USG FlexH500 HA / VPN Ike2 Cert
Hi everyone, I need to set up a client-to-site IKE2 VPN with a self-signed certificate on a pair of Flex 500H in HA. My question: What happens to the certificate when failover occurs? Will external clients continue to connect? Or not?
Thanks in advance
Lorenzo
Accepted Solution
-
Hi @Fred_77,
I apologize for missing your comment and not replying to it.
For the license issue, I will send you a private message for the org access and the device MAC address to check this issue.
Zyxel Melen0
All Replies
-
Hi @Fred_77,
When you import, the certificate is applied to the HA master and slave. Therefore, the remote access VPN client's connection should not be affected.
May I know if you encountered any issues in this scenario?
Zyxel Melen0 -
Hi @Zyxel_Melen,
Yesterday we had a test session on devices. This is what we did:
Flex500H-01 and Flex500H-02: directly connected to the ISP router (Ge1)
Lan1 (Ge5) connected to our MGMT laptop.
Flex500H-01
Wizard first run, joined to customer's nebula org in HQ-Site.
Just a few changes from the default configuration.
Interfaces:
Wan ip x.y.z.76/28
Wan gw x.y.z.65/28
Lan1 IP 192.168.168.1
Lan2 IP 192.168.169.250
System=>Settings
Https port 9443
System=>Certificate
Created a new self signed cert.
Object=>User&Auth=>Users/Group:
Created a user to test vpn
VPN=>IPSec=>Remote Access:
Configured a client to site VPN IKE2 with cert.
Flex500H-02
Wizard first run, joined to customer's nebula org in "Temp-Site".
Just a few changes from the default configuration.
Interfaces:
Wan ip x.y.z.75/28
Wan gw x.y.z.65/28
System=>Settings
Https port 9443
No other config made.
Both devices run the latest firmware, same license/signature.
So far, so good.
Enabled HA on Flex500H-01 as primary:
active ip 10.10.10.4/24
passive ip 10.10.10.5/24
monitored interface Ge1 (only link down)
Enabled HA on Flex500H-02 as secondary.
Linked devices via HB on port 12.
As expected, the secondary device was removed from Temp-Site (still visible in inventory on NCC), all ports disabled except HB, responding at 10.10.10.5.
On the active device everything "SEEMS" ok: devices paired and license expiration date postponed by one year.
But the good news ends here.
Active device reports "Sync fail"; passive device kept its own configuration.
Tried failover anyway by unplugging Ge1 on the active device.
After 5 sec. the devices swapped roles (but not the configuration).
Reconnected Ge1 on the "now-passive" device, waited a while, and unplugged Ge1 on the active device.
I would have expected another role swap, and instead...
BOOOM
both devices unreachable, not responding to ping.
Only solution: turn off both devices and turn them on one at a time.
Primary (Active) device reports HA status "paired"; "none" as last sync; and ALL LICENCES EXPIRED!
As a final test, I tried to force a sync with the CLI in the web console, to no avail. Still "sync failed".
Discouraged, I stopped testing.
Thanks in advance for any suggestions
Lorenzo
0 -
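A check to go with the failover test above, added here and not part of the thread: record the SHA-256 fingerprint of the certificate the active unit presents before and after a failover and compare the two, so a certificate that was not replicated to the peer shows up as a mismatch instead of as client trust failures. It assumes openssl is installed, that the management HTTPS port (9443 in the thread) serves the same self-signed certificate that was selected for the IKEv2 remote-access VPN, and that the host name is a placeholder to replace with the HA active IP.

```shell
#!/bin/sh
# Added example, not from the thread or from Zyxel. Assumption: the HTTPS
# management port presents the same self-signed certificate chosen for the
# IKEv2 remote-access VPN; if a different certificate is bound there, compare
# against the VPN certificate exported from System => Certificate instead.

# fingerprint_of_pem FILE -> prints "SHA256:aa:bb:..." for the first cert in FILE
fingerprint_of_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*Fingerprint=/SHA256:/'
}

# fetch_cert HOST PORT OUTFILE -> saves the leaf certificate presented at HOST:PORT
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# compare_fingerprints FILE_BEFORE FILE_AFTER -> returns 0 when both certs match
compare_fingerprints() {
    before=$(fingerprint_of_pem "$1")
    after=$(fingerprint_of_pem "$2")
    if [ "$before" = "$after" ]; then
        echo "OK: certificate unchanged ($before)"
        return 0
    fi
    echo "MISMATCH: before=$before after=$after" >&2
    return 1
}

# Usage against the HA active IP (placeholder host, not the thread's addresses):
#   fetch_cert vpn.example.invalid 9443 before.pem   # before failover
#   ... unplug Ge1 on the active unit and wait for the role swap ...
#   fetch_cert vpn.example.invalid 9443 after.pem    # after failover
#   compare_fingerprints before.pem after.pem
```

A non-zero exit from compare_fingerprints means the unit that took over is serving a different certificate, which is exactly the case in which remote-access clients pinned to the self-signed certificate will refuse to connect.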
Hi all,
Update
I did several tests, and after a nonsensical sequence (IMHO), HA works as expected.
I had to:
disable SSH and FTP
Reboot
enable SSH and FTP
Reboot
Note that the same sequence without the 2 restarts did not fix the problem.
I can now force a manual full sync successfully.
Licenses still expired.
Thanks in advance
Lorenzo
0 -