
After the primary path is shut down, the SSL VPN cannot be established through the secondary path

Publication Date:  2017-08-10 Views:  295 Downloads:  0
Issue Description

The link to RO1 (tracked by the firewall) was shut down. The firewall switchover succeeded, but the SSL VPN failed. All SSL VPN configuration was done on the active firewall and synchronized automatically to the backup.

Topology: GE0/3/0 of R1 connects to FW1, and the two routers are connected by Eth-Trunk1.

Handling Process

After checking with the customer, we found that the SSL VPN is terminated on interface GE7/0/8.51 of the firewall, which belongs to VLAN 51. The two firewalls run in active/standby hot-standby mode with FW1 active, so the SSL VPN configuration is synchronized automatically to FW2. Since the SSL VPN works while the primary path is up, the SSL VPN configuration on both firewalls should be correct, and checking it on both firewalls confirmed that it is.

interface GigabitEthernet7/0/8.51
 vlan-type dot1q 51
 ip binding vsys idb
 ip address 172.19.24.13 255.255.255.248
 vrrp vrid 151 virtual-ip 172.19.24.12 active
 service-manage ping permit


We then checked the configuration on R1 and found that the NAT configuration for VLAN 51 is applied only on GE0/3/0, not on Eth-Trunk1:

nat instance idb id 1
 service-instance-group group1
 nat log session enable
 nat address-group address-group1 group-id 1 37.76.230.107 37.76.230.107
 nat server global 37.76.230.107 inside 172.19.24.12

#

interface GigabitEthernet0/3/0
 portswitch
 description *** To VSM-FW01-7/0/8 ***
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094
 dcn
 traffic-policy NAT1 inbound vlan 51

#

interface Eth-Trunk1
 portswitch
 description *** Trunk to VSM-INT-RO-02 ***
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094


Root Cause

While the SSL VPN uses the primary path, its traffic enters R1 on GE0/3/0, where NAT is configured. When the downlink of R1 is disconnected, the traffic takes the path FW2 - R2 - R1 - public network and enters R1 on Eth-Trunk1 instead. Because the NAT policy is not applied on Eth-Trunk1, traffic arriving from R2 is not translated, so NAT must also be configured on Eth-Trunk1 of R1.

Solution

Configure the command "traffic-policy NAT1 inbound vlan 51" on Eth-Trunk1 of R1:

interface Eth-Trunk1
 traffic-policy NAT1 inbound vlan 51

#
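The root cause is a policy applied on the primary ingress interface but missing on the redundant one, which only shows up after a failover. The following added example (not part of the original case or Huawei's tooling) parses the R1 configuration fragments above, reports any traffic-policy present on the primary-path interface but absent on the backup-path interface, and verifies that adding the missing lines closes the gap; interface names and the "#" block terminator follow the configuration as shown on this page.

```python
import re
from collections import defaultdict

# R1 configuration as found in the case (constructed from the fragments above, before the fix).
R1_CONFIG_BEFORE = """\
interface GigabitEthernet0/3/0
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094
 traffic-policy NAT1 inbound vlan 51
#
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094
#
"""

POLICY_RE = re.compile(r"^\s*traffic-policy\s+(\S+)\s+(inbound|outbound)\s+vlan\s+(\d+)\s*$")

def interface_policies(config):
    """Map each interface name to the set of (policy, direction, vlan) applied on it."""
    policies, current = defaultdict(set), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.strip() == "#":
            current = None          # '#' closes the interface view
        elif current is not None:
            m = POLICY_RE.match(line)
            if m:
                policies[current].add((m.group(1), m.group(2), int(m.group(3))))
    return dict(policies)

def missing_on_backup(config, primary, backup):
    """Policies on the primary-path interface but not on the backup-path one: this traffic bypasses the policy after failover."""
    pol = interface_policies(config)
    return sorted(pol.get(primary, set()) - pol.get(backup, set()))

def with_fix(config, backup, missing):
    """Return the config with the missing policy lines added to the backup interface's view."""
    out, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        if line.strip() == "#" and current == backup:
            out += [f" traffic-policy {n} {d} vlan {v}" for n, d, v in missing]
            current = None
        out.append(line)
    return "\n".join(out) + "\n"
```

Running the check against the stored configuration of both redundant ingress interfaces before a failover test surfaces this class of asymmetry without waiting for a live outage.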

END