Operational Defect Database

BugZero found this defect 1664 days ago.

WatchGuard Technologies | kA10H000000g3qzSAA

Branch Office VPN to third-party endpoints fail after FireCluster failover

Last update date:

11/30/2022

Affected products: Firebox M200, M300, M270, M370, M470, M570, M670, M290, M390, M400, M500, M440

Affected releases: All (Fireware 12.x, 12.0.x, 12.1.x, 12.1, 12.1.1, 12.1.3, 12.10.x, 12.2.x, 12.3.x, 12.4.x)

Fixed releases: All

Description:

Issue

WatchGuard FireCluster devices that terminate a VPN tunnel to a third-party appliance might encounter tunnel failure after a FireCluster failover event. The tunnel fails on failover if the third-party endpoint does not accept gateway rekeys; this has been reported with Azure and Zscaler appliances. The current FireCluster VPN state sync between cluster members covers only the established Phase 2 portion of a negotiated VPN tunnel. This design ensures that VPN tunnels between two WatchGuard endpoints continue to work across FireCluster failover events.

Workaround/Solution

For Azure VPN configurations, use Firebox Cloud as the termination point. Otherwise, initiate a Phase 1 and Phase 2 VPN rekey from the current active cluster member to restart the VPN negotiation with the third-party VPN endpoint.


Status: Open
