Site-to-Site VPN Issues after Internet Connection Change

GGSD_IT

We have a problem in our company with the Nebula Cloud that is driving us crazy. We have 17 locations that are connected via Site-to-Site VPN (Hub-and-Spoke topology), or rather, were connected. When the peers try to connect to the hub, the VPN tunnel simply collapses in Phase 1. Nothing has changed with the ISP, the necessary ports are still open.

I have already replaced the firewall that serves as the hub. I have deactivated all Site-to-Site VPN settings and tried to set up a new network, without success. I am at a loss.

The only connection that could have caused the problems is a change in the internet connection at one of the locations. Exactly at the time when I reconfigured the gateway at one location from one internet connection to another, all VPN tunnels collapsed. Can a change in the public IP at one of the peers cause the entire VPN network to collapse? Strangely, locations that were not previously part of the VPN network can be added cleanly and establish a connection. Only the existing locations that were connected at the time of the change refuse to establish a tunnel.

Is there anything I can do to get the locations to reconnect?

Thanks for help!

Zyxel_Judy

Hi @GGSD_IT ,

To better support you, could you please share the following information:

• Which firewalls (hub) were used before and after the replacement? Tell us the organization and site name as well.
• Which firewall (spoke) had its internet connection changed, causing all VPN tunnels to collapse? Tell us the organization and site name as well.
• Are all 17 locations using Zyxel firewalls within the same Nebula organization?

By the way, please follow the instruction to enable Zyxel support for our checking.

GGSD_IT

Hello @Zyxel_Judy,

Regarding your questions:

• All locations are part of the same organization, "Gemeinnützige Gesellschaft für soziale Dienste -DAA- mbH". At 15 of the 17 locations, we are using an NSG 50, and at the other two, a USG Flex 100.
• As hub, we are using the USG Flex 100, which was also replaced with the same model. The firewall is located at the site "Nürnberg HV Roritzer - Schulnetz".
• The firewall (spoke), which is now connected to a new internet connection, is located at the site "Nürnberg LW - Schulnetz".
  
  I have granted the invite Zyxel support as administrator.

GGSD_IT

@Zyxel_Judy

I seem to have found a solution, although it is very labor-intensive. Somehow, the firewalls in the Nebula Cloud got "stuck," at least concerning the VPN. At one location, I deleted the firewall from the cloud, reset it, re-added it to the cloud, and reconfigured it. After that, the VPN connection worked again without any issues. I would now have to do this at all the remaining 15 locations, which unfortunately means a lot of effort. Is there perhaps another solution without having to drive hundreds of kilometers to each location? And what worries me is, what to do if the problem occurs again in a few months?

Zyxel_Judy

Hi @GGSD_IT ,

We've been reviewing your Nebula organization and sites, and we'll update you if we find any issues.

At one location, I deleted the firewall from the cloud, reset it, re-added it to the cloud, and reconfigured it. After that, the VPN connection worked again without any issues.

Regarding your workaround solution: when you remove a device from the Nebula organization, it will automatically reset to its factory default configuration. There's no need to press the physical reset button.