Hi there,
the reason of this post is that I have an architecture that was working perfectly until yesterday, but somehow when trying to upgrade the kind of equipments it doesn’t work anymore.
A/ FORMER architecture (working):
A.1. Equipments:
One Balance210 in central site
Several MAX HD2 enabling nomad users to connect to Intranet from various remote locations
ALL firmware the latest (uploaded 2 weeks ago)
B/ Flow of data:
B.1. Standard connection, for users who need to connect directly to Intranet:
User ----> MAX HD2 —(Speedfusion/—> Central site’s router ----> FW --/Speedfusion)–> BALANCE 210 ----> Intranet servers
- same path on the way back
B.2. Enhanced connection, for users who need privileged services to the Intranet:
Step 1: User ----> MAX HD2 —(Speedfusion±–> Central site’s router ----> FW --+Speedfusion)–> BALANCE 210
Step 2: _______________________________________________________ FW <-------------------- BALANCE 210
Step 3: _______________________________________________________ FW -------------------------------------------> Intranet servers
- same path on the way back
So, with that type of connection, Balance210 breaks the Speedfusion tunnel on packets’ arrival, sends them UN-TUNNELED back to the interface they came from (WAN1, connected to FW DMZ socket) and the FW processes the traffic before sending it to its final destination (Intranet)
B.3. Protected Internet connection, when users want to benefit the encryption of Speedfusion to the Internet, when they are in a hotel room for example:
Step 1: User ----> MAX HD2 —(Speedfusion±–> Central site’s router ----> FW --+Speedfusion)–> BALANCE 210
Step 2: _______________________Internet <---- Central site’s router <---- FW <-------------------- BALANCE 210
- same path on the way back
In this configuration, Balance210 breaks the tunnel and then sends back traffic UN-TUNNELED to the FW DMZ, last FW routes traffic to the Internet.
I’d like to stress the fact that I HAVE NO PROBLEM WITH THAT CONFIGURATION, that used to work perfectly with 2-year old HD2 and BALANCE210
C/ Elements of configuration
I’ll try here to explain briefly the configuration of devices:
- NO Drop-In
- Remote peer’s ID:
2.1. On HD2: public IP address of the FW (that forwards to the Balance, based on ports)
2.2. On Balance210: nothing - “Send All Traffic to”:
3.1. On HD2: (ID of the specific HD2’s Speedfusion tunnel)
3.2. On Balance: no configuration - this seems pretty obvious to me that Balance keeps persistency of sessions coming from HD2 boxes and send packets back to the appropriate tunnel ; so a specific tunnel SHALL NOT be mentioned here - Appropriate routes to the Intranet servers that are not directly seen by the Balance
- Routing Mode = NAT
D/NEW architecture (and problem!)
So the problem has started when I tried to replace HD2 with latest HD4, and Balance210 with latest Balance580 (latest firmware also, downloaded 2 days ago).
B.1. connection works, no problem.
BUT, as soon as, I try to have the Balance send back traffic UN-TUNNELED on the WAN1 interface, it’s very clear that actually the traffic coming from any HD4 on the Balance580 is TUNNELED again, back to the HD4. Indeed, when I log on a HD4, and traceroute to 8.8.8.8 DNS, I have the Private IP address of the HD4 that keeps displaying every 2 increments.
I’d like to mention that the TUNNEL is properly established, only the traffic that should be routed OUTSIDE of the tunnel back from the balance580 is NOT, whereas it was with previous devices.
Also, maybe the most disturbing to me is that I have the symptom, not only when I replace the 2 ends of the tunnel, but also when I replace only 1 end of the tunnel (HD2 replaced by HD4, Balance210 by Balance 580).
Any idea to help? 
Thanks,
GGI