topic Re: Something to keep in mind when VPN tunnel is down in Firewall and Security Management

Something to keep in mind when VPN tunnel is down

the_rock — Sun, 23 Feb 2025 14:48:41 GMT

Hey guys,

I know these settings in Guidbedit might not always be relevent, specially in newer versions, but I did come across few scenarios lately, in R81.20 as a matter of fact, where we had to go to guidbedit and set below values to false to get VPN tunnel to work:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

I sometimes also check this on the gateway, though this was only problem few times, so probably not a requirement, but also something to consider:

gateway object -> other -> connection persistence -> I always check keep all connections

Andy

Re: Something to keep in mind when VPN tunnel is down

kamilazat — Mon, 24 Feb 2025 06:56:13 GMT

Yes! And this can become a daunting issue when trying to set up a tunnel with 3rd party peers. And if you're unlucky enough, even some TAC engineers forget to think about it and a simple solution as this turns into a repeated debugging and messaging back and forth.

Or if you pay attention during your studies for CCTE, hopefully it won't become that big of an issue 🙂

Re: Something to keep in mind when VPN tunnel is down

the_rock — Mon, 24 Feb 2025 12:18:42 GMT

Well, its good those sort of things dont happen too often these days, but just something to keep in mind, as I mentioned. Thats why we share ideas on here, to help others out 🙂

Andy

Re: Something to keep in mind when VPN tunnel is down

CaseyB — Mon, 24 Feb 2025 15:52:17 GMT

Do you think these still come into play when using granular encryption domains?

Re: Something to keep in mind when VPN tunnel is down

the_rock — Mon, 24 Feb 2025 16:03:06 GMT

Hey @CaseyB

I can only speak from my own experience and here it is 🙂

Ever since R80 came out, I had never seen this issue with Azure, AWS or Fortinet, ONLY with Palo Alto and Cisco. Cant say if thats case with others, but thats what I had observed.

Andy

Re: Something to keep in mind when VPN tunnel is down

the_rock — Tue, 25 Feb 2025 02:36:33 GMT

One thing I also found from time to time, depending on 3rd party vendor, is that say even if ONLY subnets are involved, you still may need to select "per gateway" in tunnel management tab of the VPN community.

Andy

Re: Something to keep in mind when VPN tunnel is down

G_W_Albrecht — Tue, 25 Feb 2025 09:56:43 GMT

Sources:

sk108600: VPN Site-to-Site with 3rd party

sk101219: VPN features in R80.x and R81.x versions

sk144094: VPN tunnels with 3rd party peers fail because of mismatched IDs

Re: Something to keep in mind when VPN tunnel is down

the_rock — Tue, 25 Feb 2025 14:53:51 GMT

All great references @G_W_Albrecht

Re: Something to keep in mind when VPN tunnel is down

the_rock — Tue, 25 Feb 2025 14:56:33 GMT

Btw, that last sk, never seen it before, but ran the command in R82 and it worked.

Thank you!

Andy