I am trying to create a Layer 2 PepVPN - something I have don 50-100 times before manually and am struggling.
Situation is a Balance One as a hub device and a Transit Duo as the remote. There was already a L3 VPN in place so I have added a subtunnel to that profile in IC2 and have gone to the Balance One and set that Subtunnel to be bridged to the local LAN segment in the typical way:
This is usually because you don’t have any empty “idle” speedfusion tunnels. All of your current ones have at least one Outbound Policy assigned to it.
Check the Transit’s outbound policy list and see if that SF sub tunnel is in any of the policies.
I feel like it’s a bug and I’ve hit the same wall before.
I haven’t taken the time when it’s happened to pick it a part to see what the issue is.
in addition to what Paul said.
I think, not positive that if you are attaching the L2 network untagged to a pepvpn with tunnels it doesn’t work.
You can only attach a vlan tagged network to a profile with multiple tunnels.
Try to remove extra tunnels and then try to connect it.
or try to create another network, with a vlan and then use access mode to the port to get access to the same L2, and connect an additional cable.
Yes, it doesn’t seem to be obvious… I just removed all of my Outbound policy rules, and it wouldn’t free up either of the 2 tunnels.
I added another SF tunnel and it was available. There is something that wants a new “clean” connection, so I delete the original SF tunnel and recreated it… then it was available for layer2.
So, either something is selected to need that SF tunnel… but we don’t know what, or it is a latent bug, but deleting the tunnel and re-creating seems to fix it.
And I didn’t read the name on the right at first… Martin, I think you told me how to get a clean tunnel for L2 in the first place… but I can replicate this issue, and if you want I can send in a ticket for my transit.
No, I don’t use that option for my SF rules… OSPF routing only and Priority or enforced individual rules to tunnel #2 only… So technically tunnel #1 should be available for L2.
I’m going to guess config rot… I used to have rules pointing to both tunnels… but I have moved all of them to tunnel #2. and to be sure I just I deleted them all… but something was still keeping those tunnels off the L2 list. delete the whole SF tunnel, then the cleanup code clears the rot.
I agree that is normally true. I killed all outbound policies with VPNs involved. Now I can see the other PepVPN that is configured (that goes to a Fusionhub) but neither the primary or subtunnel of the VPN profile that does from Transit to Balance One.
So annoying. which they were listed and greyed out with a reason instead of just missing from the drop down.
Logged a ticket #22020673@TK_Liew any chance you could take a look and work out what kind of idiot I’m being
@MartinLangmaid, I replied to you on the ticket. I think it is good to share the finding here also. Basically, you allow selecting sub-tunnel to bridge to a tagged VLAN only when you are running layer 2 and layer 3 SpeedFusion concurrently in a same SpeedFusion profile. This is the reason you can’t see the SpeedFusion profile with sub-tunnel from the Untagged LAN. If you add a tagged VLAN, you should be able to see the SpeedFusion profile with sub-tunnel.
So with a layer 3 VPN in place between the untagged networks, what I was trying to do was add a layer 2 VPN that would bridge a new VLAN at one end with the existing untagged network at the other end (that already had a layer 3 VPN attached). This isn’t possible (I think it causes a rip in the fabric of time and space when you try).
So what I have done is rip out the layer 3 VPN, replace it with a layer 2 and then built a new layer 3 VPN via a Fusionhub between a new VLAN on the balance one, This lets me maintain both L3 routing between the balance one (from a new vlan) and the transit (via a hub) whilst also bridging the two untagged networks over layer 2.
But. I still maintain that showing the VPN profiles in the drop down as disabled / greyed out with a reason why would have helped.
Hello @MartinLangmaid,
Interesting discovery. As someone who uses InControl2 extensively, it would be interesting to see how this plays out for profiles created via InContol2. We realise there are some features still getting refined for SpeedFusion in InControl2 so this may be why I’d not seen this issue yet.
Happy to Help,
Marcus
