ER605 - VPN passthrough vs one domain
ER605 - VPN passthrough vs one domain
I have an unusual issue. My work requires I first connect to the company VPN, and then to a Cisco AnyConnect VPN to access other tools. With the ER605 having VPN passthough on my default, all used to work fine. Then sometime last year, I find that some sites and apps that once worked over AnyConnect no longer do. My solution was to add a second router (A NetGear in this case) that connects to the same ER605. It seems to only fail getting do a small (but important) number of svcs on the work network, and only when AnyConnect is engaged.
I don't do anything special with this ER605 other than assign static IPs on the LAN. I've tried putting the PC in the DMZ without success. Even tried putting the ER605 to factory defaults once, and still no luck. Our engineers didn't have a solution except to suggest adding a second router on the DMZ. The DMZ didn't seem to matter though, I've disabled it and the second router still functions fine.
As I have a working solution, I'm loathe to blame anything outside of my LAN. Typically I'd include all the specs and firmware info, but really I'm just interested in anyone's thoughts on why adding a second router between the PC and ER605 vs a direct connection to the ER605 would be actually be a solution.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Just wanted to follow up and note that I did find a solution.
First I upgraded to an ER7302: which by itself didn't fix the issue, but that alone increased my VPN speeds nearly twice fold.
Then I created a VLAN in the router to issue DHCP addresses in the 198.168.x.x range to the VLAN members. Although the AnyConnect routes listed all private IP ranges as secure, this was the change that worked.
Thanks for exploring this with me :)
- Copy Link
- Report Inappropriate Content
What is the first VPN? is this a client on the PC or is there an ER605 that handles this?
AnyConnect is on a PC, but do you use Ipsec site to site or OpenVPN to connect to the first VPN
I did a test here now with AnyConnect here and it worked perfectly, got through my company's vpn, I also have several layers of vpn like you but this is handled by an ER8411 and a router from unifi that handles Wireguard and OpenVPN for me to move on to my clients' network securely through a central VPN server in the office.
so let's start with your first VPN,
- Copy Link
- Report Inappropriate Content
The first VPN is setup in Windows, using SSTP with CHAP 2, no EAP. No special application of sorts. Back in the ER605, I have no settings enabled other than the factory defaults. I might also add that it works fine when I'm using my cell as a hotspot, which is what made me suspicious of the ER605.
- Copy Link
- Report Inappropriate Content
SSTP use port 443 and problaby do Anyconnect the same so there should be no problem to get this thrue your router.
what firmware version is installed on your ER605?
- Copy Link
- Report Inappropriate Content
I was on 1.2.1 Build 20220512 until I read your reply, but then I upgraded to ER605(UN)_V1_1.3.1 Build 20231207 (the latest). Didn't fix the issue, but never hurts to be on the latest version. (Upgraded my switches and AP too).
- Copy Link
- Report Inappropriate Content
Ok, so it's not that easy to figure out. the question is whether you must consult with those who have SSTP and AnyConnect VPN and ask if they can see anything in the logs. on TP-Link there aren't that many logs that can reveal such errors.. possibly play the ball over to TP-Link to hear what they think.
@Clive_A is our man on the forum maybe he knows more.
I also use SSTP which is powered by Intune for our internal resources at work on my home computer but I haven't had any problems with the same as you.
My other VPN to manage remote network run on a cupple of routers in my home and handel this automatic and have nothing to do with SSTP,
so sorry that I cant help you more. I will folow this thread to se if there any solution
- Copy Link
- Report Inappropriate Content
Hi @Xexus
Thanks for posting in our business forum.
Give a diagram, please. I am not following this from the beginning so I'd start over with a map which might be helpful for me to get a grasp of what's going on.
- Copy Link
- Report Inappropriate Content
I appreciate your thoughts on that, and now I've got all my devices on latest firmware which I hadn't checked for a while :)
A crude map, but in a nutshell I've got this. The red line is what I'd like to do, and the blue line through the Linksys is my workaround solution.
The Company VPN is setup in Windows: Just an address to connect to, and the details say SSTP and CHAP enabled. That gets me to many of my workplace tool.
However some also require AnyConnect. When I enable that, I can no longer route to the tools that were available with just the first VPN.
My engineering team couldn't figure out why, but recommended adding a second router between the PC and the ER605 (the Linksys). That did work, though I don't know why it does. They also suggested putting it on the ER605's DMZ, but I discovered that wasn't actually necessary to solve the problem.
When I use an AT&T hotspot connected directly to the PC I don't have to use the Linksys at all to access all of the work tools. So the problem seems to be between my PC and the ER605, and the Linksys is apparently correcting whatever routing failings that I have without it.
Over a year ago, this did work normally without needing the Linksys at all. I've tried firmware updates, a factory default reset, and have played with the ER605 VPN features though my knowledge of VPN trobleshooting is at best just making sure I've got the right server and login credentials.
Thank you for giving it some thought. :)
- Copy Link
- Report Inappropriate Content
A short comment before I go to work, check route details on Anyconnect VPN. is it like this is full tunnel and resurs outside tunnel is not aviable..
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Do you have something that looks like this?
So if none of the secured routes are in conflict with other resources, it should work..
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1749
Replies: 13
Voters 0
No one has voted for it yet.