USG FlexH500 HA / VPN Ike2 Cert

Fred_77 Posts: 123  Ally Member

Hi everyone, I need to set up a client-to-site IKEv2 VPN with a self-signed certificate on a pair of Flex 500H in HA. My question: what happens to the certificate when failover occurs? Will external clients continue to connect, or not?

Thanks in advance

Lorenzo

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,116  Zyxel Employee
    Answer ✓

    Hi @Fred_77,

    I apologize for my oversight; I didn't reply to your comment.

    For the license issue, I will send you a private message for the org access and the device MAC address to check this issue.

    Zyxel Melen


All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 3,116  Zyxel Employee

    Hi @Fred_77,

    When you import, the certificate is applied to the HA master and slave. Therefore, the remote access VPN client's connection should not be affected.

    May I know if you encountered any issues in this scenario?

    Zyxel Melen
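    A practical way to check the statement above during an HA failover test is to sample the certificate the firewall presents before, during and after the role swap and confirm that the fingerprint never changes. The script below is an added example written for this thread; it is not Zyxel code and not something the thread's participants posted. It samples the certificate served on the HTTPS admin port (9443 in the configuration described later in this thread) with Python's standard `ssl` module, so it only stands in for the IKEv2 server certificate if the same self-signed certificate is assigned to both the web console and the Remote Access VPN, which the reader must confirm in their own configuration. The hostname is a placeholder; the `timeout` argument of `ssl.get_server_certificate` needs Python 3.10 or newer.

    ```python
    import hashlib
    import ssl
    import time
    from typing import Dict, List, Optional

    HOST = "vpn.example.invalid"  # placeholder: the HA active unit's WAN address or VIP
    PORT = 9443                   # HTTPS admin port used on both units in this thread


    def fingerprint_from_der(der: bytes) -> str:
        """SHA-256 over the DER certificate, colon-separated like OpenSSL's -fingerprint."""
        digest = hashlib.sha256(der).hexdigest().upper()
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


    def fingerprint_from_pem(pem: str) -> str:
        # PEM_cert_to_DER_cert only base64-decodes; it performs no validation.
        return fingerprint_from_der(ssl.PEM_cert_to_DER_cert(pem))


    def fetch_fingerprint(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
        """Return the peer's certificate fingerprint, or None when unreachable.

        The certificate is self-signed, so no chain validation is attempted here;
        the point is identity continuity across failover, not trust.
        """
        try:
            pem = ssl.get_server_certificate((host, port), timeout=timeout)
        except OSError:  # socket timeouts and ssl.SSLError both derive from OSError
            return None
        return fingerprint_from_pem(pem)


    def analyse(samples: List[Optional[str]]) -> Dict[str, object]:
        """Summarise a series of fingerprint samples taken across a failover test.

        None entries are samples where the endpoint did not answer. A run of
        consecutive None values counts as one outage; a non-None fingerprint that
        differs from the previous non-None one counts as a certificate change.
        """
        distinct: List[str] = []
        outages = 0
        changes = 0
        previous: Optional[str] = None
        in_outage = False
        for fp in samples:
            if fp is None:
                if not in_outage:
                    outages += 1
                    in_outage = True
                continue
            in_outage = False
            if fp not in distinct:
                distinct.append(fp)
            if previous is not None and fp != previous:
                changes += 1
            previous = fp
        return {
            "distinct": distinct,
            "outages": outages,
            "cert_changes": changes,
            # True when every answering sample presented the same certificate,
            # i.e. clients pinning the self-signed cert keep working after the swap.
            "consistent": len(distinct) <= 1,
        }


    def watch(host: str, port: int, samples: int = 60, interval: float = 2.0) -> Dict[str, object]:
        """Poll the endpoint while you pull the monitored link, then summarise."""
        seen: List[Optional[str]] = []
        for _ in range(samples):
            fp = fetch_fingerprint(host, port)
            seen.append(fp)
            print(time.strftime("%H:%M:%S"), fp or "no answer")
            time.sleep(interval)
        return analyse(seen)


    if __name__ == "__main__":
        print(watch(HOST, PORT))
    ```

    Start the script, then unplug Ge1 on the active unit as described in the test below; a result with `outages == 1` and `consistent == True` means the swap cost only the expected few seconds and the passive unit served the identical certificate, whereas `cert_changes > 0` means the passive unit kept its own certificate and pinned clients will fail after failover.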


  • Fred_77
    Fred_77 Posts: 123  Ally Member

    Hi @Zyxel_Melen ,

    Yesterday we had a test session on devices. This is what we did:

    Flex500H-01 and Flex500H-02: directly connected to the ISP router (Ge1)

    Lan1 (Ge5) connected to our MGMT laptop.

    Flex500H-01

    Wizard first run, joined to customer's nebula org in HQ-Site.

    Just a few changes from the default configuration.

    Interfaces:

    Wan ip x.y.z.76/28

    Wan gw x.y.z.65/28

    Lan1 IP 192.168.168.1

    Lan2 IP 192.168.169.250

    System=>Settings

    Https port 9443

    System=>Certificate

    Created a new self-signed cert.

    Object=>User&Auth=>Users/Group:

    Created a user to test vpn

    VPN=>IPSec=>Remote Access:

    Configured a client to site VPN IKE2 with cert.

    Flex500H-02

    Wizard first run, joined to customer's nebula org in "Temp-Site".

    Just a few changes from the default configuration.

    Interfaces:

    Wan ip x.y.z.75/28

    Wan gw x.y.z.65/28

    System=>Settings

    Https port 9443

    No other config made.

    Both devices run latest firmware, same license/signature

    So far, so good.

    Enabled HA on Flex500H-01 as primary,

    active ip 10.10.10.4/24

    passive ip 10.10.10.5/24

    monitored interface Ge1 (only link down)

    Enabled Ha on Flex500H-02 as secondary

    Linked devices via HB on port 12.

    As expected, the secondary device was removed from Temp-Site (still visible in the inventory on NCC), all ports disabled except HB, responding at 10.10.10.5.

    On active device everything "SEEMS" ok: devices paired and license expiration date postponed by one year.

    But good news end here.

    Active device reports "Sync fail"; passive device kept its own configuration.

    Tried failover anyway by unplugging Ge1 on the active device.

    After 5 sec. devices swapped role (but not the configuration).

    Reconnected Ge1 on the "now-passive" device, waited a while, and unplugged Ge1 on the active device.

    I would have expected another role swap and instead...

    BOOOM

    Both devices unreachable, not responding to ping.

    Only solution: turn off both devices and turn them on one at a time.

    Primary (Active) device reports HA status "paired", "none" as last sync, and ALL LICENSES EXPIRED!

    As a final test, I tried to force sync with cli in the web console, to no avail. Still "sync failed".

    Discouraged, I stopped testing.

    Thanks in advance for any suggestions

    Lorenzo

  • Fred_77
    Fred_77 Posts: 123  Ally Member

    Hi all,

    Update

    I did several tests and after a nonsensical sequence (IMHO), HA works as expected.

    I had to:

    disable SSH and FTP

    Reboot

    enable SSH and FTP

    Reboot

    Note that the same sequence without the two restarts did not fix the problem.

    I can now force a manual full sync successfully.

    Licenses still expired.

    Thanks in advance

    Lorenzo
