New Member
Posts: 8
Registered: a week ago
Kudos: 1

Unable to access different VPN'ed subnets when on AP's SSID

We have multiple APs deployed across our network. Our network consists of our 'main' branch, which holds most of our network infrastructure, servers, etc. This network is on a 172.16.1.X scheme. We have a remote office with a 10.30.1.X scheme. We have configured a bridged VPN for the networks so the remote office can easily access our resources at the main branch. When hardwired into the main branch's LAN (172.) I can access everything on the remote network; however, when using the SSID that is connected on the main network I cannot access anything at the remote site.

 

Any help or ideas would be appreciated and thanks in advance!

 

 

Senior Member
Posts: 10,402
Registered: ‎08-04-2017
Kudos: 1691
Solutions: 508

Re: Unable to access different VPN'ed subnets when on AP's SSID

Hello @Unknown_User,

 

Welcome to the community!

 

Do you have guest policies enabled on the SSID?

Do you use USGs for the VPN connections?

 

 

Regards,

Glenn R.

Cloud Hosted Controllers | Glenn R. | UniFi Installation/Easy Update Scripts | UniFi-Video Installation/Easy Update Scripts | UniFi-VoIP Installation Scripts
USG-4-PRO • USG
USW-48-500W • USW-24-POE-250W 2x • USW-16-POE-150W • USW-24 • USW-8-150W • USW-8
UAP XG • UAP-SHD • UAP-HD • UAP-NanoHD • UAP-AC-PRO 2x • UAP-AC-LITE • UAP-AC-IW • UAP-AC-M
UCK-G2 • UCK
New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

@AmazedMender16

 

Thanks for the response! We have a guest network on a separate SSID and we do not have a USG VPN. We use a Cisco router for the VPN.

Established Member
Posts: 2,075
Registered: ‎04-21-2015
Kudos: 279
Solutions: 92

Re: Unable to access different VPN'ed subnets when on AP's SSID

When you are hardwired, what is the IP address and gateway you receive? Please confirm the IP address settings you receive when connected to the SSID.
Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do, this is not always the same as what you want.
New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

I have attached ipconfig of both. Both are going to the same gateway. In summary, the WiFi gives me a network of 172.16.2.X while Ethernet gives me a 172.16.1.X.

Ethernet.PNG
Wifi.PNG
New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

From the picture, device X on the SSID can access the server but cannot even see the 10.30.1.X network. The etherneted server can see and access everything, including device Y. We have multiple APs all configured the same so you can go anywhere in the building and have WiFi. I don't understand why the AP is not routing correctly.

Example.PNG
Established Member
Posts: 2,075
Registered: ‎04-21-2015
Kudos: 279
Solutions: 92

Re: Unable to access different VPN'ed subnets when on AP's SSID

When I am at home I will review your setup. Just finished my job for today.
Thanks,
Myky
Established Member
Posts: 2,075
Registered: ‎04-21-2015
Kudos: 279
Solutions: 92

Re: Unable to access different VPN'ed subnets when on AP's SSID

You need to check on the Cisco side (e.g. IPSec ACLs, Zone-Based policy, etc.). Something there is preventing traffic for all hosts to flow across the tunnel. Sorry, but this is not a UniFi issue, as the AP simply bridges the traffic and sends it upstream to its gateway.

Thanks,
Myky
New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

I disagree. If it was a router-based issue I would not be able to access the 'remote' subnet (10.30.1.X) when connected via Ethernet (172.16.1.X). Please reference the diagram again. This is why I believe it to be an issue with the AP.

New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

Unless you are saying that the Cisco router is somehow distinguishing the APs apart from all network devices and somehow zoning them.
Established Member
Posts: 2,075
Registered: ‎04-21-2015
Kudos: 279
Solutions: 92

Re: Unable to access different VPN'ed subnets when on AP's SSID

Yep, that is exactly what I am saying. There must be something that allows the server (172.) to access the (10.) but not other hosts in the same subnet (e.g. ACLs, firewall policies, etc.).

Thanks,
Myky
New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

I have wired into the secondary port of one of the APs and I'm able to ping the remote network. If the issue was from the router, wouldn't the secondary port also have the same issues seen on the AP?

 

I have even tried disabling the remote network's firewall and security policies and I still can't access the network via WiFi.

ping.PNG
Established Member
Posts: 2,075
Registered: ‎04-21-2015
Kudos: 279
Solutions: 92

Re: Unable to access different VPN'ed subnets when on AP's SSID

My assumption was wrong, sorry. Can you please share your unrestricted SSID settings (attach the screenshot) under the wireless networks tab?

Thanks,
Myky
New Member
Posts: 8
Registered: a week ago
Kudos: 1

Re: Unable to access different VPN'ed subnets when on AP's SSID

I continued testing and tried multiple things last night, and to my surprise I found that the 'remote' network could access the main network (I was only trying vice versa). This leads me to believe that a restart of my routers/APs on the main branch should fix the issue. I'm guessing that it is an issue with ARP or some routing table that isn't propagating correctly. I will keep everyone updated, and special thanks to @Myky for your help. I hope to do a rolling restart after working hours. I will post the SSID settings just in case later in the day.
