Asymmetrical SiteA to SiteB but symmetrical SiteB to SiteA
Have siteA and siteB connected via OpenVPN. Have a static route at siteA pointing 10.0.254.0/24 to 10.0.34.145. Have a static route at siteB pointing 10.0.254.0/24 to 10.1.34.145. siteA has a LAN 192.168.254.0/24. siteB has a LAN 192.168.240.0/24. We are implementing NSX to perform a stretch L2VPN from siteA to siteB. For some reason the routing at either location is not the same. Ping from a VM in Stretch L2VPN siteB to LAN siteA goes to and from over the OpenVPN. Ping from a VM in Stretch L2VPN siteA to LAN siteB goes to over OpenVPN but returns over L2VPN. Due to the static routes at either location, I would expect the return packets in both situations to return over the L2VPN, since the destination network on return would be the 10.0.254.0/24 network.
Update
We have interfaces assigned to the VPN connections at both SiteA and SiteB. Looking at firewall rules, SiteA VPN-interface rules are currently (any/any). SiteA has no rules in the one named OpenVPN. SiteB also has a rule allowing (any/any) on its interface assigned to the VPN, but it also has an (any/any) rule in the one named OpenVPN. Removing the rule from the one named OpenVPN now gives me the same behavior at both locations. I am still seeing routing issues depending on which host I am pinging from.
SiteA-LAN to SiteB-L2VPN the routing is asymmetrical. Send is over L2VPN, reply is over VPN.
SiteB-L2VPN to SiteA-LAN the routing is symmetrical. Send and reply are over VPN.
SiteB-LAN to SiteA-L2VPN the routing is asymmetrical. Send is over L2VPN, reply is over VPN.
SiteA-L2VPN to SiteB-LAN the routing is symmetrical. Send and reply are over VPN.
Goal would be to get the traffic flow routing symmetrical no matter the to and from address.
Any thoughts?