ER605 - VPN passthrough vs one domain

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
ER605 - VPN passthrough vs one domain
2024-01-20 08:11:03 - last edited 2024-02-29 01:39:13

I have an unusual issue.  My work requires I first connect to the company VPN, and then to a Cisco AnyConnect VPN to access other tools.  With the ER605 having VPN passthrough on by default, all used to work fine.  Then sometime last year, I found that some sites and apps that once worked over AnyConnect no longer do. My solution was to add a second router (a NetGear in this case) that connects to the same ER605.  It seems to only fail getting to a small (but important) number of svcs on the work network, and only when AnyConnect is engaged.

 

I don't do anything special with this ER605 other than assign static IPs on the LAN.  I've tried putting the PC in the DMZ without success.  Even tried putting the ER605 to factory defaults once, and still no luck.  Our engineers didn't have a solution except to suggest adding a second router on the DMZ.  The DMZ didn't seem to matter though, I've disabled it and the second router still functions fine.

 

As I have a working solution, I'm loath to blame anything outside of my LAN.  Typically I'd include all the specs and firmware info, but really I'm just interested in anyone's thoughts on why adding a second router between the PC and ER605, vs a direct connection to the ER605, would actually be a solution.

#1
1 Accepted Solution
Re:ER605 - VPN passthrough vs one domain-Solution
2024-02-27 12:20:36 - last edited 2024-02-27 12:23:52

  @MR.S 

 

Just wanted to follow up and note that I did find a solution.

 

First I upgraded to an ER7302, which by itself didn't fix the issue, but that alone increased my VPN speeds nearly twofold.

 

Then I created a VLAN in the router to issue DHCP addresses in the 198.168.x.x range to the VLAN members.  Although the AnyConnect routes listed all private IP ranges as secure, this was the change that worked.

 

Thanks for exploring this with me :)

 

 

Recommended Solution
#14
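The VLAN fix in the accepted solution works by moving the LAN out of the address space the second VPN client claims for its tunnel. The script below is an added example, not from this thread or from TP-Link, that checks for exactly that kind of collision with Python's standard ipaddress module: it parses a split-tunnel client's secure/non-secure route list, reports which local prefixes (the LAN, the first VPN's subnet) would be captured by the tunnel, and looks for an RFC 1918 /24 that stays outside it. The route listing format, the LAN prefix 192.168.0.0/24 and the SSTP subnet 10.50.0.0/16 are constructed assumptions; the sample deliberately lists all private ranges as secure, the situation the solution post describes, so the search for a free /24 comes back empty.

```python
"""Added example (not from this thread or TP-Link): check whether a split-tunnel
VPN client's "secure" routes swallow prefixes you still need to reach outside
the tunnel (your LAN, the first VPN's subnet), and look for a private /24 that
stays outside it. Uses only the standard-library ipaddress module."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network

# Constructed sample of a client's route details (assumed format, not copied
# from any real client): the default route is non-secure, so only the secure
# prefixes go through the tunnel, the split-tunnel shape the thread describes.
# All three RFC 1918 blocks are listed as secure on purpose.
SAMPLE_ROUTE_DETAILS = """\
non-secure 0.0.0.0 0.0.0.0
secure 10.0.0.0 255.0.0.0
secure 172.16.0.0 255.240.0.0
secure 192.168.0.0 255.255.0.0
"""

# Constructed assumption about the home side: the router LAN and the subnet
# the first (SSTP) VPN hands out. Replace with your own values.
LOCAL_PREFIXES: Dict[str, Net] = {
    "lan": Net("192.168.0.0/24"),
    "sstp_vpn": Net("10.50.0.0/16"),
}

RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


def parse_route_details(text: str) -> Tuple[List[Net], List[Net]]:
    """Split the listing into (secure, non_secure) prefixes; accepts dotted masks."""
    secure: List[Net] = []
    non_secure: List[Net] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind, ip, mask = line.split()
        net = Net(f"{ip}/{mask}", strict=False)
        (secure if kind == "secure" else non_secure).append(net)
    return secure, non_secure


def captured_prefixes(local: Dict[str, Net], secure: Iterable[Net]) -> Dict[str, List[Net]]:
    """Map each local prefix to the secure routes overlapping it. A non-empty
    entry means packets for that prefix are pulled into the tunnel once the
    client connects, which is how LAN or first-VPN resources "disappear"."""
    secure = list(secure)
    hits: Dict[str, List[Net]] = {}
    for name, net in local.items():
        overlapping = [s for s in secure if s.overlaps(net)]
        if overlapping:
            hits[name] = overlapping
    return hits


def free_private_slash24(secure: Iterable[Net], exclude: Iterable = ()) -> Optional[Net]:
    """First RFC 1918 /24 untouched by any secure route, or None when the
    tunnel claims every private range (then renumbering alone cannot help)."""
    secure = list(secure)
    excluded = {Net(str(e)) for e in exclude}
    for block in RFC1918:
        # Skip a whole block when one secure route already contains it.
        if any(s.overlaps(block) and s.prefixlen <= block.prefixlen for s in secure):
            continue
        for candidate in block.subnets(new_prefix=24):
            if candidate in excluded:
                continue
            if not any(s.overlaps(candidate) for s in secure):
                return candidate
    return None


if __name__ == "__main__":
    sec, non_sec = parse_route_details(SAMPLE_ROUTE_DETAILS)
    print("non-secure:", [str(n) for n in non_sec])
    for name, routes in captured_prefixes(LOCAL_PREFIXES, sec).items():
        print(f"{name} {LOCAL_PREFIXES[name]} is captured by {[str(r) for r in routes]}")
    pick = free_private_slash24(sec, exclude=LOCAL_PREFIXES.values())
    print("free private /24 outside the tunnel:", pick)
```

Paste your own client's route details into SAMPLE_ROUTE_DETAILS and your LAN and first-VPN prefixes into LOCAL_PREFIXES; an entry in the captured report is the prefix to move, and a None from free_private_slash24 tells you the tunnel claims every private range, so a different range on its own will not be enough.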
Re:ER605 - VPN passthrough vs one domain
2024-01-20 13:00:31

  @Xexus 

 

What is the first VPN? Is this a client on the PC, or is there an ER605 that handles this?

AnyConnect is on a PC, but do you use IPsec site-to-site or OpenVPN to connect to the first VPN?

 

I did a test here now with AnyConnect and it worked perfectly; I got through my company's VPN. I also have several layers of VPN like you, but this is handled by an ER8411 and a router from Unifi that handles WireGuard and OpenVPN for me to move on to my clients' networks securely through a central VPN server in the office.

So let's start with your first VPN.

 

 

#2
Re:ER605 - VPN passthrough vs one domain
2024-01-22 12:23:13

  @MR.S 

 

The first VPN is set up in Windows, using SSTP with CHAP 2, no EAP.  No special application of sorts.  Back in the ER605, I have no settings enabled other than the factory defaults.  I might also add that it works fine when I'm using my cell as a hotspot, which is what made me suspicious of the ER605.

 

 

 

#3
Re:ER605 - VPN passthrough vs one domain
2024-01-22 12:32:51 - last edited 2024-01-22 12:33:53

  @Xexus 

 

SSTP uses port 443 and probably AnyConnect does the same, so there should be no problem getting this through your router.

 

What firmware version is installed on your ER605?

 

 

#4
Re:ER605 - VPN passthrough vs one domain
2024-01-22 13:58:12

  @MR.S 

 

I was on 1.2.1 Build 20220512 until I read your reply, but then I upgraded to ER605(UN)_V1_1.3.1 Build 20231207 (the latest).  Didn't fix the issue, but never hurts to be on the latest version. (Upgraded my switches and AP too).

 

 

 

 

#5
Re:ER605 - VPN passthrough vs one domain
2024-01-22 14:28:26 - last edited 2024-01-22 14:29:23

  @Xexus 

 

OK, so it's not that easy to figure out. The question is whether you must consult with those who run the SSTP and AnyConnect VPNs and ask if they can see anything in the logs. On TP-Link there aren't that many logs that can reveal such errors. Possibly play the ball over to TP-Link to hear what they think.

 

@Clive_A is our man on the forum; maybe he knows more.

 

I also use SSTP which is powered by Intune for our internal resources at work on my home computer but I haven't had any problems with the same as you.

My other VPNs to manage remote networks run on a couple of routers in my home and handle this automatically, and have nothing to do with SSTP.

 

So sorry that I can't help you more. I will follow this thread to see if there is any solution :)

 

 

 

 

 

#6
Re:ER605 - VPN passthrough vs one domain
2024-01-23 01:13:40

Hi @Xexus 

Thanks for posting in our business forum.

Give a diagram, please. I am not following this from the beginning so I'd start over with a map which might be helpful for me to get a grasp of what's going on.

#7
Re:ER605 - VPN passthrough vs one domain
2024-01-24 06:52:34

  @MR.S 

I appreciate your thoughts on that, and now I've got all my devices on latest firmware which I hadn't checked for a while :)

 

  @Clive_A 

 

A crude map, but in a nutshell I've got this.  The red line is what I'd like to do, and the blue line through the Linksys is my workaround solution.

The Company VPN is set up in Windows:  Just an address to connect to, and the details say SSTP and CHAP enabled.  That gets me to many of my workplace tools.

 

However some also require AnyConnect.  When I enable that, I can no longer route to the tools that were available with just the first VPN. 

 

My engineering team couldn't figure out why, but recommended adding a second router between the PC and the ER605 (the Linksys).  That did work, though I don't know why it does.  They also suggested putting it on the ER605's DMZ, but I discovered that wasn't actually necessary to solve the problem.

 

When I use an AT&T hotspot connected directly to the PC I don't have to use the Linksys at all to access all of the work tools.  So the problem seems to be between my PC and the ER605, and the Linksys is apparently correcting whatever routing failings that I have without it.  

 

Over a year ago, this did work normally without needing the Linksys at all.  I've tried firmware updates, a factory default reset, and have played with the ER605 VPN features, though my knowledge of VPN troubleshooting is at best just making sure I've got the right server and login credentials.

 

Thank you for giving it some thought. :)

#8
Re:ER605 - VPN passthrough vs one domain
2024-01-24 07:25:26

  @Xexus 

 

A short comment before I go to work: check the route details on the AnyConnect VPN. Is it a full tunnel, so that resources outside the tunnel are not available?

 

#9
Re:ER605 - VPN passthrough vs one domain
2024-01-24 08:30:33
0.0.0.0/0 is a Non-Secure Route. The full listing is rather large, as it is with the secure routes.
#10
Re:ER605 - VPN passthrough vs one domain
2024-01-24 09:08:14

  @Xexus 

 

Do you have something that looks like this?
So if none of the secured routes are in conflict with other resources, it should work.

 

#11