Secondary WAN drops all VPN tunnels with status change
Setup:
Site HQ - TZ470
X1 - Comcast Fiber, static IP 1.1.1.1 (IP used for example)
X3 - Comcast Copper, static IP 2.2.2.2 (IP used for example)
Remote Sites:
8 different firewalls, SOHOs, SOHO 250s
Dynamic IPs
Configuration:
X1 and X3 are in a WAN failover group with basic failover and X1 set as the top priority.
All remote sites have an aggressive-mode IPSEC VPN back to HQ. In the VPN configurations at the remote sites, the primary IP is 1.1.1.1 and the secondary is 2.2.2.2.
The tunnels were all established over 1.1.1.1.
Issue:
While all the remote tunnels are connected back to HQ over the X1 IP of 1.1.1.1, if we power cycle the modem that feeds X3 on the HQ TZ470, it drops all the VPN tunnels, even though not a single VPN is connected over X3. No traffic is passing over X3; however, if we power cycle it or disable the X3 interface, it drops all the tunnels, and they re-establish on the same X1 IP they were originally connected to.
The X3 coax circuit is unstable and will drop several times a week, and each time it drops all of our VPN tunnels even though the primary X1 is up, stable, and working. This makes no sense, because the X3 IP is listed as the secondary IP in the VPN settings on the remote sites.
Any suggestions would be appreciated!
Answers
What's your firmware version on the TZ470, the latest? What troubleshooting have you done? Are the VPN tunnels on the TZ470 set to use a specific interface (VPN Policy \ Advanced \ VPN policy bound to)? Aggressive mode is not recommended due to known vulnerabilities.
I'll have to double-check the TZ, it might be one version behind now. The tunnels are all bound to the WAN zone and not a specific interface. The remote sites are using aggressive mode because other than HQ, all the remote sites have dynamic public addresses...
You can use IKEv1 Main or IKEv2 for firewalls with ISP-provided DHCP. Use Dynamic DNS. Set specific IKE IDs.
Aggressive mode should be avoided. I wonder if the issue you are describing (a secondary WAN interface drop causes IKE/IPSec connections on the primary WAN interface to re-establish) is due to Aggressive mode. What do the logs say about the re-establishment of the tunnels?
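One way to answer the "what do the logs say" question is to correlate interface status changes with tunnel teardown and re-establishment events over a time window, so that drops caused by an X3 state change can be separated from drops that happen on their own. The script below is an added example, not from the original thread or from SonicWall; the log lines it parses are constructed in a simplified key=value layout for illustration and are not SonicWall's real syslog format, so the parser would need adapting to the export you actually pull from the TZ470.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (illustrative layout, NOT SonicWall's syslog format).
# Two sites drop right after an X3 link_down and come back on the X1 IP; a third
# site drops later with no interface event nearby.
SAMPLE_LOG = """\
2024-03-04 10:15:02 iface=X3 event=link_down
2024-03-04 10:15:03 vpn=Site01 event=tunnel_down local=1.1.1.1
2024-03-04 10:15:03 vpn=Site02 event=tunnel_down local=1.1.1.1
2024-03-04 10:15:20 vpn=Site01 event=tunnel_up local=1.1.1.1
2024-03-04 10:15:22 vpn=Site02 event=tunnel_up local=1.1.1.1
2024-03-04 10:40:00 iface=X3 event=link_up
2024-03-04 11:00:00 vpn=Site03 event=tunnel_down local=1.1.1.1
2024-03-04 11:00:15 vpn=Site03 event=tunnel_up local=1.1.1.1
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_events(text):
    """Turn each timestamped line into (datetime, {key: value}); skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        events.append((ts, fields))
    return events


def correlate(text, iface="X3", window_s=30):
    """For each status change on `iface`, list the tunnels that dropped within
    `window_s` seconds afterwards and the local IP each one re-established on.
    Tunnel drops that fall inside no window are reported as uncorrelated."""
    events = parse_events(text)
    window = timedelta(seconds=window_s)
    iface_changes = [(ts, f) for ts, f in events if f.get("iface") == iface]
    drops = [(ts, f) for ts, f in events if f.get("event") == "tunnel_down"]
    ups = [(ts, f) for ts, f in events if f.get("event") == "tunnel_up"]

    def first_up_after(peer, when):
        # Local IP on the first tunnel_up for this peer at or after `when`.
        for ts, f in ups:
            if f.get("vpn") == peer and ts >= when:
                return f.get("local")
        return None

    correlated, explained = [], set()
    for ts, f in iface_changes:
        hits = [i for i, (d_ts, _) in enumerate(drops) if ts <= d_ts <= ts + window]
        explained.update(hits)
        correlated.append({
            "at": ts.isoformat(sep=" "),
            "iface_event": f.get("event"),
            "dropped": [drops[i][1]["vpn"] for i in hits],
            "reestablished_on": {
                drops[i][1]["vpn"]: first_up_after(drops[i][1]["vpn"], drops[i][0])
                for i in hits
            },
        })
    uncorrelated = [d_f["vpn"] for i, (_, d_f) in enumerate(drops) if i not in explained]
    return {"correlated": correlated, "uncorrelated_drops": uncorrelated}


if __name__ == "__main__":
    report = correlate(SAMPLE_LOG)
    for change in report["correlated"]:
        print(f'{change["at"]} {change["iface_event"]}: dropped {change["dropped"]} '
              f'-> back on {change["reestablished_on"]}')
    print("drops with no nearby interface event:", report["uncorrelated_drops"])
```

Run over a real export, a run of tunnel_down entries landing in the seconds after every X3 link_down, with each tunnel coming back on the X1 address, would support the idea that the failover group's status change is what tears the tunnels down rather than anything on the X3 path itself; drops that show up in the uncorrelated list point at a different cause.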
I looked through a million log entries but I didn't capture any... I'll grab a few tonight when I simulate a fail-over.
I'll try flipping a site over to IKEv2 tonight and compare the results... if changing those to IKEv2 fixes it, that would be fantastic...
Do you have a good KB to reference for IKEv2 setup with one site being static and one site being dynamic? 7th Gen at HQ and SOHOs on 5.9 at the remote sites...
Web searching is your friend...
I set the tunnels up last night with IKEv2, and it made no change... I did upgrade the firmware of the 7th gen device to the latest version and it seemed to fix the issue of the X3 interface dropping the tunnels... I toggled it on and off about 30 times last night... however, during the day today, the customer called with a down status again on all the tunnels... I hopped in remotely and saw the interface showed down and the tunnels were dropped, and the X3 interface probe showed offline... everything reconnected a short time later.
Tonight after hours, I went in and disabled the X3 interface again, on and off, and on and off, and it never dropped the tunnels once!!!! Frustrating, to say the least...
I was going to flip them over to the tunnel interface, but the majority of the remote sites are SOHOs running 5.9... it seems like much more configuration to make the tunnel interface work with 5.9 vs. 6.5.
We are going to run the site tomorrow with X3 disabled and see what results present themselves.