DNS query via vti


All Replies

  • d1CC
    d1CC Posts: 1  Freshman Member
    Hi ZyXel Team,

    We've got the same issue at one of our customers.

    2x USG60 (Datacenter1 and Datacenter2 - Site to Site)

    The VTI IPSec connection is up and active, but there is no traffic. If you want, I can send you the config of both USGs for analysis.

    Thanks in advance
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello d1CC,
    Have you added the policy routing on the device? The policy routing will let both datacenters communicate with each other.
    Here is an example from the FAQ for your reference.
    Link:
    https://businessforum.zyxel.com/discussion/721/how-can-i-configure-ipsec-site-to-site-vpn-by-using-vti-on-the-usg#latest

    Charlie 
  • sebastian
    sebastian Posts: 7  Freshman Member
    Thank you for the reference. Nevertheless, the issue is not the TCP traffic between the sites.
    The problem is the UDP DNS traffic: the source IP is the wan interface and not the local vlan.
    A policy route doesn't change the behavior. I'm still waiting for Zyxel support to come back to me.
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello sebastian,
    I tested it locally, and UDP traffic can flow in VTI tunnel.
    [screenshots: packet captures on the Server side and on the Client side]
    I think the UDP packet is over the MTU in your scenario, so the traffic is dropped and cannot be sent to the other side.
    However, to avoid this issue, you need to enable the Ignore "Don't Fragment" Setting in IPv4 header (enable this to fragment packets larger than the MTU), and check it again after flushing all sessions via the CLI (enter "debug conntrack flush").

    Charlie

  • sebastian
    sebastian Posts: 7  Freshman Member
    Thank you for the quick reply. 
    I do not see any effect. The nslookup is still not working. TCP traffic is working fine based on the policy routes.

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    Hello sebastian,
    If the issue still appears after you enable the "Don't Fragment" Setting in IPv4 header and enter "debug conntrack flush", please capture the packets from the LAN interface on both sides when the issue is happening. I want to see what may be going wrong by analyzing the packets.
    Here I show you the procedure so that you can capture packets from the device directly.

    Otherwise, please PM me the configuration of both devices.
    Charlie
  • sebastian
    sebastian Posts: 7  Freshman Member
    Hello Charlie,

    The packet trace I have forwarded to you via PM. The problem isn't that UDP & TCP traffic is forwarded via the vti1 interface. The problem is that the source IP of the DNS packet is my wan1 interface IP and not the IP of the vlan interface.
    E.g. when I do a dig, I see traffic going to the vti1 interface but with the wrong source IP. If I do the same with dig @DNS Server via vti1, I get the correct response. The reason: in the first dig the source IP of the packet is my wan1 interface, and in the second it is the vlan IP.

    Best regards,
    Sebastian 
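    A small audit of the symptom Sebastian describes, written here as an added example (not code from the thread or from Zyxel): it reads tcpdump-style lines captured on vti1 and flags DNS queries whose source address is the wan1 address instead of the vlan subnet or the tunnel address. The addresses and the capture lines are constructed for the example.

```python
import ipaddress
import re

# Constructed addresses for this example (not from the thread):
WAN1_IP = ipaddress.ip_address("203.0.113.10")        # USG wan1 address
VTI1_IP = ipaddress.ip_address("10.255.0.1")          # local end of the VTI tunnel
LAN_SUBNET = ipaddress.ip_network("192.168.10.0/24")  # local vlan behind the USG

# tcpdump-style line: "<time> IP <src>.<sport> > <dst>.<dport>: <info>" (constructed format)
LINE_RE = re.compile(r"^\S+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): (.*)$")

def parse_line(line):
    """Return the packet fields of one capture line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, info = m.groups()
    return {"src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "info": info}

def classify_dns_source(pkt):
    """Label the source address of a DNS query leaving through vti1."""
    if pkt["dport"] != 53:
        return "not-dns"
    if pkt["src"] in LAN_SUBNET:
        return "ok-lan"            # host's own vlan address: the expected case
    if pkt["src"] == VTI1_IP:
        return "ok-vti"            # tunnel address, as after SNAT to the outgoing interface
    if pkt["src"] == WAN1_IP:
        return "mis-sourced-wan"   # the symptom reported in the thread
    return "unknown"

def audit(capture):
    """Count DNS queries per source-address class over a whole capture."""
    counts = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        label = classify_dns_source(pkt)
        counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed capture: a LAN host query, a query sourced from wan1, a query sourced
# from the tunnel address, and one non-DNS (ssh) packet.
SAMPLE = """\
12:00:01.000 IP 192.168.10.20.51234 > 192.168.20.5.53: 1234+ A? host.example. (32)
12:00:01.500 IP 203.0.113.10.40000 > 192.168.20.5.53: 5678+ A? host.example. (32)
12:00:02.000 IP 10.255.0.1.40001 > 192.168.20.5.53: 9012+ A? host.example. (32)
12:00:02.500 IP 192.168.10.20.44444 > 192.168.20.5.22: Flags [S], seq 1, length 0
"""
```

    Any "mis-sourced-wan" count in the result is the condition the thread is about; after the SNAT policy route, those queries should show up as "ok-vti" instead.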
  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited November 2017
    Hello Sebastian,
    I tested it with a UDP session locally and captured packets on the VTI interface on both sides.
    The source IP is the host IP, not the wan interface IP. Here is my result, please check it. Link: https://drive.google.com/file/d/1tTrr8oIeihSN2ToKbjvy63AGcjci5hQe/view?usp=sharing
    Could you share the remote access of this case via PM for checking?
    Charlie
  • warwickt
    warwickt Posts: 111  Ally Member
    edited January 2018
    lalaland said:

    Hi,

    I had a similar case in the past, but the scenario was a Site to Site IPSec VPN; the issue was solved by a policy route. How about creating a policy route, assigning the next hop as the VTI, then doing SNAT?

    Hi lalaland, brilliant! <3 Many thanks for this SNAT tip. You bewdy! Works a treat!

    Policy Route:
    • existing Policy Route: incoming:any , source:USG60_LAN1_Subnet, dest: USG40_LAN_Subnet, next-hop: vti2 , SNAT: none
    • added this Policy Route : incoming:any , source:USG60_LAN1_Subnet, dest: REMOTE_USG40, next-hop: vti2 , SNAT: outgoing-interface

    I've got a USG60 & USG40, both at firmware V4.30, deployed over a Hong Kong metro LAN 10 km apart using VTI and two different business ISPs.

    TCP traffic works great.

    Like the OP, I had this same issue accessing the remote ZyWALL USG from the other over a VTI (IPSec_VPN to ZyWALL) for
    • remote DNS
    • ssh (management)
    • https (WEB UI)
    Anyway, this has made my week!

    Thanks heaps for the tip, and thank you for your help. Happy Chinese New Year!

    Cheers mate!
    Warwick
    Hong Kong
  • warwickt
    warwickt Posts: 111  Ally Member

    Hi all those interested, I have updated a similar post with pertinent information at

    https://businessforum.zyxel.com/discussion/1338/resolving-lan-hostnames-when-connected-to-vpn#latest

    That post describes using a Domain Forwarder rule specifically with PUBLIC DNS SERVER, with the VTI1 end and Query = auto.

    HTH

    WarwickT

    Hong Kong
