topic Re: Azure to On-Prem VPN policy change while VPN is down in Firewall and Security Management

Azure to On-Prem VPN policy change while VPN is down

Graham1 — Thu, 28 Dec 2023 00:27:30 GMT

I am currently testing CloudGuard Network. Previously I have a working Site-2-Site VPN working to my on-premises 6700. Both were managed by the same Management server (again on-prem).

Today I unfortunately had to change the External IP of my 6700 due to ISP requirements.

I am seeing that the 6700 is still using the old external IP which of course is failing:
# tcpdump -nni any host 20.151.201.XX and port 4500 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
14:54:41.350998 IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x163), length 100 14:54:41.351001 ethertype IPv4, IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x163), length 100
14:54:41.550805 IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x164), length 100 14:54:41.550807 ethertype IPv4, IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x164), length 100
14:54:41.924931 IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x165), length 100 14:54:41.924933 ethertype IPv4, IP 64.114.54.YY.4500 > 20.151.201.XX.4500: UDP-encap: ESP(spi=0x03270274,seq=0x165), length 100

The only way I have fixed this previously is to push a new policy, which I can't do with the policy down.

My next thought is to attach a new temp public IP to the backend vnet, but I think the policy will block that too.
I do have a case open with Support, but thought I would try here as well.

Anything else I can try?

Re: Azure to On-Prem VPN policy change while VPN is down

Chris_Atkinson — Thu, 28 Dec 2023 03:14:10 GMT

If you are indeed testing I would suggest building the scenario so that Management traffic isn't via the VPN where possible.

Refer also sk104582.

Re: Azure to On-Prem VPN policy change while VPN is down

the_rock — Thu, 28 Dec 2023 05:09:37 GMT

Your last comment about backend vnet makes sense to me.

Best,

Andy

Re: Azure to On-Prem VPN policy change while VPN is down

PhoneBoy — Thu, 28 Dec 2023 17:35:12 GMT

Anytime you change the management IP (as the gateway sees it), you need to push a new policy.
On the gateway, you can do an fw unloadlocal, which unloads the existing security policy and should allow this.

Re: Azure to On-Prem VPN policy change while VPN is down

Graham1 — Thu, 28 Dec 2023 17:56:28 GMT

Thanks for the replies everyone. This was really strange one for me since I was seeing both ends of the VPN still trying to use the old IP of the on-prem GW, even though I updated the IPSEC VPN link selection (manual to external IP).

I spent some time with Support last night and they couldn't resolve the issue either and the next step was going to be upgrade from R81.10 take 66 to take 130. I did see that there are many VPN fixes in the versions between, but I only get yearly maintenance windows, unless emergencies occur.

I had pushed multiple polices for both ends since it is centrally managed, but no luck.

Finally the fix: remove GWs from the VPN community, install policy, re-add GWs to community and install policy again.

Re: Azure to On-Prem VPN policy change while VPN is down

the_rock — Thu, 28 Dec 2023 17:59:02 GMT

Odd you had to do that to fix the problem, but hey, as long as it works ; - )

Thanks for the update.

Best,

Andy