FLEX 200 VPN Failover

nielsscheldeman
nielsscheldeman Posts: 114 Ally Member

I have a client with 2 sites

Site A: ZyXEL FLEX 200 with dual WAN (2 different ISPs) enabled, both ISPs with static IP

LAN1: 192.168.25.0/24
VLAN13: 192.168.13.0/24

VPN Tunnels:

  • Local_LAN1<->Remote_LAN1 (S2S with static peer)
  • Local_VLAN13<->Remote_LAN1 (S2S with static peer)
  • Failover_Local_LAN1<->Remote_LAN1 (S2S with dynamic peer)
  • Failover_Local_VLAN13<->Remote_LAN1 (S2S with dynamic peer)

Site B: ZyXEL FLEX 200 with dual WAN (2 different ISPs) enabled, 1 ISP with static IP, the other WAN dynamic

LAN1: 10.0.0.0/24
VPN Tunnel:

  • Local_LAN1 <-> Remote_LAN1 (Peer gateway address primary and secondary configured)
  • Local_LAN1 <-> Remote_VLAN13 (Peer gateway address primary and secondary configured)

The internet failover works fine, and the VPN tunnel failover works fine too. However, when it fails over, the hosts still can't see the other side anymore, unless I add a routing rule with "Next-Hop" and insert the other tunnel as the Next Hop on Site A. I tried adding 2 routing rules and thought it would work through priority, but this doesn't work.

Or am I doing this completely wrong, and should I work with DynDNS or something like that and then only connect to those addresses?

Or should I enter 0.0.0.0 under "My Address" on both sides and then only insert the static addresses of the other side in "Peer gateway address"?

All Replies

  • PeterUK
    PeterUK Posts: 4,502 Guru Member
    edited May 13

    Yes, you should try both sides with "My Address" 0.0.0.0, because you have dual WAN, so if you use Interface you can only set one WAN.

    Do you have two tunnels with the same local policy and remote? That could be a problem where routing sticks to one tunnel.

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,536 Zyxel Employee
    edited May 19

    Hi @nielsscheldeman ,

    The internet failover works fine, and the VPN tunnel failover works fine too. However, when it fails over, the hosts still can't see the other side anymore, unless I add a routing rule with "Next-Hop" and insert the other tunnel as the Next Hop on Site A.

    Just to clarify — when you added a routing rule with the failover tunnel as the Next Hop on Site A, were the hosts on both sides able to communicate with each other successfully? If so, could you please provide the following:

    1. Routing Rule Details
    Please share the routing rule(s) you configured, including:

    • Source/Destination network (e.g. 192.168.25.0/24 → 10.0.0.0/24)
    • Next-Hop interface (which tunnel was selected)
    • Priority

    2. Diagnostic Files (without the routing rule)
    Please remove/disable the routing rule temporarily, then download the diagnostic file from both USG Flex 200 units.

    Zyxel_Judy

  • nielsscheldeman
    nielsscheldeman Posts: 114 Ally Member
    edited May 19

    I have now set "My Address" to 0.0.0.0 on both sides and entered both static addresses as the remote address on both firewalls. So no failover tunnel now, but with a secondary IP (and both sides nailed up).

    Client is currently testing this out, so we'll see :)

    @Zyxel_Judy: both sides were indeed able to communicate after I disabled the first routing rule on priority 1, where traffic passes through the first tunnel. It kept trying to use that tunnel even when it was offline. If I disabled that rule, all went well through the failover tunnel.
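
The behaviour the poster describes (a priority-1 policy route pinned to a tunnel keeps winning even after that tunnel goes down, so the priority-2 route to the failover tunnel never gets a chance) can be shown with a small route-selection model. The code below is an added example written for this thread; it is not Zyxel's code and does not describe how the FLEX 200 implements policy routing internally. The networks are the ones quoted in the thread, the tunnel names match the original post, and the functions, the two-route table, and the assumption that route selection is strictly by priority unless next-hop liveness is checked are hypothetical.

```python
"""Policy-route selection over two site-to-site tunnels (added example).

Models the Site A routing table from the thread: two routes for
192.168.25.0/24 -> 10.0.0.0/24, priority 1 via the primary tunnel and
priority 2 via the failover tunnel. Shows why priority alone does not
fail over when the router does not skip routes whose next hop is down.
Tunnel names are from the thread; everything else is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Tunnel:
    """A site-to-site VPN tunnel used as a policy-route next hop."""
    name: str
    up: bool = True


@dataclass
class PolicyRoute:
    """One policy route; a lower priority number wins, as in the thread."""
    priority: int
    source: str
    destination: str
    next_hop: Tunnel

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.destination))


def select_next_hop(routes: List[PolicyRoute], src_ip: str, dst_ip: str,
                    skip_down_next_hops: bool) -> Optional[str]:
    """Return the tunnel name chosen for a flow, or None if nothing matches.

    skip_down_next_hops=False reproduces the symptom from the thread: the
    priority-1 route is selected even though its tunnel is down, so the
    traffic is black-holed. skip_down_next_hops=True skips such routes and
    lets the priority-2 failover route take over.
    """
    for route in sorted(routes, key=lambda r: r.priority):
        if not route.matches(src_ip, dst_ip):
            continue
        if skip_down_next_hops and not route.next_hop.up:
            continue
        return route.next_hop.name
    return None


def stale_routes(routes: List[PolicyRoute]) -> List[int]:
    """Priorities of routes whose next-hop tunnel is down.

    This is the check an administrator wants after a failover: any route
    listed here is a black-hole candidate if the router keeps using it.
    """
    return [r.priority for r in routes if not r.next_hop.up]


def site_a_routes():
    """Constructed Site A table: primary route at priority 1, failover at 2."""
    primary = Tunnel("Local_LAN1<->Remote_LAN1")
    failover = Tunnel("Failover_Local_LAN1<->Remote_LAN1")
    routes = [
        PolicyRoute(1, "192.168.25.0/24", "10.0.0.0/24", primary),
        PolicyRoute(2, "192.168.25.0/24", "10.0.0.0/24", failover),
    ]
    return primary, failover, routes


def simulate_failover() -> Dict[str, object]:
    """Walk through the scenario: both tunnels up, then the primary fails."""
    primary, _failover, routes = site_a_routes()
    src, dst = "192.168.25.10", "10.0.0.20"  # constructed hosts on each LAN
    result: Dict[str, object] = {}
    result["both_up"] = select_next_hop(routes, src, dst, True)
    primary.up = False  # the primary ISP/tunnel at Site A goes down
    result["without_liveness_check"] = select_next_hop(routes, src, dst, False)
    result["with_liveness_check"] = select_next_hop(routes, src, dst, True)
    result["stale_priorities"] = stale_routes(routes)
    return result


if __name__ == "__main__":
    for key, value in simulate_failover().items():
        print(f"{key}: {value}")
```

Running it shows the difference between the two selection policies: without the liveness check the priority-1 route still wins after the primary tunnel drops, which is exactly the "kept trying to use that tunnel even when it was offline" symptom; with the check, the failover tunnel is chosen. `stale_routes()` is the diagnostic to run after a failover: a non-empty list on a router that does not skip dead next hops explains why only disabling the priority-1 rule restored connectivity.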