DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Lan to Lan VPN issue with one device - Remote Draytek can ping it but not the computers

17 Jul 2020 14:29 #1 by steve1984
Hi All,

I hope someone can assist with this odd issue...

I have two sites, one Head Office site with a V2860N (192.168.0.x) and a second Remote Office site with a V2850 (10.10.0.x).

I have created a Lan to Lan VPN from remote office dialing into the head office router. This is set up as a L2TP with IPsec. The VPN dials up fine and connects. I can ping both routers from the other router and can also ping both routers from a computer on both sites.

The issue I have is that from the remote V2850 site I am unable to ping 192.168.0.240 from any computer or any device, however I am able to ping it direct from the remote Draytek V2850. Oddly I seem to be able to ping everything else on the V2860N site from the V2850 except the 192.168.0.240 device, however this does respond to a ping and tracert direct from diagnostics / trace route on the V2850...

Hopefully there is something very simple I am missing.

If anyone can shed some light on this I will be most grateful.

Thanks,
Steve

A traceroute done on the V2850:

traceroute to 192.168.0.240, 30 hops max through WAN1 protocol ICMP
1 81.174.***.*** 50 ms
2 192.168.0.240 50 ms
Trace complete.

A Trace done from a machine on the V2850 network.

1 <1 ms <1 ms <1 ms 10.10.0.1
2 40 ms 40 ms 40 ms inta0*********.pndsl.co.uk [81.174.***.***]
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 * * * Request timed out.
11 * * * Request timed out.

17 Jul 2020 18:47 #2 by hornbyp
There's something else that's odd - you have public IP addresses appearing in the Traceroute. Does each site just have a single LAN? Assuming yes, do the relevant devices on those LANs have the respective Vigor set as the Default Gateway?

For comparison purposes, here is a traceroute from my (similar) setup (2860n <--l2tp/ipsec-->2830n) (tracing a route from 192.168.100.8 -> 192.168.200.6)
Code:
C:\WINDOWS\system32>tracert -d 192.168.200.6

Tracing route to 192.168.200.6 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.100.254 (local 2860n)
  2    25 ms    24 ms    24 ms  192.168.200.254 (remote 2830n)
  3    28 ms    26 ms    27 ms  192.168.200.6 (remote device)

Trace complete.


No public IPs involved.

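The comparison made in post #2, as an added example that is not part of the original thread: a short Python check that reads tracert output and reports any hop with a public address on a path that should stay between two private LANs. The function names are hypothetical, only the RFC 1918 ranges are treated as private, and octets masked with `*` (as in the posted traces) are classified from the octets that remain visible.

```python
import ipaddress
import re

# Assumption: only the RFC 1918 ranges count as "private" for this check.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
# Dotted quad whose octets may be masked with '*', as in the posted traces.
ADDR = re.compile(r"(?<![\d.])((?:\d{1,3}|\*+)(?:\.(?:\d{1,3}|\*+)){3})(?![\d.])")

def classify(addr):
    """Return 'private', 'public' or 'unknown' for a (possibly masked) IPv4."""
    octets = addr.split(".")
    known = 0
    while known < 4 and octets[known].isdigit():
        known += 1
    # The visible leading octets define the network the address must lie in.
    base = ".".join(octets[:known] + ["0"] * (4 - known))
    net = ipaddress.ip_network(f"{base}/{8 * known}")
    if any(net.subnet_of(r) for r in RFC1918):
        return "private"
    if any(net.overlaps(r) for r in RFC1918):
        return "unknown"  # masking hides the octets that would decide it
    return "public"

def public_hops(trace_text):
    """Return [(hop_number, address)] for every hop with a public address."""
    found = []
    for line in trace_text.splitlines():
        hop = HOP.match(line)
        addr = ADDR.search(hop.group(2)) if hop else None
        if addr and classify(addr.group(1)) == "public":
            found.append((int(hop.group(1)), addr.group(1)))
    return found

# Sample input: hop lines copied from the two Windows traces in this thread.
WORKSTATION_TRACE = """\
1 <1 ms <1 ms <1 ms 10.10.0.1
2 40 ms 40 ms 40 ms inta0*********.pndsl.co.uk [81.174.***.***]
3 * * * Request timed out.
"""
REFERENCE_TRACE = """\
1 <1 ms <1 ms <1 ms 192.168.100.254
2 25 ms 24 ms 24 ms 192.168.200.254
3 28 ms 26 ms 27 ms 192.168.200.6
"""

if __name__ == "__main__":
    for name, trace in (("workstation", WORKSTATION_TRACE),
                        ("reference", REFERENCE_TRACE)):
        print(name, public_hops(trace) or "no public hops")
```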

17 Jul 2020 19:21 #3 by steve1984

hornbyp wrote:
There's something else that's odd - you have public IP addresses appearing in the Traceroute. Does each site just have a single LAN? Assuming yes, do the relevant devices on those LANs have the respective Vigor set as the Default Gateway?

For comparison purposes, here is a traceroute from my (similar) setup (2860n <--l2tp/ipsec-->2830n) (tracing a route from 192.168.100.8 -> 192.168.200.6)

Code:
C:\WINDOWS\system32>tracert -d 192.168.200.6

Tracing route to 192.168.200.6 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.100.254 (local 2860n)
  2    25 ms    24 ms    24 ms  192.168.200.254 (remote 2830n)
  3    28 ms    26 ms    27 ms  192.168.200.6 (remote device)

Trace complete.


No public IPs involved.



Hi Hornbyp,

Thank you for your reply. Both networks have several LANs (VLANs) but none of the other subnets are configured to route over the Lan2Lan VPN.

I see the difference but not sure why it is different... I get the same issue running a tracert from the V2860n network back to an IP on the 10.10.0.x V2850 network. Please see: https://ibb.co/BNTpGrx

Also please see LAN and routing table on V2850.
https://ibb.co/092hytS
https://ibb.co/hB9N1PN

If you have any further advice I will be most grateful.

Many thanks,
Steve

17 Jul 2020 19:24 #4 by steve1984
I do not understand why the tracert done to the .0.240 IP is different on the V2850 than when run on a machine on the V2850 network

18 Jul 2020 02:18 #5 by hornbyp
The Routing Table on the 2850 shows three public IP addresses (one of which is presumably the ISP's Default Gateway). But that still leaves two...

Are they the IP addresses of each end of the VPN? ... if so, I don't have anything comparable on either my 2830n or 2860n - both ends just have the (WAN) Public IP address and the Default Gateway (so two in total, not three).

What have you got in "Section 5." of the "VPN and Remote Access >> LAN to LAN" screen on each Router?
[There shouldn't be any Public IP's in there]

18 Jul 2020 15:00 #6 by steve1984

hornbyp wrote:
The Routing Table on the 2850 shows three public IP addresses (one of which is presumably the ISP's Default Gateway). But that still leaves two...

Are they the IP addresses of each end of the VPN? ... if so, I don't have anything comparable on either my 2830n or 2860n - both ends just have the (WAN) Public IP address and the Default Gateway (so two in total, not three).

What have you got in "Section 5." of the "VPN and Remote Access >> LAN to LAN" screen on each Router?
[There shouldn't be any Public IP's in there]



Hi Hornbyp,

Thanks once again, you were spot on with this. I had both WAN IP's in the two first boxes of section 5. I have removed this from both routers now and now when I do a tracert to 192.168.0.240 from the V2850 end, the second leg is now 192.168.0.1 (the V2860N router at the other end). However a tracert done on a workstation at V2850 end still fails whereas a tracert done on the V2850 router works fine....

It is worth noting that the 0.240 device is a NEC SV9100 phone system with two IP's assigned to the same NIC (192.168.0.240 and 0.241) - both have the same issue whereas I can ping everything else on site..... :shock:

I have just configured a second L2L between the main V2860N site and my home V2850 and have exactly the same issue. I can ping the 192.168.0.240 / 0.241 and every other device on the V2860 from the V2850(home) router but cannot ping or reach the 0.240/0.241 devices from a workstation on the V2850(Home) network. I can however reach every other device on the V2860N site from the same workstation...

I am absolutely flummoxed.... If you have any further pointers I will be most grateful.

Many thanks
Steve
