USG FlexH500 HA / VPN Ike2 Cert

Fred_77

Hi everyone, I need to setup a client-to-site ike2 VPN with a self-signed certificate on a pair of Flex 500H in HA. My question: What happens to the certificate when failover occurs? Will external clients continue to connect? Or not?

Thanks in advance

Lorenzo

Zyxel_Melen

Hi @Fred_77,

I apologize for my miss that I didn't reply to your comment.

For the license issue, I will send you a private message for the org access and the device MAC address to check this issue.

Zyxel_Melen

Hi @Fred_77,

When you import, the certificate is applied to the HA master and slave. Therefore, the remote access VPN client's connection should not be affected.

May I know if you encountered any issues in this scenario?

Fred_77

Hi @Zyxel_Melen ,

Yesterday we had a test session on devices. This is what we did:

Flex500H-01 and Flex500H-02: directly connected to the ISP router (Ge1)

Lan1 (Ge5) connected to our MGMT laptop.

Flex500H-01

Wizard first run, joined to customer's nebula org in HQ-Site.

Just few changes from default configuration.

Interfaces:

Wan ip x.y.z.76/28

Wan gw x.y.z.65/28

Lan1 IP 192.168.168.1

Lan2 IP 192.168.169.250

System=>Settings

Https port 9443

System=>Certificate

Created a new self signed cert.

Object=>User&Auth=>Users/Group:

Created a user to test vpn

VPN=>IPSec=>Remote Access:

Configured a client to site VPN IKE2 with cert.

Flex500H-02

Wizard first run, joined to customer's nebula org in "Temp-Site".

Just few changes from default configuration.

Interfaces:

Wan ip x.y.z.75/28

Wan gw x.y.z.65/28

System=>Settings

Https port 9443

No other config made.

Both devices run latest firmware, same license/signature

So far, so good.

Enabled HA on Flex500H-01 as primary,

active ip 10.10.10.4/24

passive ip 10.10.10.5/24

monitored interface Ge1 (only link down)

Enabled Ha on Flex500H-02 as secondary

Linked devices via HB on port 12.

As expected secondary device removed from Temp-Site (still visible in inventory on NCC), all ports disabled except HB, responding at 10.10.10.5

On active device everything "SEEMS" ok: devices paired and license expiration date postponed by one year.

But good news end here.

Active device reports "Sync fail"; passive device kept it's own configuration.

Tryed anyway faiover unplugging ge1 on active device.

After 5 sec. devices swapped role (but not the configuration).

Reconnected ge1 on "now-passive" device, waited a while, and unplugged ge1 on active device.

I would have expected another role swap and instead...

BOOOM

both devices unreachable not responding to ping.

Only solution, turn off both devices and turn them on one at a time.

Primary (Active) device reports HA status "paired"; "none" as last sync; and ALL LICENCES EXPIRED!

As a final test, I tried to force sync with cli in the web console, to no avail. Still "sync failed".

Discouraged, I stopped testing.

Thanks in advance for any suggestions

Lorenzo

Fred_77

Hi all,

Update

i did several tests and after a non-sense sequence (IMHO), HA works as expectec.

I had to:

disable SSH and FTP

Reboot

enable SSH and FTP

Reboot

Note that the same sequence without 2 restarts did non fix the problem.

I can now force a manual full sync successfully.

Licenses still expired.

Thanks in advance

Lorenzo

Zyxel_Melen

Hi @Fred_77,

I apologize for my miss that I didn't reply to your comment.

For the license issue, I will send you a private message for the org access and the device MAC address to check this issue.