NSG50 Nebula Site to Site VPN stopped working

bektek
bektek Posts: 4  Freshman Member

Not sure exactly when this happened, but I have two sites with NSG50s, and they have been working flawlessly for a few years using the Nebula VPN just to carry some VoIP traffic between phone systems (very low usage).

A few weeks ago the customer reached out to us because they couldn't call site to site. After getting a tech on-site and resetting the equipment, we determined that the site-to-site VPN would not come up between the two routers. Both are connected directly to the ISP's public Internet with no additional routers and have DHCP IP addresses from the ISP. I can ping between the two routers successfully using the Ping command in Nebula, but the VPN will not connect. Rebooting the devices had no effect. Both sit within the same DHCP scope from the ISP and share a common gateway on the public interface.

I went so far as to remove the NSG50s from each site, wait 10 minutes, then re-add them to clear the configuration and reload it in case it had become corrupted, but the VPN will not come up. Essentially this is what I am seeing in the logs on both routers, but it goes no further (the firewall entries are not related to the VPN). Any ideas here?


All Replies

  • Zyxel_Kay
    Zyxel_Kay Posts: 991  Zyxel Employee

    Hi @bektek

    Thank you for reaching out to us!

    Since the site-to-site VPN has been functioning for years, could you confirm if there were any configuration changes or updates made in the past few weeks? This could help us narrow down potential causes.

    Additionally, please enable Zyxel Support access and provide us with your Nebula organization and site names. This will allow us to investigate the issue directly on your sites and assist with troubleshooting.

    Kay

    Engage in the Community, become an MVP, and win exclusive prizes! https://bit.ly/Community_MVP

  • bektek
    bektek Posts: 4  Freshman Member

    @Zyxel_Kay Thank you… PM sent.

  • Zyxel_Kay
    Zyxel_Kay Posts: 991  Zyxel Employee
    Answer ✓

    Hi @bektek

    After reviewing the issue, we noticed that the two NSG50 devices are unable to reach each other.

    However, our tests from Zyxel's network show that we can successfully reach both NSG50 devices, indicating that ICMP packets are not being blocked by their WAN interfaces.

    The connectivity issue between the two NSG50s is preventing the site-to-site VPN from even establishing Phase 1, resulting in "Peer not reachable" logs since the ISP switched to fiber and new public IP addresses on September 6th.

    (You can find more details in the attached CSV files sent via private message.)

    Time             Category   Source IP    Destination IP   Detail
    2024/9/6 08:04   vpn        2**...227    2**...230        Peer not reachable

    Time             Category   Source IP    Destination IP   Detail
    2024/9/6 08:01   vpn        2**...230    2**...227        Peer not reachable

    We’ve also confirmed that both NSG50 devices have the correct interface IP addresses and VPN configuration in place.

    Kay

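An added example, not Zyxel's code and not part of the original thread, of the check a practitioner would run over an exported Nebula event log like the tables above before opening an ISP ticket: group the "Peer not reachable" rows by peer pair, find the earliest timestamp (when the outage began), and flag whether both gateways report the other as unreachable. A symmetric failure with nothing else in the VPN log points at the path between the two WAN addresses rather than at one device's configuration. The CSV column order (Time, Category, Source IP, Destination IP, Detail) follows the table in the post; the 203.0.113.x addresses and the extra rows are constructed sample data standing in for the redacted public IPs.

```python
"""Summarize "Peer not reachable" events from a Nebula VPN event-log CSV.

Added example, not Zyxel code. Column layout follows the table in the
post; the sample rows and 203.0.113.x addresses below are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. 203.0.113.x is documentation address space
# standing in for the redacted public addresses in the post.
SAMPLE_CSV = """Time,Category,Source IP,Destination IP,Detail
2024/9/5 23:58,vpn,203.0.113.227,203.0.113.230,IKE SA established
2024/9/6 08:01,vpn,203.0.113.230,203.0.113.227,Peer not reachable
2024/9/6 08:04,vpn,203.0.113.227,203.0.113.230,Peer not reachable
2024/9/6 08:09,firewall,10.0.1.25,8.8.8.8,Match default rule DROP
2024/9/6 08:34,vpn,203.0.113.230,203.0.113.227,Peer not reachable
"""

IN_TIME_FMT = "%Y/%m/%d %H:%M"   # Nebula export style, no zero padding
OUT_TIME_FMT = "%Y-%m-%d %H:%M"


def parse_rows(text):
    """Yield dicts for vpn-category rows only; firewall noise is skipped."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["Category"].strip().lower() != "vpn":
            continue
        yield {
            "time": datetime.strptime(row["Time"].strip(), IN_TIME_FMT),
            "src": row["Source IP"].strip(),
            "dst": row["Destination IP"].strip(),
            "detail": row["Detail"].strip(),
        }


def summarize_unreachable(text):
    """Per unordered peer pair: first failure time, total failures, and
    whether both gateways report the other as unreachable."""
    pairs = defaultdict(lambda: {"first": None, "directions": defaultdict(int)})
    for ev in parse_rows(text):
        if ev["detail"] != "Peer not reachable":
            continue
        key = tuple(sorted((ev["src"], ev["dst"])))   # same key either way
        entry = pairs[key]
        entry["directions"][(ev["src"], ev["dst"])] += 1
        if entry["first"] is None or ev["time"] < entry["first"]:
            entry["first"] = ev["time"]
    return {
        key: {
            "first_seen": entry["first"].strftime(OUT_TIME_FMT),
            "failures": sum(entry["directions"].values()),
            "bidirectional": len(entry["directions"]) == 2,
        }
        for key, entry in pairs.items()
    }


def report(text):
    """Human-readable lines, one per peer pair, for the ticket or runbook."""
    lines = []
    for (a, b), s in sorted(summarize_unreachable(text).items()):
        scope = "both ends" if s["bidirectional"] else "one end only"
        lines.append(f"{a} <-> {b}: peer unreachable since {s['first_seen']} "
                     f"({s['failures']} events, reported from {scope})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; a pair reported from both ends with no intervening IKE proposal or authentication errors is the signature described in the answer above, where Phase 1 never starts because the initiator's UDP 500 packets never arrive.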

  • bektek
    bektek Posts: 4  Freshman Member

    Yes, thank you for confirming. I went on-site to both locations and was able to replicate your findings, although I swear I could ping between them last week. This seems to fall directly into the ISP's lap as an issue where they are blocking the connectivity between these locations, and I have a ticket open with the NOC center to rectify the issue. Thank you.
