MattElkington
Contributor

R80.40, SecureXL, VTI and Dynamic Routing

Has anyone run into issues using dynamic routing and VTIs post R80.10?

 

Last weekend I upgraded a customer firewall which was specifically used to terminate route based VPNs on.

 

6 VTIs configured, 4 numbered (2 for AWS, 2 for Azure), 2 unnumbered (other stuff).

Post R80.40 upgrade the unnumbered tunnels came up fine, but both the AWS and Azure ones did not. I could see outbound tunnels established, but nothing inbound. All of these tunnels are additionally using BGP.

Disabled SecureXL acceleration with "fwaccel off" and they leapt into life. Again, enabling SecureXL and then disabling vpn acceleration with "vpn accel off" also allowed traffic to flow.

Now there may be some other issues going on, in that further examination showed that some of the BGP config was mismatched on the cluster, but I don't think it was this, as when I rolled the R80.40 member back to R80.10 it all worked again.

I have arranged a new window next weekend to re-attempt, but has anyone else run across anything like this?  It feels a weird coincidence that the VTI tunnels using dynamic routing don't work with acceleration, but the others do.

 

I'm also getting the feeling that ISP redundancy may be a bit iffy under R80.40 as well, as again I have another customer where it doesn't work correctly with acceleration turned on.

0 Kudos
3 Replies
PhoneBoy
Admin

If disabling SecureXL solves a problem, the TAC should be involved.

0 Kudos
MattElkington
Contributor

I have a case open with TAC, but wanted to see if anyone had seen anything similar.

I just find it strange that only the VTIs using BGP required acceleration to be disabled, but the ones without didn't.

0 Kudos
Tobias_Absmann
Explorer

Hi Matt,

I don't know if this is still relevant for you but we are experiencing similar problems:
1 Numbered VTI with Policy-based-routing:

With SecureXL disabled everything works fine. With SecureXL enabled no traffic goes via the tunnel.
Our workaround right now is to disable SecureXL as it's only a very small office and the firewall can handle it easily without SecureXL, but as SecureXL can no longer be disabled persistently it's a problem after reboots (power outages are common there).

Were you able to fix your problem?

Best regards,
Tobias

0 Kudos
