S2S VTI tunnel problems with vpn accel on

dphonovation · ‎2023-01-19

I'm trying to setup a Site2Site tunnel and it seems "half" working.

For now I'll only troubleshoot one side of the connection:

The remote side is 10.40.171.0/26

Local side is: 10.30.171.0/26

10.40.171.5 can wget a http page on 10.30.171.62 but cannot ping it.

My firewall which has the directional matching for this site2site is allowing all and I can see the ping coming in. And tcpdump on 10.30.171.62 also sees it, but the reply doesn't seem to come back to 10.40.171.5

However, if I turn off vpn accel (vpn accel off) - it works. And I'm not sure why.

the_rock · ‎2023-01-19

I dont know for sure if regular VPN debugs would help when that feature is off, but TAC case might be worth it to confirm. Maybe do comparison of vpnd.elg file when it works and when it fails.

PhoneBoy · ‎2023-01-19

If disabling SecureXL "solves" an issue, the TAC needs to be involved.
However, I suspect the directional match may be the issue (or at least related).

the_rock · ‎2023-01-19

He mentioned vpn accel off, but not sure if that changes the situation...

PhoneBoy · ‎2023-01-19

Yeah, it's still effectively disabling SecureXL (albeit for VPN traffic).

the_rock · ‎2023-01-19

Ah, I see what you mean.

Are you a member of CheckMates?

S2S VTI tunnel problems with vpn accel on