Issues with BOVPN on M300 after upgrade to 12.5.x

After upgrading the Firebox (this is the second one I've tested on now) to 12.5 or later, the BOVPN Any policy seems to get screwed up in the process. I can see traffic going over the tunnel in Traffic Monitor, but nothing is working (except ICMP). Adding a Test Any-BOVPN to ANY policy above these policies fixes the issue. Has anyone else seen this?

Comments

  • James_Carson WatchGuard Representative

    Hi @Tyler_Fannon

    Please make sure that you don't have the "use policy based routing" or "use SD-WAN based routing" checkbox checked in your policy. Depending on what version you came from, that might have been improperly checked before.

    If it's still not working, I'd suggest opening a case with support (you can use the link at the top right of this page) and they can help by looking at your logs.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Ah ha! I think that may be it. Both M300s did have PBR enabled prior to the upgrade to 12.5 - great find!

  • James_Carson WatchGuard Representative

    Hi @Tyler_Fannon

    In the future, make sure you're only using PBR or SD-WAN on outbound policies. It's invalid to use it on inbound and BOVPN policies.

    When PBR was used, that checkbox was just ignored, but since SD-WAN has been added, it's possible to use some features of that on VPNs and other policies where PBR would not apply. The firewall has no way of knowing that you may have incorrectly marked this, so it simply copies the setting.

    Since you had this set in at least two different firewalls, I would suggest that you take a look at the policies on your other firewalls to ensure PBR is only set on OUTBOUND policies. If the policy is inbound or a VPN policy, that checkbox should be cleared. Newer versions of Fireware will actually prevent you from checking it on new VPN policies.

    Thank you.

    -James Carson
    WatchGuard Customer Support