[NEBULA] VPN Connectivity Check

Kiattikorn
Kiattikorn Posts: 12  Freshman Member
First Anniversary First Comment
edited April 2021 in Nebula

Dear Nebula Team,

We have designed VPN solution as following.

 

HQ > USG Series (VPN Server Role)

LAN IP: 192.168.1.1/24

 

BR1 > NSG100 (VPN Client Role)

LAN IP: 192.168.2.1/24

 

BR2 > NSG100 (VPN Client Role)

LAN IP: 192.168.3.1/24

 

After setup VPN and all site tunnel has already connected. But the tunnel uptime can be count to 180sec after that VPN tunnel will be disconnect and reconnect again.

I have to check configuration on NSG by CLI the connectivity IP is not correct.

“conn-check 192.168.1.0 method icmp period 60 timeout 10 fail-tolerance 3 action log”

We don’t have IP 192.168.0.0 in destination network and parameter of fail-tolerance set to 3 time that mean why NSG can reach tunnel uptime 180 secs (60 x3) then always start to reconnect.


The question is.

1.       How to solved this?

2.       Can you add connectivity feature setting on NCC?

Thank you.

 

Comments

  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @kiattikorn

    Could you kindly provide the screenshot of Non-Nebula VPN peer page to check with? :)

  • Kiattikorn
    Kiattikorn Posts: 12  Freshman Member
    First Anniversary First Comment
    Here you are.

  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @kiattikorn

    This screenshot is USG setting, and may I have the screenshot from NCC, like the below pic. Then I can check your Private subnet. =)


  • Kiattikorn
    Kiattikorn Posts: 12  Freshman Member
    First Anniversary First Comment

  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @kiattikorn

    In our current design, users need to input a reachable IP address in the Private subnet field (e.g: if IP on peer side is 192.168.1.254/24, please set Private Subnet to 192.168.1.254/24.), this IP will be used for ping check by the device.
  • Zyxel_Irene
    Zyxel_Irene Posts: 118  Zyxel Employee
    First Anniversary Friend Collector First Answer First Comment
    Hi @kiattikorn
    I hope everything is good on your side! :)
    I would like to move your post to Nebula Security Gateway session to let more users can know how to configure when they have the same symptoms! ;)

  • Kiattikorn
    Kiattikorn Posts: 12  Freshman Member
    First Anniversary First Comment
    Hi Irene,

    Thank you for you prompt respond.

Nebula Tips & Tricks