Every FQDN had its Expire cache by TTL disabled?

Options
PeterUK
PeterUK Posts: 4,272 image  Guru Member
250 Answers 2500 Comments Friend Collector Eighth Anniversary
edited November 12 in USG FLEX H Series

USG FLEX 700H V1.36(ABZI.0)

Some how over 400 FQDN had its Expire cache by TTL to disable so I'm thinking something nebula changed it?

Not that this is a problem its just I should be the one to change it.

So a backup config I have a copy the FQDN TTL back in

so like this is a snippet when it was fine

/ object address-object address "stickyadstv_com" "type" "fqdn" "*.stickyadstv.com" "expire_ttl" "true"
/ object address-object address "amazonaws_com" "type" "fqdn" "*.amazonaws.com" "expire_ttl" "false"
/ object address-object address "gstatic_com" "type" "fqdn" "*.gstatic.com" "expire_ttl" "true"

then

/ object address-object address "stickyadstv_com" "type" "fqdn" "*.stickyadstv.com"
/ object address-object address "amazonaws_com" "type" "fqdn" "*.amazonaws.com"
/ object address-object address "gstatic_com" "type" "fqdn" "*.gstatic.com"

You can see some how the true and false expire ttl got removed

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,263 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @PeterUK

    This is a side effect when disabling/enabling the manual link VPN entry. This is an unexpected behavior, and we are checking on this. I will update you once I get further information.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,272 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary

    Thanks for the reply

    Hmm…odd how something unrelated cold impact the other…I guess changing one thing like manual link VPN entry uploads the whole config changes from nebula?

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,263 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate
    https://community.zyxel.com/en/discussion/comment/81479#Comment_81479

    Yes. Please allow me to correct that this is not an unexpected behavior. When disable manual link VPN on Nebula, to ensure the configuration consistency and works, Nebula will push all configuration. And because currently the address object doesn't support "Expire cache by TTL", so the Nebula push the configuration with "Expire cache by TTL" disabled.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,272 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 14

    I think its the other way round when Nebula push the configuration without the 

    "expire_ttl"

    option for true or false its default is true but the local UI shows false but really its true which would explain why *.amazonaws.com was having a problem.

    so really if your going to do Nebula with local UI you really should include the config correctly or add all of the options local UI has to Nebula to avoid this from happening.

    Thanks

    strange things happen with doing trinary😉

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,263 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @PeterUK

    Yes, Nebula will have the Expire cache by TTL option for the FQDN objects in future release.

    ETA is about 2026 Q2. Please follow the Nebula release category for future support news.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,272 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary

    Great thanks

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)