I'm having a weird issue relating to Traffic Policy Routing / VPN / Load Balancing which I'm hoping someone can confirm as a bug, or point out what I may be doing wrong.
Here is my setup:
Site 1 (Main Site)
3 Internet Connections
Local IP Range -> 172.20.2.x
VPN Server Range -> 172.27.156.x
Load balanced with VPN as Dedicated Connection.
Site 2 (Remote Site)
2 Internet Connections
Local IP Range -> 192.168.1.x
VPN Server Range -> 172.28.56.x
Load Balanced with VPN as dedicated Connection
Now we have an Asterisk phone system at each end. We have IAX trunks which use TCP/UDP port 4569 for communication. We also have IAX trunks originating from outside the network, so I have port 4569 translated to the internal IP address of the Asterisk box when the source is the Internet.
I also have a Full Access Rule for the Asterisk server (Remote Site) which dictates a source of 192.168.1.116 (Asterisk internal IP), a destination of the Internet, Service is ANY, Action is Allow and Translation is set to NAT(VPN) so it is forced out the VPN connection.
On initial setup this all works perfectly, but then after a day or so the IAX trunks drop out and fail to connect. Troubleshooting the problem always leads me to the Asterisk Full Access Rule causing the issue. When I put a trace on this connection I see all the packets for the VPN being matched by this rule. So I see a packet from 192.168.1.116 with a source port of 4569 and a destination IP address of 172.20.2.6 (remote Asterisk IP across the VPN) being matched by this rule.
This should not be the case. The destination in this rule is set to the Internet, so why is a destination of 172.20.2.6 being matched as the Internet when it should be picked up as a VPN address?
The really weird thing is it works for a day or two, then fails. To make it work again, you disable the Full Access Rule, then the internal IAX trunks come back but the external ones drop offline, then you restart the Kerio service and re-enable the rule, and 8 times out of 10 both internal and external trunks come online again for another day or two.
Any advice / ideas?
- Jan Jezek (Kerio)
Your setup is probably too complex to be fully understandable from the description. You should include screenshots of Interfaces and Traffic Policy of both sites. I would also suggest contacting tech support with this.
Product Development Manager - Kerio Control