【NGAF】Sangfor VPN Builds Successfully but Some Subnets Cannot Ping the Peer Side
Issue Description

As shown in the figure above, the user cannot communicate from Sangfor 1 to the third-party device. Sangfor 1 and Sangfor 2 have successfully established the Sangfor VPN.
Note: Sangfor 1 is the branch and Sangfor 2 is the HQ.
Handling Process
- Perform a packet capture on the branch device. The packets reach the LAN port but are not forwarded out through vpntun.
- Check routing. There is no route to the third-party device.
- On the HQ device, add the third-party device's LAN segment to the local subnet.

Root Cause
The HQ and the third-party device have built an IPsec VPN tunnel, but the HQ did not publish the third-party device's segment in the local subnet, so the Sangfor VPN did not publish a route for the third party.
Solution
On the HQ device, add the third-party LAN segment to the local subnet.
Suggestion
A segment must be added to the Local Subnet when it is not configured on an interface. For example, there may be several segments under the LAN interface while the LAN interface itself is configured with only one IP segment.
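
The check described in the Root Cause and Suggestion sections can be run offline before a change window. The following is an added example, not Sangfor code: it assumes the HQ publishes its interface segments plus its Local Subnet entries, and all addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample addressing (not taken from the original case).
HQ_INTERFACE_SEGMENTS = ["10.1.1.0/24"]  # configured on the HQ LAN interface
SEGMENTS_BEHIND_HQ = [
    "10.1.1.0/24",     # HQ LAN, configured on the interface
    "10.1.2.0/24",     # second LAN segment, not configured on any interface
    "172.16.50.0/24",  # third-party LAN, reached over the IPsec tunnel
]

def published_routes(interface_segments, local_subnets):
    """Assumed model: HQ publishes interface segments plus Local Subnet entries."""
    nets = [ipaddress.ip_network(n) for n in [*interface_segments, *local_subnets]]
    return list(ipaddress.collapse_addresses(nets))

def branch_forwards(dst_ip, routes):
    """True if a published route covers dst_ip, so the branch would use vpntun."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in routes)

def unpublished(segments, routes):
    """Segments behind HQ that no published route covers."""
    missing = []
    for seg in map(ipaddress.ip_network, segments):
        if not any(seg.subnet_of(net) for net in routes):
            missing.append(str(seg))
    return missing

def audit(local_subnets):
    """List segments the branch cannot reach for a given Local Subnet setting."""
    routes = published_routes(HQ_INTERFACE_SEGMENTS, local_subnets)
    return unpublished(SEGMENTS_BEHIND_HQ, routes)

if __name__ == "__main__":
    print("before fix, missing:", audit([]))
    print("after fix, missing:", audit(["10.1.2.0/24", "172.16.50.0/24"]))
```

An empty result from `audit` means every segment behind the HQ is covered by a published route. Any segment it returns will show the same symptom as this case: packets reach the branch LAN port but never leave through vpntun.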