How to Determine if the Source and Destination Address Translation is Correct (KB ID: KB9542)
| Article ID: | KB9542 |
|---|---|
| Former Article ID: | |
| Published: | Jan 30, 2007 |
| Last Modified: | Jan 30, 2007 |
| Visible By: | Employee, PTAC, Partner, Customer, Public |
Synopsis
If the VPN is up but traffic is not passing through the tunnel, the cause may be an address translation issue. The VPN policy log helps identify whether the Source and Destination Address Translation is correct.
Problem
A VPN is up, but it is not passing traffic. The policy log for the VPN can help us determine if the traffic is being translated or not.
Solution
Examining the log entries in the Policy for the VPN can help determine whether the Source and/or Destination Addresses are being translated. In most cases, the addresses should NOT be translated. The only time that they will be translated is when a DIP pool is configured.
To view the log entries for a policy through the WebUI, click on Policies. Find the outgoing policy associated with the failing VPN and then click on the Log icon in the Options column. (For an example of the Log icon, consult KB4219 - WebUI Policy Icons.)
The entries should look like the image below, where the Source Address/Port and the Translated Source Address/Port match each other, and the Destination Address/Port and the Translated Destination Address/Port match each other. If they do not match, check whether Source and/or Destination NAT is enabled. To view this, click on Policies, then edit the VPN's policy and click Advanced. Source and Destination NAT should not be enabled.
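The same comparison can be scripted when many log entries need checking. The following is an added example, not part of the original article or any vendor tool: it assumes the four log columns named above have been copied into a CSV, and the column names (`src`, `xlated_src`, `dst`, `xlated_dst`), the function names and the sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rows (private and documentation addresses). The columns
# mirror the WebUI log columns named in this article; the CSV layout itself
# is an assumption, not an export format of the firewall.
SAMPLE_LOG = """\
src,xlated_src,dst,xlated_dst
10.1.1.5:1025,10.1.1.5:1025,10.2.2.8:80,10.2.2.8:80
10.1.1.6:1030,192.0.2.10:2048,10.2.2.8:80,10.2.2.8:80
10.1.1.7:1044,10.1.1.7:1044,10.2.2.9:443,198.51.100.9:443
"""

def parse_endpoint(text):
    """Split 'address:port' into (IPv4Address, int) so the comparison is
    made on values rather than on string formatting."""
    addr, _, port = text.strip().rpartition(":")
    return ipaddress.IPv4Address(addr), int(port)

def check_translation(csv_text):
    """Return (row_number, finding) per log row: 'ok' when both pairs match,
    otherwise which side (source, destination or both) was translated."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        translated = []
        if parse_endpoint(row["src"]) != parse_endpoint(row["xlated_src"]):
            translated.append("source")
        if parse_endpoint(row["dst"]) != parse_endpoint(row["xlated_dst"]):
            translated.append("destination")
        findings.append((n, "+".join(translated) or "ok"))
    return findings

if __name__ == "__main__":
    for n, result in check_translation(SAMPLE_LOG):
        if result == "ok":
            print(f"row {n}: addresses and ports match, no translation")
        else:
            print(f"row {n}: {result} translated; unless a DIP pool is "
                  "configured, check NAT under the policy's Advanced settings")
```
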
Category Description
By Product » Hardware » Firewalls
By Product » Hardware » Firewalls » NetScreen Firewall/IPSec VPN
By Product » Software » Network Operating Systems
By Product » Software » Network Operating Systems » ScreenOS Software

