Site-to-Site VPN Issues after Internet Connection Change

GGSD_IT Posts: 5  Freshman Member

We have a problem in our company with the Nebula Cloud that is driving us crazy. We have 17 locations that are connected via Site-to-Site VPN (Hub-and-Spoke topology), or rather, were connected. When the peers try to connect to the hub, the VPN tunnel simply collapses in Phase 1. Nothing has changed with the ISP, the necessary ports are still open.

I have already replaced the firewall that serves as the hub. I have deactivated all Site-to-Site VPN settings and tried to set up a new network, without success. I am at a loss.

The only connection that could have caused the problems is a change in the internet connection at one of the locations. Exactly at the time when I reconfigured the gateway at one location from one internet connection to another, all VPN tunnels collapsed. Can a change in the public IP at one of the peers cause the entire VPN network to collapse? Strangely, locations that were not previously part of the VPN network can be added cleanly and establish a connection. Only the existing locations that were connected at the time of the change refuse to establish a tunnel.

Is there anything I can do to get the locations to reconnect?

Thanks for help!

Accepted Solution

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee
    Answer ✓

    Hi @GGSD_IT ,

    We've been reviewing your Nebula organization and sites, and we'll update you if we find any issues.

    "At one location, I deleted the firewall from the cloud, reset it, re-added it to the cloud, and reconfigured it. After that, the VPN connection worked again without any issues."

    Regarding your workaround solution: when you remove a device from the Nebula organization, it will automatically reset to its factory default configuration. There's no need to press the physical reset button.

    Zyxel_Judy

All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee

    Hi @GGSD_IT ,

    To better support you, could you please share the following information:

    • Which firewalls (hub) were used before and after the replacement? Tell us the organization and site name as well.
    • Which firewall (spoke) had its internet connection changed, causing all VPN tunnels to collapse? Tell us the organization and site name as well.
    • Are all 17 locations using Zyxel firewalls within the same Nebula organization?

    By the way, please follow the instruction to enable Zyxel support for our checking.

    Zyxel_Judy

  • GGSD_IT
    GGSD_IT Posts: 5  Freshman Member

    Hello @Zyxel_Judy,

    Regarding your questions:

    • All locations are part of the same organization, "Gemeinnützige Gesellschaft für soziale Dienste -DAA- mbH". At 15 of the 17 locations, we are using an NSG 50, and at the other two, a USG Flex 100.
    • As hub, we are using the USG Flex 100, which was also replaced with the same model. The firewall is located at the site "Nürnberg HV Roritzer - Schulnetz".
    • The firewall (spoke), which is now connected to a new internet connection, is located at the site "Nürnberg LW - Schulnetz".

    I have granted the invite for Zyxel support as administrator.

  • GGSD_IT
    GGSD_IT Posts: 5  Freshman Member

    @Zyxel_Judy

    I seem to have found a solution, although it is very labor-intensive. Somehow, the firewalls in the Nebula Cloud got "stuck," at least concerning the VPN. At one location, I deleted the firewall from the cloud, reset it, re-added it to the cloud, and reconfigured it. After that, the VPN connection worked again without any issues. I would now have to do this at all the remaining 15 locations, which unfortunately means a lot of effort. Is there perhaps another solution without having to drive hundreds of kilometers to each location? And what worries me is, what to do if the problem occurs again in a few months?

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,317  Zyxel Employee

    Hi @GGSD_IT ,

    After checking your Nebula site and devices, we found that the problem is on the NSG50s. They all have an incorrect VPN configuration in which the Peer ID does not match the hub USG FLEX 100. The mismatched ID is for the previous hardware of the hub USG FLEX 100.
    Please remove the NSG50 from the Nebula Org/Site following the steps in my previous comment, and add it back again. We believe that this can force the device to get the correct configuration so that the VPN can work.

    Zyxel_Judy
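
The stale Peer ID condition described in the reply above, as an added example that is not part of the original thread and is not Zyxel or Nebula tooling: an offline audit that compares each spoke's expected hub identity with the current hub identity and sorts sites by what needs fixing. The record layout, site names and ID strings are all constructed assumptions; real values would come from whatever configuration export is available.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SpokeVpn:
    site: str
    local_id: str  # identity this spoke presents during IKE Phase 1
    peer_id: str   # identity this spoke expects the hub to present


# Constructed sample data (hypothetical IDs, not taken from the thread).
CURRENT_HUB_ID = "hub-hw-B"      # identity of the replacement hub hardware
RETIRED_HUB_IDS = {"hub-hw-A"}   # identity of the hub hardware that was swapped out
HUB_EXPECTED = {"site-01": "spoke-01", "site-02": "spoke-02",
                "site-03": "spoke-03", "site-04": "spoke-04"}
SPOKES = [
    SpokeVpn("site-01", "spoke-01", "hub-hw-A"),      # still pinned to old hub
    SpokeVpn("site-02", "spoke-02", "hub-hw-B"),      # healthy
    SpokeVpn("site-03", "spoke-03-new", "hub-hw-B"),  # hub has stale spoke ID
    SpokeVpn("site-04", "spoke-04", "hub-hw-A"),      # still pinned to old hub
]


def classify(spoke, hub_id, retired_ids, hub_expected):
    """Return 'ok', 'stale-hub-id', 'unknown-hub-id' or 'hub-rejects-spoke'."""
    if spoke.peer_id != hub_id:
        # The spoke rejects the identity the hub presents, so Phase 1 fails.
        if spoke.peer_id in retired_ids:
            return "stale-hub-id"
        return "unknown-hub-id"
    if hub_expected.get(spoke.site) != spoke.local_id:
        # IKE identity checks run in both directions: the hub must also
        # recognise the identity the spoke presents.
        return "hub-rejects-spoke"
    return "ok"


def audit(spokes, hub_id, retired_ids, hub_expected):
    """Group site names by classification, preserving input order."""
    report = {}
    for spoke in spokes:
        status = classify(spoke, hub_id, retired_ids, hub_expected)
        report.setdefault(status, []).append(spoke.site)
    return report


if __name__ == "__main__":
    result = audit(SPOKES, CURRENT_HUB_ID, RETIRED_HUB_IDS, HUB_EXPECTED)
    for status, sites in result.items():
        print(f"{status}: {', '.join(sites)}")
```

Sites reported as `stale-hub-id` match the symptom in this thread: tunnels that existed before the hub swap fail in Phase 1, while newly added sites, which receive the current hub identity, connect cleanly.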

  • GGSD_IT
    GGSD_IT Posts: 5  Freshman Member
    edited June 27

    Hi @Zyxel_Judy

    Meanwhile, the VPN is working again with most firewalls. Except for four sites, it was sufficient to only remove the firewall from the site for the others. For the remaining ones, it only works if I delete the firewall from the organization (which was already the case). I now hope that all tunnels remain stable and the problem does not recur. Thank you very much for the support.