Troubleshooting VPN Connectivity to a High Availability Secondary Node

If there is a VPN connection to a High Availability cluster (site-to-site or remote access/mobile), remote devices can often communicate with the active (primary) node but not with the backup (secondary) node, which appears unreachable over the VPN.

The reason for this is that the VPN is configured on both firewalls, but only the active node's instance of it is actually established. A packet from the remote client arrives on the primary over the tunnel that is up, is forwarded from the primary to the secondary over the LAN, and the secondary then routes its reply into its own copy of the VPN, which is down because that node is in backup state. The response never makes it back to the original client. The request and the reply take different paths, so this is a form of asymmetric routing.

To address this situation, configure Hybrid or Manual Outbound NAT and add rules so that the firewall performs NAT on traffic from the VPN subnet going to IP addresses on the secondary node, and vice versa. That way these connections appear to originate from the opposing firewall rather than from the VPN, so the return traffic comes back over the LAN as expected. Hybrid or Manual Outbound NAT is likely already enabled, since it is typically a requirement for HA using CARP VIPs.

For example, set the mode to Hybrid Outbound NAT and add an outbound NAT rule on the LAN interface. Configure the rule with the source set to the VPN subnet and the destination set to an alias containing the LAN IP addresses of both the primary and secondary nodes. Set the translation to Interface Address (NOT the CARP VIP!). Because the alias contains both node addresses, the same rule also covers the reverse case after a failover, when the secondary holds the VPN and the primary is the node that cannot be reached.

With the NAT rule present, traffic to the opposing node over the VPN appears to originate from the node to which the VPN is currently connected, and the return traffic comes back to that node over the LAN and then to the client over the established tunnel. Note that the opposing node now sees the connection coming from the active node's LAN interface address rather than from the VPN client, so its firewall rules and logs reflect that address instead of the client's VPN address.
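The following is an added example that models the path described above; it is not pfSense code and does not configure anything. It assumes a constructed topology (VPN tunnel network 10.8.0.0/24 with a client at 10.8.0.5, LAN 192.168.1.0/24 with the primary at .2 and the secondary at .3), gives both nodes a route for the tunnel network since both carry the VPN configuration, and marks only the active node's tunnel as established. It then traces a request from the client to the standby node and the standby's reply, with and without the outbound NAT rule, and also checks the failover case where the secondary is the active node.

```python
"""Model of the asymmetric VPN/HA path (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example (assumption, not from the page).
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CLIENT = ipaddress.ip_address("10.8.0.5")
NODE_LAN_IP = {
    "primary": ipaddress.ip_address("192.168.1.2"),
    "secondary": ipaddress.ip_address("192.168.1.3"),
}
# The alias from the text: LAN addresses of both nodes.
NODE_ALIAS = set(NODE_LAN_IP.values())


@dataclass
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class Node:
    def __init__(self, name, active):
        self.name = name
        self.lan_ip = NODE_LAN_IP[name]
        self.vpn_up = active  # only the active node has an established tunnel
        # Both nodes carry the VPN config, so both route VPN_NET into "vpn".
        self.routes = [(LAN_NET, "lan"), (VPN_NET, "vpn")]

    def egress(self, dst):
        """Longest-prefix-match route lookup; returns an interface name or None."""
        matches = [(net.prefixlen, ifname) for net, ifname in self.routes if dst in net]
        return max(matches)[1] if matches else None

    def outbound_nat(self, pkt, ifname, nat_enabled):
        """The outbound NAT rule from the text, applied on LAN egress:
        source in the VPN subnet, destination in the node alias,
        translation = LAN interface address (not the CARP VIP)."""
        if nat_enabled and ifname == "lan" and pkt.src in VPN_NET and pkt.dst in NODE_ALIAS:
            return Packet(self.lan_ip, pkt.dst)
        return pkt

    def send(self, pkt, nat_enabled):
        """Forward pkt; returns (interface, packet) or None if the path is unusable."""
        ifname = self.egress(pkt.dst)
        if ifname == "vpn" and not self.vpn_up:
            return None  # backup node: routed into its own tunnel, which is down
        return ifname, self.outbound_nat(pkt, ifname, nat_enabled)


def client_reaches_standby(active="primary", nat_enabled=False):
    """Does a VPN client get a reply from the node that is NOT holding the tunnel?"""
    standby = "secondary" if active == "primary" else "primary"
    act, stb = Node(active, True), Node(standby, False)

    # 1. Client -> standby: arrives on the active node over the tunnel, goes out LAN.
    fwd = act.send(Packet(CLIENT, stb.lan_ip), nat_enabled)
    if fwd is None or fwd[0] != "lan":
        return False
    request = fwd[1]

    # 2. The standby replies to whatever source address it saw.
    back = stb.send(Packet(stb.lan_ip, request.src), nat_enabled)
    if back is None:
        return False  # reply swallowed by the standby's own (down) VPN instance
    reply = back[1]

    # 3. A reply addressed to the active node is un-NATed there and sent over the live tunnel.
    if reply.dst == act.lan_ip:
        return act.send(Packet(stb.lan_ip, CLIENT), nat_enabled) is not None
    return reply.dst == CLIENT


if __name__ == "__main__":
    print("no NAT:            ", client_reaches_standby())                       # False
    print("NAT:               ", client_reaches_standby(nat_enabled=True))       # True
    print("NAT after failover:", client_reaches_standby("secondary", True))      # True
```

The model shows the mechanism rather than the pfSense GUI: without the rule, the standby's longest-prefix match sends the reply for 10.8.0.5 into its own tunnel and it is lost; with the rule, the standby replies to the active node's LAN address, which is on-link, and the active node returns it through the tunnel that is actually up.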