Hi all,
Shall we start this new thread with the looks and feels of XG v18 MR-3?
community.sophos.com/.../xg-firewall-v18-mr3
Hi Carlos,
We will try to reproduce the problem in our lab. In the meantime, could you please upload the config of the HO and BO here? Or if you could share access to your device, we will debug the issue.
On the remote firewall, check the routes with route -e and, on the advanced console, with console> system ipsec_route show
We have a case open where the routes into the tunnel are not visible and the XG does not know that the network is behind the ipsec0 virtual interface, although in the Web GUI under Diagnostics - Route lookup it lists the correct gateway.
This is unlikely to be caused by the routing precedence. Instead, the policies of the IPsec routes are a. deleted or b. the SA is dead.
Hence the XG will use the routing precedence.
I would expect that the VPN SA dies somehow. That's a fairly frequently seen issue if there are problems with the tunnel itself.
__________________________________________________________________________________________________________________
Hi LHerzog.
Thanks for the reply. I just checked system ipsec_route show and the information is not visible.
But just for information, we have devices running v18 MR1 with the same related configs,
IPsec + SD-WAN rules, and it is working as expected. But checking it now, I cannot see the IPsec routes there either.
regards
Carlos
Those cish ipsec_routes are "manually configured routes", not the basic SA routes.
Please check the #ipsec status.
__________________________________________________________________________________________________________________
Hi LuCar Toni, thanks for the reply.
I believe that the IPsec routes are not deleted, because the problem does not happen with the whole network, only with some hosts.
E.g. Host 1 from the BO has this problem while Host 2 from the BO continues to use the VPN without problems.
At the moment I have disabled the SD-WAN rule and the problem does not seem to happen. I'm still trying to identify the cause.
Regards
Carlos
Please open another thread to keep the visibility here.
Feel free to delete your comments here.
__________________________________________________________________________________________________________________
Had the same problem on an XG210 HW v3, had to revert to MR1-396.
Intermittent ping replies between the LAN/DMZ/VPN zones. Active Directory replication got very strange and a DAG Exchange cluster failed, with the server behind the XG210 being considered offline.
The other 2 appliances on different hardware don't seem to be affected, but I restored everything to MR1-396 and suddenly all services started working well.