IPSec Site-to-Site VPN Local Subnet Becomes Unreachable due to Inactivity

Hello,

I'm experiencing the exact same problem as the guy in this (sadly locked) thread:

IPSec Site-to-Site VPN Local Subnet Becomes Unreachable due to Inactivity

As the thread ends with him contacting support and no real solution, I was wondering if someone knows the answer to this problem?

(Or some support technician could look up the solution from the case the guy opened.)

Best Regards
Rob



Added TAGs
[edited by: emmosophos at 6:48 PM (GMT -7) on 11 Apr 2024]
  • So the old case was resolved but could not be reproduced by the customer anymore. So to speak, the issue stopped occurring.

    Do you have any kind of logs from today to reproduce this? 


  • @Ex4,

    If I refer to the topology below that you might be using, it's highly unlikely that SSLVPN RA users will gain access to the far-end IPsec gateway's local subnet after flapping the IPsec tunnel. IPsec SAs built for the SSLVPN virtual IP pool (it will be the local subnet on SFOS1 and the remote subnet on the IPsec GW) vis-a-vis the far end's local subnets have no bearing on the idle timeout of SSLVPN RA.

    SSLVPN RA user----------------SFOS1<-------s2s policy based IPsec tunnel------->IPsec GW-----local subnet-----

    Idle timeout is configured on SFOS1, which is acting as the SSLVPN RA server (this also happens to be the IPsec gateway). The default value of the idle timeout is 15 minutes in the SSLVPN global settings, and if an idle timeout is configured at the policy level it overrides the value configured in the global settings. On lapse of the idle timeout, the SSLVPN RA user (the idle timeout is conveyed by SFOS to the RA user during RA tunnel bring-up) triggers a tunnel disconnect with SFOS. The RA client should re-establish the RA connection to regain access to the local subnet of the far-end IPsec GW.

    When the SSLVPN RA disconnects after the idle timeout, whether the RA user is still present or not can be verified on SFOS under Current activities - Live users or Remote users.

    If there is no need to disconnect the SSLVPN RA, because RA clients seldom need connectivity to the far-end IPsec GW LAN, the idle timeout can be disabled in the SSLVPN global settings (and at the SSLVPN policy level, if present); then see if this problem of the SSLVPN RA client being unable to reach the far-end IPsec gateway's LAN gets addressed.

    It is always advised to give more information, like the SFOS version, complete details about the SSLVPN (global settings, SSLVPN policy-level settings), and IPsec configs (IKEv1 or v2, policy-based VPN or route-based, policy details, routes if any, firewall rules, etc.), as this helps us to understand the configs.

  • Hey, just in case anyone stumbles upon this post: I found the solution.

    In the general settings of the IPsec tunnel, the "connection type" has to be switched to "Tunnel interface" instead of "Site-to-site".