4-Series Processors, SSL, and VPN connection


 

Hello,
 
I have a site with two 4-Series processors, one CP4N and one Zum-Hub4. Both devices have SSL enabled. One TSW-770 connects to both devices, and this device also has SSL enabled. On-site, I can connect to all three devices without issue. Our office has a site-to-site VPN. From my desktop, I am able to connect to the TSW and every non-Crestron device on the AV VLAN; however, I am unable to connect to either processor. Neither processor responds to a ping; if I run Wireshark, I get no reply back from the two processors. I've also tried an SFTP connection through FileZilla (TSW no problem, processors time out) and SSH through PuTTY (TSW no problem, processors time out).
 
As a troubleshooting step, we created a single-user VPN. Through that I am able to connect to all the processors without an issue. The only difference we can see between the two is that with the single-user VPN, my computer receives an IP address on the customer's network, while on the site-to-site VPN, my computer keeps its IP on our network.
 
I'm curious if anybody has any insights as to why I would be unable to connect to the processors over the site-to-site VPN but have no issue with the TSW. I've checked the def router and the settings are the same on the processors and the TSW. I've also contacted TrueBlue and they are telling me that SSH must not be configured correctly, which I don't agree with, seeing as I have no issue connecting to the TSW with SSH.
 
Any insight would be appreciated.


 

My guess is you forgot to put the default gateway or have it wrong on those processors.


 

"The only difference we can see between the two is that with the single-user VPN, my computer receives an IP address on the customer's network, while on the site-to-site VPN, my computer keeps its IP on our network."
 
yeah, that’s why.


 

My bet is the IP range in your office is the same as on the control subnet of the processors, IIRC that's by default 172.22.0.0/24.
 
 
You can change the IP range on the processors through Toolbox in the Ethernet settings or with the text console command csrouterprefix. If you're using the control subnet, you may want to power cycle the devices on there for them to grab an IP in the new range. If you have addressed some with static addresses, you also need to change those to the new IP range manually.


 

Have you confirmed the correct subnet mask and default route on the processors?

If your single-user VPN gets an address on the same subnet as the devices, there is no routing (at least as far as the devices are concerned), so traffic would work. But if the mask is incorrect (such that the devices think something is subnet-local when it actually needs to be routed) or the default route is incorrect (such that the devices can't figure out how to get from A to B), it won't work for devices on another subnet.


From: crestron@groups.io <crestron@groups.io> on behalf of VVDubs23 via groups.io <stevenb@...>
Sent: Friday, November 15, 2024 1:38:24 PM
To: crestron@groups.io <crestron@groups.io>
Subject: [crestron] 4-Series Processors, SSL, and VPN connection
 
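The two replies above (the overlapping control-subnet range and the mask/default-route check) describe the same underlying failure: the processor picks the wrong path for its reply packets, so the request arrives but nothing comes back, which matches the empty Wireshark capture. The following is an added example, not code from the thread or from Crestron, that models a device's reply routing with a longest-prefix-match lookup over its connected subnets and default route. All addresses are constructed for illustration; only the 172.22.0.0/24 control-subnet default comes from the thread (recalled there as "IIRC"), and the hypothetical names `reply_path` and `build_routes` are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A single entry in the device's routing table. via=None means the prefix
# is directly connected, so the device will ARP for the destination itself.
@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    via: Optional[str] = None


def build_routes(lan_ip: str, lan_mask: str, gateway: str,
                 control_subnet: Optional[str] = None) -> List[Route]:
    """Routing table as a 4-Series processor (or a panel) would hold it:
    the connected LAN subnet, the optional connected control subnet, and a
    default route through the LAN gateway."""
    lan = ipaddress.IPv4Interface(f"{lan_ip}/{lan_mask}")
    routes = [Route(lan.network, "LAN")]
    if control_subnet:
        # Processors with the control subnet enabled own a second connected
        # network; a TSW has no such interface.
        routes.append(Route(ipaddress.IPv4Network(control_subnet), "CONTROL"))
    routes.append(Route(ipaddress.IPv4Network("0.0.0.0/0"), "LAN", via=gateway))
    return routes


def reply_path(routes: List[Route], client_ip: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match: which interface, and which next hop, the device
    uses to answer a packet from client_ip. A reply that leaves via CONTROL
    never reaches a client sitting behind the site-to-site VPN."""
    ip = ipaddress.IPv4Address(client_ip)
    best = max((r for r in routes if ip in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    return best.interface, best.via


def overlaps(office_subnet: str, control_subnet: str) -> bool:
    """True when the office range collides with the device's control subnet,
    which is exactly the condition that hijacks the reply path."""
    return ipaddress.IPv4Network(office_subnet).overlaps(
        ipaddress.IPv4Network(control_subnet))


if __name__ == "__main__":
    # Constructed values: customer AV VLAN 10.10.20.0/24, office 172.22.0.0/24
    # (colliding with the processor's default control subnet).
    office_client = "172.22.0.50"
    tsw = build_routes("10.10.20.30", "255.255.255.0", "10.10.20.1")
    cp4n = build_routes("10.10.20.31", "255.255.255.0", "10.10.20.1",
                        control_subnet="172.22.0.0/24")
    print("TSW  ->", reply_path(tsw, office_client))   # ('LAN', '10.10.20.1')
    print("CP4N ->", reply_path(cp4n, office_client))  # ('CONTROL', None)
    print("overlap:", overlaps("172.22.0.0/24", "172.22.0.0/24"))
```

The panel answers through the gateway and the processor answers onto its control subnet, so the same client gets a reply from one and silence from the other, even though the LAN gateway and mask on both are identical. Moving the control subnet with csrouterprefix, or giving the VPN client an address on the customer's subnet as the single-user VPN does, both make the longest match fall back to a route that actually reaches the client.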


 

Thank you for all the suggestions, everyone.
 
The two processors and the touchpanel are all on DHCP, plugged into the same switch. Their gateway/subnet mask information is all received from the DHCP server and is therefore the same. I can reach the touchpanel with no issue.
 
dblpnt - This looks like the right answer. I'll have to wait until I'm onsite to check, but this makes perfect sense!