FAQ-Does the VT Interface IP Address Have to Belong to the Same Network Segment as IP Addresses in the Pool When the Firewall Serves as the LNS?

Publication Date: 2015-07-02
Issue Description
Does the VT interface IP address have to belong to the same network segment as the IP addresses in the address pool when the firewall serves as the LNS?
Solution
No. However, if the VT interface IP address is not in the same network segment as the addresses in the address pool and a default route is configured on the firewall, a forwarding loop occurs until the packet TTL reaches 0. That is, after a VPN user logs out, if another host attacks or accesses that user's address, the firewall no longer has a route to the address (the user's host route was removed at logout) and sends the attack or access packet to the upstream device through the default route. The upstream device looks up its route for the address pool segment, sends the packet back to the firewall, and the cycle repeats. If the VT interface IP address is in the same network segment as the addresses in the address pool, the firewall still has a route to the network segment of the VT interface after the user logs out, so it discards the received access or attack packets instead of forwarding them. Therefore, ensure that the VT interface IP address belongs to the same network segment as the IP addresses in the address pool.
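To make the two cases concrete, here is an added example (not from the Huawei FAQ) that models the routing decision with constructed addresses: a pool 10.1.1.2-10.1.1.100 behind the LNS, an upstream router that routes the pool segment to the firewall, and a packet for a logged-out user's address 10.1.1.5. All addresses, node names and the TTL budget are assumptions for illustration.

```python
import ipaddress

# Constructed topology: the firewall acts as LNS; the upstream router sends
# the whole pool segment to it. Names and addresses are made up.
UPSTREAM = "upstream"
FIREWALL = "firewall"

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries; None if no route."""
    best = None
    for prefix, next_hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best

def trace(tables, first_hop, dst, ttl=16):
    """Forward a packet hop by hop, decrementing TTL; return (outcome, hops)."""
    dst = ipaddress.ip_address(dst)
    node, hops = first_hop, 0
    while ttl > 0:
        route = lookup(tables[node], dst)
        if route is None:
            return "no route at " + node, hops
        _, next_hop = route
        if next_hop == "connected":
            # Segment is directly attached, but the user's host route is gone: drop.
            return "discarded by " + node, hops
        if next_hop not in tables:
            return "forwarded to " + next_hop, hops
        node, hops, ttl = next_hop, hops + 1, ttl - 1
    return "ttl expired", hops

def build_tables(vt_interface_cidr):
    """Firewall: connected VT segment plus default route; upstream: pool via firewall."""
    net = ipaddress.ip_network
    firewall = [(net(vt_interface_cidr, strict=False), "connected"),
                (net("0.0.0.0/0"), UPSTREAM)]
    upstream = [(net("10.1.1.0/24"), FIREWALL),   # pool 10.1.1.2-10.1.1.100 behind the LNS
                (net("0.0.0.0/0"), "internet")]
    return {FIREWALL: firewall, UPSTREAM: upstream}

def compare(dst="10.1.1.5"):
    """VT address outside the pool segment vs inside it; packet enters at upstream."""
    outside = trace(build_tables("192.168.100.1/24"), UPSTREAM, dst)
    inside = trace(build_tables("10.1.1.1/24"), UPSTREAM, dst)
    return outside, inside

if __name__ == "__main__":
    print(compare())  # (('ttl expired', 16), ('discarded by firewall', 1))
```

With the VT address outside the pool segment the packet bounces between the two devices until the TTL budget is exhausted; with it inside, the firewall's connected route wins and the packet is dropped after one hop.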
