
Thank you!