Hey guys,
Apologies if I posted this in the wrong place, but since it's related to a change on the management object, I figured it's correct; it affected VPN tunnels though, so an admin can move it if needed.
Anyhow, this was the situation. The customer originally had the mgmt object hide NAT'd behind the gateway (in this case their cluster) and this worked fine. Then we introduced a new gateway (also CP) and we had issues pushing SIC to it, so what we had to do was get it connected to the same mgmt server and create a manual NAT rule with src = the new FW's external IP, dst = an IP from the external /27 subnet, and translated dst = the internal IP of the mgmt server. This let us establish SIC and push policy.
Now, here comes the interesting part. When we created a VPN community between the main data center cluster and this new CP 6200 FW, as soon as we pushed policy, SIC would break and the policy push would fail after 10 mins.
To mitigate this, though we knew VPN would never work this way, we created an interoperable object with the same external IP and VPN domain as the new 6200 FW and put that in the community, and that let us apply policy.
After opening a TAC case, we were told to actually change the NAT on mgmt to static, statically NAT it to an unused IP from the external /27 range, and check the option for "control connections". This actually did bring up the new VPN tunnel fine, BUT it appears it broke remote access from our end to the customer.
We tried changing the mgmt NAT back to the original cluster IP, but by mistake, rather than putting it as hide NAT, we left it as static NAT with the original cluster VIP, which broke an additional 2 VPN tunnels. We reverted back, but still had the same issues for about 36 hours or so, and then it appears the tunnels came back. TAC did some testing when it was broken and told us that maybe there was a NAT entry stuck in the connections table, so we would need to clear the connections table on both members, but that might not be needed now.
Here are my questions, and I hope someone can confirm this 100%.
1) Is it SUPPORTED to configure the mgmt object as static NAT to the cluster external VIP?
2) Would a config like that break VPN tunnels, and if so, why did only 2 tunnels go down rather than all of them?
3) Why did reverting this to the original state we had when TAC gave us the suggestion not fix the VPN tunnels?
4) Why would this also break remote access VPN?
5) The "control connections" option for mgmt NAT: is that ONLY used for VPN connections, or something else as well?
I'm sorry, I know it's a long post, but I want to know all these things for my own sanity :-). In all my 15 years dealing with CP, I had seen 4 customers use this setting for NATting the mgmt server; it's not something commonly used at all.
Thanks as always!