topic Re: S2S VTI tunnel problems with vpn accel on in General Topics

S2S VTI tunnel problems with vpn accel on

dphonovation — Thu, 19 Jan 2023 20:03:25 GMT

I'm trying to setup a Site2Site tunnel and it seems "half" working.

For now I'll only troubleshoot one side of the connection:

The remote side is 10.40.171.0/26

Local side is: 10.30.171.0/26

10.40.171.5 can wget a http page on 10.30.171.62 but cannot ping it.

My firewall which has the directional matching for this site2site is allowing all and I can see the ping coming in. And tcpdump on 10.30.171.62 also sees it, but the reply doesn't seem to come back to 10.40.171.5

However, if I turn off vpn accel (vpn accel off) - it works. And I'm not sure why.

Re: S2S VTI tunnel problems with vpn accel on

the_rock — Thu, 19 Jan 2023 20:13:03 GMT

I dont know for sure if regular VPN debugs would help when that feature is off, but TAC case might be worth it to confirm. Maybe do comparison of vpnd.elg file when it works and when it fails.

Re: S2S VTI tunnel problems with vpn accel on

PhoneBoy — Thu, 19 Jan 2023 21:35:38 GMT

If disabling SecureXL "solves" an issue, the TAC needs to be involved.
However, I suspect the directional match may be the issue (or at least related).

Re: S2S VTI tunnel problems with vpn accel on

the_rock — Thu, 19 Jan 2023 22:31:48 GMT

He mentioned vpn accel off, but not sure if that changes the situation...

Re: S2S VTI tunnel problems with vpn accel on

PhoneBoy — Thu, 19 Jan 2023 22:59:10 GMT

Yeah, it's still effectively disabling SecureXL (albeit for VPN traffic).

Re: S2S VTI tunnel problems with vpn accel on

the_rock — Fri, 20 Jan 2023 00:50:28 GMT

Ah, I see what you mean.