1-1 NAT randomly stops working (Cloudflare BOVPN)
I was tasked with setting up 2 virtual interfaces that connect to Cloudflare's VPN for a financial institution. I got the configuration from Cloudflare, and got the tunnels up and running. I created 1:1 NAT rules that function in the tunnel and all of that works great. I can ping the web server across the tunnel and RDP to it no problem. The second interface is only for redundancy, and in that Virtual Interface configuration the route has a metric of 2.
The strange thing is, some hosts can't load the HTTPS web portal for that same server. You can ping, RDP, even connect over HTTP, but HTTPS will not function for half the internal hosts. After banging my head against the wall, I learned that if I change or update the 1:1 NAT rule, every host will be able to access the site... for a while. After a few hours, the problem hosts become problems again, and will not resolve the site on a browser (though again ping and RDP still work fine).
Does anyone have any idea why I would see this behavior? I never see denied packets in the firewall. Thank you for any insight, I'm going crazy.
Comments
Try changing the Global setting, Networking section, TCP MTU Probing from Disabled to "Always enabled", and see if that helps.
Define Firebox Global Settings
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html
Also, try this:
On the external interface, in the Advanced section, change the Don't Fragment (DF) bit Setting for IPSec from Copy to Clear
Thank you for the advice! Changes are made. I'll monitor it through the weekend and see if it improves. For my own growth, if you have the time, could you explain why those changes might improve the connection?
This is a change to help with MTU issues related to packets going via a BOVPN.
Since we don't know the real reason for what you see, this is just to try to eliminate one possible cause.
In the past, WG support has suggested these changes when there were problems with HTTPS sites which were being accessed via a BOVPN.
From the docs:
TCP MTU Probing
When you enable this global option, the Firebox can automatically change the size of its data packets to make sure that PMTU discovery succeeds and to avoid reduced performance caused by fragmentation.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/global_setting_define_c.html
Set the DF Bit for IPSec
The Don't Fragment (DF) bit is a flag in the header of a packet. You can select Copy, Set, or Clear to control whether the Firebox uses the original DF bit setting in the packet header.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/df_bit_set_c.html
And, if you haven't done so already, consider opening a support case if the above changes don't help.
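Why a full-size packet can die inside the tunnel while ping and RDP keep working, as an added example that is not part of this thread or of any WatchGuard code: the Python below models the ESP tunnel-mode overhead (header, IV, padding, trailer and ICV per RFC 4303/4106) and the gateway's Don't-Fragment decision under the Copy, Set and Clear settings. The cipher parameters, the 1500-byte outer MTU and the per-flow packet sizes are assumptions chosen for illustration, not values taken from the poster's Firebox or from Cloudflare's configuration.

```python
"""Added example: model the IPsec (ESP tunnel mode) size penalty and the
PMTUD black hole it creates for full-size inner packets with DF set.
All cipher overheads and sample flows below are assumptions for illustration."""

from dataclasses import dataclass

IPV4_HDR = 20
UDP_HDR = 8          # only present with NAT-T (UDP/4500) encapsulation
ESP_SPI_SEQ = 8      # ESP header: SPI (4 bytes) + sequence number (4 bytes)
TCP_HDR = 20


@dataclass(frozen=True)
class EspCipher:
    name: str
    iv_len: int      # IV bytes carried in the ESP payload
    block: int       # plaintext alignment: 4 for AES-GCM (RFC 4106), 16 for AES-CBC
    icv_len: int     # integrity check value length


# Assumed cipher suites (typical IKEv2/ESP proposals, not read from any config)
AES256_GCM = EspCipher("aes256-gcm", iv_len=8, block=4, icv_len=16)
AES256_CBC_SHA256 = EspCipher("aes256-cbc+hmac-sha256-128", iv_len=16, block=16, icv_len=16)


def esp_tunnel_size(inner_len, cipher, nat_t=False):
    """Outer IPv4 packet length for an inner packet of inner_len bytes in ESP tunnel mode."""
    # ESP trailer = padding + pad-length (1) + next-header (1); pad so the
    # plaintext (inner + 2 trailer bytes) is a multiple of the cipher alignment.
    pad = (-(inner_len + 2)) % cipher.block
    esp = ESP_SPI_SEQ + cipher.iv_len + inner_len + pad + 2 + cipher.icv_len
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + esp


def max_inner_len(outer_mtu, cipher, nat_t=False):
    """Largest inner packet whose ESP encapsulation still fits in outer_mtu (tunnel PMTU)."""
    n = outer_mtu
    while esp_tunnel_size(n, cipher, nat_t) > outer_mtu:
        n -= 1
    return n


def tcp_mss_clamp(outer_mtu, cipher, nat_t=False):
    """TCP MSS that guarantees every segment fits the tunnel without fragmentation."""
    return max_inner_len(outer_mtu, cipher, nat_t) - IPV4_HDR - TCP_HDR


@dataclass(frozen=True)
class Packet:
    flow: str
    length: int      # inner IPv4 packet length
    df: bool         # inner Don't-Fragment bit


def tunnel_forward(pkt, outer_mtu, cipher, df_mode, nat_t=False):
    """Gateway decision for one inner packet.

    df_mode 'copy': outer DF mirrors the inner DF bit (Firebox default).
    df_mode 'set':  outer DF always set.
    df_mode 'clear': outer DF always cleared, so oversized ESP packets are fragmented.
    """
    if esp_tunnel_size(pkt.length, cipher, nat_t) <= outer_mtu:
        return "forwarded"
    outer_df = {"copy": pkt.df, "set": True, "clear": False}[df_mode]
    if outer_df:
        # The gateway must drop and send ICMP Fragmentation Needed. If that ICMP
        # is filtered anywhere on the path, the sender never learns the smaller
        # MTU and keeps retransmitting the same full-size segment: a PMTUD black hole.
        return "dropped"
    return "fragmented"


def simulate(packets, outer_mtu, cipher, df_mode, nat_t=False):
    """Map each sample flow to the gateway's verdict."""
    return {p.flow: tunnel_forward(p, outer_mtu, cipher, df_mode, nat_t) for p in packets}


# Constructed sample flows (sizes are assumptions): ICMP echo and RDP traffic are
# small; a TLS handshake carrying a certificate chain fills full-MSS segments,
# which modern stacks send with DF set for path MTU discovery.
SAMPLE_FLOWS = [
    Packet("ping", 84, df=False),
    Packet("rdp", 600, df=True),
    Packet("tls-certificate", 1500, df=True),
    Packet("big-ping-no-df", 1500, df=False),
]

if __name__ == "__main__":
    for cipher in (AES256_GCM, AES256_CBC_SHA256):
        print(f"{cipher.name}: 1500-byte inner -> {esp_tunnel_size(1500, cipher)} bytes outer,"
              f" tunnel PMTU {max_inner_len(1500, cipher)}, MSS clamp {tcp_mss_clamp(1500, cipher)}")
    for mode in ("copy", "set", "clear"):
        print(mode, simulate(SAMPLE_FLOWS, 1500, AES256_GCM, mode))
```

Under the default Copy setting the model reproduces the symptom in the thread: small ping and RDP packets fit inside the tunnel, but the 1500-byte TLS segment with DF set is dropped, and if the ICMP Fragmentation Needed message never reaches the client the HTTPS session stalls. Clear lets the encrypted packet be fragmented instead. Fragmenting costs performance, so the cleaner long-term fix is to make sure the path MTU is learned (TCP MTU probing, unfiltered ICMP type 3 code 4) or to clamp the TCP MSS to the value `tcp_mss_clamp` computes for the cipher actually negotiated.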
Will do. Thank you for the time and support. Greatly appreciated.