BUG: ER605 with L2 VPN and Tools?
Hi all, was helping a forum member with their setup over the weekend when I discovered an unusual flaw. We have two sites, A-B, connected by an L2TP/IPsec VPN tunnel in network extension mode with an ER605v2 at either end. Only the LAN (default) subnet from each site is forwarded across the tunnel, and what I noticed was that even with the tunnel set up and working properly I could not use the new Tools function to ping across the tunnel, i.e. using A-ER605 to ping B-ER605 didn't work. A traceroute showed A-ER605 trying to go direct to the internet, instead of via the tunnel. If I used a local Tools-supported switch, then A-Switch could ping B-ER605 and all devices at the B end correctly via the tunnel. I feel this is a bug, but curious if others have seen this.
A second issue with this sort of tunnel creation is that the remote subnet routes don't show up in the Routing Table insight which also seems wrong (although functionally it's fine).
Hi @d0ugmac1
Thanks for posting in our business forum.
In response to bug #1, first paragraph,
You are using L2TP, so one's server and the other's client. Can you confirm both have been set to include all Local Networks?
Secondly, your working mode is set to Routing I think? You are using this is about the S2S.
Then what IP did you traceroute and ping?
If this IP is not in the Local Networks you specified, it'll be forwarded to the gateway and the next destination will be the ISP. Is there anything wrong with this?
I cannot say anything about this before you tell me where this IP belongs to.
ER605's tool should work. If it does not work in controller mode, you should check the firmware of both the controller and the router. Do they support the ping feature now? If yes and it does not work, that might be an issue with the controller.
I would assume the controller is the problem because in standalone mode you can use the ping tool without any issue. As for the controller, it is new. So that might be buggy.
As for the second bug you said, VPN routing table is not gonna be included in the Routing Table. Got a confirmation by the senior engineer.
When a device does not support Tools, it is not given as an option in the controller. Regardless, the ER605v2 was able to ping other local IP subnets via the controller UI, just not remote IPs across the tunnel which were included in the 'Local Networks'. The same IP was tried both from an ER605v2 and an SG2008P; the ER605 failed and traceroute showed it did not 'know' about the remote subnets and thus tried to go to the internet. The SG2008P was successfully routed by the ER605 to the remote site and was able to ping and traceroute successfully. An example IP that did not work was the remote ER605 LAN IP (so if the remote LAN was 192.168.2.0/24 and the remote ER605 was 192.168.2.1, then the local ER605 on say 192.168.1.1 was not able to reach 192.168.2.1). This makes me think that the ER605 tools are using some kind of static routing information that is not updated when VPN tunnels are created. I was curious if others had experienced this in 'Routing' mode, possibly with other VPN types? This may also explain why the remote subnets at the far end of the tunnel do NOT show up in the controller's version of the 'Routing Table' under Insights.
Not all local subnets are forwarded across the tunnel, but LAN is forwarded on both.
NAT is not really an option as there are multiple identical devices at the remote end using the same service ports, which is far easier to manage by IP than by port.
Below are the server and client setups respectively.
Hi @d0ugmac1
Thanks for posting in our business forum.
d0ugmac1 wrote
When a device does not support Tools, it is not given as an option in the controller. Regardless, the ER605v2 was able to ping other local IP subnets via the controller UI, just not remote IPs across the tunnel which were included in the 'Local Networks'. The same IP was tried both from an ER605v2 and an SG2008P; the ER605 failed and traceroute showed it did not 'know' about the remote subnets and thus tried to go to the internet. The SG2008P was successfully routed by the ER605 to the remote site and was able to ping and traceroute successfully. An example IP that did not work was the remote ER605 LAN IP (so if the remote LAN was 192.168.2.0/24 and the remote ER605 was 192.168.2.1, then the local ER605 on say 192.168.1.1 was not able to reach 192.168.2.1). This makes me think that the ER605 tools are using some kind of static routing information that is not updated when VPN tunnels are created. I was curious if others had experienced this in 'Routing' mode, possibly with other VPN types? This may also explain why the remote subnets at the far end of the tunnel do NOT show up in the controller's version of the 'Routing Table' under Insights.
Not all local subnets are forwarded across the tunnel, but LAN is forwarded on both.
NAT is not really an option as there are multiple identical devices at the remote end using the same service ports, which is far easier to manage by IP than by port.
Below are the server and client setups respectively.
It has been confirmed that traceroute in the Tools on the Controller does not work. It is a bug, and the fix ETA is V5.15.
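An added example, not part of any post in this thread: a small Python check for the symptom discussed above, where a traceroute to a remote-site address leaves via the ISP instead of staying inside the tunnel. The sample outputs are constructed, the subnets are the example ones used in the thread, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample outputs (not captured from the devices in the thread).
LEAKED = """\
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 38 byte packets
 1  203.0.113.1  8.412 ms  7.903 ms  8.120 ms
 2  198.51.100.9  12.044 ms  11.870 ms  12.310 ms
 3  * * *
"""
TUNNELLED = """\
traceroute to 192.168.2.1 (192.168.2.1), 30 hops max, 38 byte packets
 1  192.168.1.1  0.512 ms  0.430 ms  0.401 ms
 2  192.168.2.1  21.300 ms  20.950 ms  21.120 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_hops(text):
    """Return [(hop_number, address_or_None)] from numeric traceroute output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header or blank line
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            ip = None  # '*' (no reply) or an unresolved hostname
        hops.append((int(m.group(1)), ip))
    return hops


def classify(text, tunnel_nets):
    """Flag hops that answer from outside the subnets expected on the VPN path."""
    nets = [ipaddress.ip_network(n) for n in tunnel_nets]
    hops = parse_hops(text)
    outside = [(n, str(ip)) for n, ip in hops
               if ip is not None and not any(ip in net for net in nets)]
    if outside:
        return "leaked", outside  # traffic left via the WAN, outside the tunnel
    if not any(ip is not None for _, ip in hops):
        return "inconclusive", []  # nothing answered, cannot tell
    return "tunnelled", []
```

If the L2TP tunnel assigns its own endpoint addresses from an IP pool, add that pool to `tunnel_nets` so its hops are not reported as leaks.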