VIA client traffic not going through the VIA tunnel.
Consider the following scenario:
VIA-Client ---- Independent Master Guest controller ---- L3 Router ---- Independent Master Production controller.
Here the VIA client is a laptop/PC connected by wire to the Master Guest controller. Through the L3 router it can reach the IP address of the Master Production controller, but it cannot reach any other resources on the Production network. The VIA client therefore establishes a tunneled VIA connection to the Production controller, and this tunnel comes up without any issues.
VIA Client physical wired adapter IP: 10.237.96.79/24, default gateway 10.237.96.5 (as shown by the Interface and Gateway columns of the route table below)
VIA Client DHCP server IP (wired adapter): 10.208.30.18
VIA Client virtual adapter IP: 10.232.232.92/22 (the route table below shows netmask 255.255.252.0)
VIA Client virtual adapter DNS IP: 10.208.30.18
The problem is that when the VIA client tries to reach anything on the internet, it cannot. DNS resolution for any website fails, and even pinging the DNS server fails. Instead of being tunneled back to the Production controller, the traffic is routed through the local Guest controller; because the VIA client is not sending it through the VIA tunnel, internet access fails.
Analyzing the scenario, we confirmed that the traffic should have been reaching the Master Production controller. Instead, it was seen on the Master Guest controller in the output of "show datapath session table".
We found a host route (/32) in the VIA client's route table for the DNS server IP 10.208.30.18 that pointed at the wired gateway rather than at the VIA tunnel. Below is the relevant snippet of the client's routing table:
IPv4 Route Table
Network Destination    Netmask            Gateway        Interface        Metric
0.0.0.0                0.0.0.0            10.237.96.5    10.237.96.79     20
0.0.0.0                0.0.0.0            On-link        10.232.232.92    10
10.208.30.18           255.255.255.255    10.237.96.5    10.237.96.79     11
10.208.30.194          255.255.255.255    10.237.96.5    10.237.96.79     11
10.232.232.0           255.255.252.0      On-link        10.232.232.92    261
10.232.232.92          255.255.255.255    On-link        10.232.232.92    261
The table shows two default routes: one via the wired gateway 10.237.96.5 (metric 20) and one On-link on the VIA virtual adapter 10.232.232.92 (metric 10). The lower metric means that general traffic correctly prefers the VIA tunnel. However, the /32 host route for 10.208.30.18 is a longer prefix match and therefore always wins over both default routes, so every packet to the DNS server, including the DNS queries sent from the VIA adapter, leaves through the wired gateway instead of the tunnel.
On removing this host route from the VIA client's routing table, DNS resolution and internet access worked as expected.
While establishing the VPN tunnel, VIA deliberately creates a direct (host) route to the DHCP server of the physical adapter so that the DHCP server remains reachable outside the tunnel. Without this route the client would be unable to renew the DHCP lease of the physical adapter when it expires.
In this scenario the DHCP server of the wired adapter and the DNS server assigned to the VIA virtual adapter happen to be the same host, 10.208.30.18.
DNS traffic from the VIA adapter therefore always follows the direct route that VIA created for DHCP and never enters the tunnel, which is why it was seen on the Guest controller and not on the Production controller. Removing that route restores DNS through the tunnel but leaves the wired adapter unable to renew its DHCP lease, so it is a workaround rather than a fix.
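As an added example (not part of the original article or of the VIA product), the following Python script reproduces the route selection against the route table above and flags any DNS server of the VIA adapter that a non-tunnel route would capture. It assumes the Windows forwarding rule of longest prefix first, then lowest metric, and uses the addresses from this article as its sample input; the function names and the leak check itself are illustrative.

```python
import ipaddress

# Sample input: the VIA client's route table as printed in this article
# ("route print" on Windows: destination netmask gateway interface metric).
ROUTE_TABLE = """\
0.0.0.0 0.0.0.0 10.237.96.5 10.237.96.79 20
0.0.0.0 0.0.0.0 On-link 10.232.232.92 10
10.208.30.18 255.255.255.255 10.237.96.5 10.237.96.79 11
10.208.30.194 255.255.255.255 10.237.96.5 10.237.96.79 11
10.232.232.0 255.255.252.0 On-link 10.232.232.92 261
10.232.232.92 255.255.255.255 On-link 10.232.232.92 261
"""

VIA_ADAPTER_IP = "10.232.232.92"   # VIA virtual adapter address (from the article)
VIA_DNS_IP = "10.208.30.18"        # DNS server handed to the VIA adapter (from the article)
WIRED_DHCP_IP = "10.208.30.18"     # DHCP server of the wired adapter (from the article)


def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers/blank lines
        dest, mask, gw, iface, metric = parts
        routes.append({
            # dotted netmask is accepted directly by ipaddress
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gw,        # "On-link": directly reachable, no next hop
            "interface": iface,   # local adapter address the route uses
            "metric": int(metric),
        })
    return routes


def lookup(routes, dst):
    """Route selection: longest prefix wins, ties broken by lowest metric."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def goes_through_tunnel(routes, dst, via_ip=VIA_ADAPTER_IP):
    """True if the selected route for dst exits via the VIA virtual adapter."""
    r = lookup(routes, dst)
    return r is not None and r["interface"] == via_ip


def find_leaks(routes, dns_servers, via_ip=VIA_ADAPTER_IP):
    """DNS servers of the VIA adapter that a non-tunnel route would capture."""
    return [d for d in dns_servers if not goes_through_tunnel(routes, d, via_ip)]


def drop_host_route(routes, host):
    """The workaround from the article: remove the /32 route for host.
    Caveat: if host is also the wired DHCP server, lease renewal will break."""
    net = ipaddress.ip_network(f"{host}/32")
    return [r for r in routes if r["network"] != net]


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst in ("8.8.8.8", VIA_DNS_IP):
        r = lookup(routes, dst)
        print(f"{dst:>14} -> {r['network']} via {r['gateway']} "
              f"on {r['interface']} (metric {r['metric']})")
    print("DNS servers reached outside the tunnel:", find_leaks(routes, [VIA_DNS_IP]))
    if VIA_DNS_IP == WIRED_DHCP_IP:
        print("VIA DNS server is also the wired DHCP server: same-host conflict")
    fixed = parse_routes(ROUTE_TABLE) if False else drop_host_route(routes, VIA_DNS_IP)
    print("After dropping the /32, DNS via tunnel:", goes_through_tunnel(fixed, VIA_DNS_IP))
```

Run as-is, the script shows 8.8.8.8 selecting the tunnel default route (metric 10 beats 20), while 10.208.30.18 selects the /32 via 10.237.96.5 regardless of metric, which is exactly the behavior seen on the Guest controller. drop_host_route reproduces the workaround, and the same-host check is the condition a practitioner should look for before blaming the tunnel.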
It is therefore recommended to use separate DHCP and DNS servers for wired clients and VIA clients. Using the same server for both will cause this behavior.