We are setting up DMVPN routers for on-demand VPNs from our remote sites to HQ. Our DMVPN routers have the front end exposed to the internet and the back end is on our special DMVPN DMZ. When the VPN is built from the remote site, traffic from the site comes into the DMZ and needs to be routed through the PA (5050) to the trusted interface (HQ LAN segment). The traffic is being blocked by policy, and when I try to put in a policy I get an L3 error. I think it's because the traffic from the site is not part of the DMVPN zone. The DMVPN zone is 192.55.XXX.XXX, but the traffic going through is on the 10.XXX.XXX.XXX network. Since the traffic being passed is not part of the zone, I think that is causing the L3 error/message.
Any suggestions would be appreciated. (We wanted to use the DMZ approach so the traffic could be controlled, blocked, and scanned as required.)
I used to have a similar setup and we changed to just use the PAN's VPN and dynamic routing, OSPF, with costs so the VPN would only be chosen if the primary link went down. However, from your description, I would say it's possibly a routing issue? The PAN might not know where to route the 192 network, or there is no secondary path to/from the remote office on the PAN?
Please let me know if I didn't understand your question.
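As an added illustration of the routing point above (not from either poster), here is what the two pieces look like in PAN-OS configure-mode `set` syntax: a static route sending the remote sites' 10.x network back towards the DMVPN hub's DMZ-side address, and a zone-to-zone rule from the DMVPN DMZ zone to trust. Zone membership on the firewall follows the ingress interface, not the source subnet, so 10.x traffic arriving on the DMZ interface is already in that zone; the virtual router, zone, interface and object names and every address are placeholders, and the `#` lines are annotations rather than CLI input.

```text
# Placeholder address objects: remote-site summary and the HQ LAN segment.
set address REMOTE-SITES-10 ip-netmask 10.0.0.0/8
set address HQ-LAN ip-netmask 172.16.0.0/16

# Route: HQ-bound replies and HQ-initiated traffic for 10.x go to the
# DMVPN hub's DMZ-side address (placeholder) on the DMZ interface.
set network virtual-router default routing-table ip static-route to-remote-sites destination 10.0.0.0/8 interface ethernet1/3 nexthop ip-address 192.55.0.10

# Policy: source zone is the zone bound to ethernet1/3 (placeholder name
# dmvpn-dmz), so decapsulated 10.x traffic matches here regardless of
# the DMZ's own 192.55.x.x addressing. Logged so it can be reviewed.
set rulebase security rules remote-sites-to-hq from dmvpn-dmz to trust source REMOTE-SITES-10 destination HQ-LAN application any service application-default action allow log-end yes
```

Tighten `application any` to the applications the sites actually need once the session logs show what crosses the rule.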