Site-to-Site VPN Issues after Internet Connection Change
We have a problem in our company with the Nebula Cloud that is driving us crazy. We have 17 locations that are connected via Site-to-Site VPN (Hub-and-Spoke topology), or rather, were connected. When the peers try to connect to the hub, the VPN tunnel simply collapses in Phase 1. Nothing has changed with the ISP, the necessary ports are still open.
I have already replaced the firewall that serves as the hub. I have deactivated all Site-to-Site VPN settings and tried to set up a new network, without success. I am at a loss.
The only connection that could have caused the problems is a change in the internet connection at one of the locations. Exactly at the time when I reconfigured the gateway at one location from one internet connection to another, all VPN tunnels collapsed. Can a change in the public IP at one of the peers cause the entire VPN network to collapse? Strangely, locations that were not previously part of the VPN network can be added cleanly and establish a connection. Only the existing locations that were connected at the time of the change refuse to establish a tunnel.
Is there anything I can do to get the locations to reconnect?
Thanks for the help!
Accepted Solution
Hi @GGSD_IT ,
We've been reviewing your Nebula organization and sites, and we'll update you if we find any issues.
"At one location, I deleted the firewall from the cloud, reset it, re-added it to the cloud, and reconfigured it. After that, the VPN connection worked again without any issues."
Regarding your workaround solution: when you remove a device from the Nebula organization, it will automatically reset to its factory default configuration. There's no need to press the physical reset button.
Zyxel_Judy
0
All Replies
Hi @GGSD_IT ,
To better support you, could you please share the following information:
- Which firewalls (hub) were used before and after the replacement? Tell us the organization and site name as well.
- Which firewall (spoke) had its internet connection changed, causing all VPN tunnels to collapse? Tell us the organization and site name as well.
- Are all 17 locations using Zyxel firewalls within the same Nebula organization?
By the way, please follow the instructions to enable Zyxel support so that we can check.
Zyxel_Judy
0 -
Hello @Zyxel_Judy,
Regarding your questions:
- All locations are part of the same organization, "Gemeinnützige Gesellschaft für soziale Dienste -DAA- mbH". At 15 of the 17 locations, we are using an NSG 50, and at the other two, a USG Flex 100.
- As hub, we are using the USG Flex 100, which was also replaced with the same model. The firewall is located at the site "Nürnberg HV Roritzer - Schulnetz".
- The firewall (spoke), which is now connected to a new internet connection, is located at the site "Nürnberg LW - Schulnetz".
I have invited Zyxel support as administrator.
0 -
@Zyxel_Judy
I seem to have found a solution, although it is very labor-intensive. Somehow, the firewalls in the Nebula Cloud got "stuck," at least concerning the VPN. At one location, I deleted the firewall from the cloud, reset it, re-added it to the cloud, and reconfigured it. After that, the VPN connection worked again without any issues. I would now have to do this at all the remaining 15 locations, which unfortunately means a lot of effort. Is there perhaps another solution without having to drive hundreds of kilometers to each location? And what worries me is, what to do if the problem occurs again in a few months?
0 -
Hi @GGSD_IT ,
After checking your Nebula site and devices, we found that the problem is on the NSG50s. They all have an incorrect VPN configuration in which the Peer ID does not match the hub USG FLEX 100. The mismatched ID is that of the previous hardware of the hub USG FLEX 100.
Please remove the NSG50 from the Nebula Org/Site following the steps in my previous comment, and add it back again. We believe this can force the device to get the correct configuration so that the VPN can work.
Zyxel_Judy
0 -
Hi @Zyxel_Judy
Meanwhile, the VPN is working again with most firewalls. Except for four sites, it was sufficient to only remove the firewall from the site for the others. For the remaining ones, it only works if I delete the firewall from the organization (which was already the case). I now hope that all tunnels remain stable and the problem does not recur. Thank you very much for the support.
0