Maybe I didn't explain myself too well. I can't see from your reply if you've checked any of the routes on your mainframe. Can you ping the mainframe from the webserver? If not, the issue is there, rather than with the firewall. IP routing is a two-way street: the packet has to know how to get back, too. Also, unless you're using IP Pool NAT, SR connections into the internal network do not "initiate" from the internal firewall interface. The client's packets run around on your internal network with their ISP-assigned, external IP address. More to chew on...

Dan Hitchcock CCNA, MCSE
Network Engineer, Xylo, Inc. (formerly employeesavings.com)
The work/life solution for corporate thought leaders
Thanks for the response, Dan. The web server makes the connection to the mainframe, and the client connects to the web server via a browser. The routes to the mainframe exist at the web server, and even with the default gateway of the web server pointing back to the firewall (to account for any ISP issues, which I don't think would be a problem due to SR "initiating" from the internal firewall interface), the connection fails and a traceroute won't complete. Any other ideas are appreciated!

Mark
Mark, I'm not sure from your message what the exact function of the web server is. Is the connection to your 3270 device a TCP session between the webserver and the 3270, or the end-user and the 3270? If it is from the client, you might want to verify that the 3270 device has a return path (i.e. default gateway) to get the packets back out to the SR client. In other words, your SR client may have some arbitrary address like 63.44.44.44 assigned by its ISP, and the 3270 must be able to route that address back to the firewall performing the encryption, or no go.

That's my initial thought. Please post with further details if that isn't the issue. Good luck!

Dan Hitchcock CCNA, MCSE
Network Engineer, Xylo, Inc. (formerly employeesavings.com)
The work/life solution for corporate thought leaders
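The return-path check Dan describes in both of his replies, written out as an added example (this is not code from the thread, nor a Check Point tool). It does a longest-prefix-match lookup over constructed routing tables for the web server and the 3270 host and asks the two questions that matter: does the forward leg have a route to the mainframe at all, and does the device that terminates the session send replies for the SR client's ISP-assigned address back toward the VPN firewall? The 172.16.x.x and 170.115.x.x ranges and the sample client address 63.44.44.44 come from the posts; every specific host, next hop and prefix is an assumption made up for illustration.

```python
import ipaddress

# Constructed addresses, assumed for this example only.
FIREWALL_INTERNAL = "172.16.0.1"     # assumed internal interface of the SR firewall
LINK_TO_FIREWALL = "170.115.0.254"   # assumed router at the 3270 site that leads back to the firewall
SITE_ROUTER = "170.115.0.1"          # assumed upstream (Internet) router at the 3270 site
SR_CLIENT = "63.44.44.44"            # ISP-assigned client address used in Dan's post
MAINFRAME = "170.115.10.5"           # assumed address of the 3270 host


def lookup(routes, dst):
    """Longest-prefix-match lookup. `routes` is a list of (prefix, next_hop).
    Returns the next hop for `dst`, or None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def check_two_way(forward_routes, return_routes, dst, client, toward_vpn_gw):
    """Forward leg: the device holding `forward_routes` (here the web server)
    needs a route to `dst`. Return leg: the device holding `return_routes`
    (here the 3270 host) must send replies for `client` toward the VPN
    firewall, because the client's packets carry its external ISP address,
    not an internal one (unless IP Pool NAT is in use). Returns (ok, reason)."""
    if lookup(forward_routes, dst) is None:
        return False, f"no route to {dst} on the forward leg"
    hop = lookup(return_routes, client)
    if hop is None:
        return False, f"no return route for {client}; replies are dropped"
    if hop != toward_vpn_gw:
        return False, f"replies for {client} leave via {hop}, not toward the VPN firewall ({toward_vpn_gw})"
    return True, "both legs route through the VPN firewall"


# Constructed routing tables (assumptions, not from the thread).
WEB_SERVER_ROUTES = [
    ("172.16.0.0/16", "172.16.0.0"),      # connected network, placeholder hop
    ("170.115.0.0/16", "172.16.0.254"),   # assumed internal router toward the 3270 site
    ("0.0.0.0/0", FIREWALL_INTERNAL),     # default gateway pointing back at the firewall
]

# Broken: the 3270 host knows the web server's network but treats the SR
# client's address like any other Internet address and replies via its own
# upstream router, so the encrypted tunnel never sees the reply.
MAINFRAME_BROKEN = [
    ("172.16.0.0/16", LINK_TO_FIREWALL),
    ("0.0.0.0/0", SITE_ROUTER),
]

# Fixed: a more specific route sends the client's address back toward the
# firewall. A default route via LINK_TO_FIREWALL would do the same for all clients.
MAINFRAME_FIXED = MAINFRAME_BROKEN + [
    ("63.44.44.0/24", LINK_TO_FIREWALL),
]


def diagnose(return_routes):
    """Run the two-way check for the constructed topology and return the verdict."""
    return check_two_way(WEB_SERVER_ROUTES, return_routes, MAINFRAME, SR_CLIENT, LINK_TO_FIREWALL)


if __name__ == "__main__":
    for label, table in (("broken", MAINFRAME_BROKEN), ("fixed", MAINFRAME_FIXED)):
        ok, reason = diagnose(table)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {reason}")
```

The same check applies if the web server, rather than the 3270 host, is the end of the TCP session: then the web server's table is the return leg and its next hop for the client must be the firewall's internal interface. A traceroute that hangs on the client, as Mark reports, is what an asymmetric return path looks like from the outside: the probes are decrypted and forwarded, but the ICMP replies go out the wrong door.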
We have been successfully using SR for almost 6 months now, but I have run into a new problem. My remote users are trying to access an internal web server which acts as a web-to-host mediator to an offsite mainframe. My web server is in the 172.16.x.x range of addresses, and that is included in my encryption domain. Connecting to it works fine. However, when it tries to serve the 3270e session from the mainframe (which has an IP in the 170.115.x.x net) it fails to connect, and I can't telnet to the port on that server, either. It is obviously a routing issue, but I've even added the 170 address as an object to my encryption domain and still no-go. When I try to traceroute to the 170 address, it locks up the clients if SR is running. I can see the packets being accepted and decrypted at the firewall. TIA for any help.

Mark

P.S. Please post to the group or my other account, [email protected]. I appreciate the consideration. I have suddenly been unable to post from that account after 2 years without problems.

Thanks.