SpeedFusion VPN stuck in Updating Routes

Hello,

We recently built a SpeedFusion VPN topology to connect remote branches to FusionHubs to provide Internet access with public static IPs on the Peplink LAN via pure Layer 3 tunnels. The setup uses:

2 x FusionHubs for redundant Internet access.
1 x FusionHub for secure remote management access only, via private IP space.
All FusionHubs are configured in IP forwarding mode.

The entire topology setup is working just fine. Failover is very quick and reliable.

However, during simulated failover tests we noticed that some tunnels change status from Established to Updating Routes on the remote branch side only, while on the FusionHub side all tunnels are always Established. Despite this, traffic continues to work normally after the failover and no routing conflicts are observed. There is no information in the logs that can point us to a possible issue. Once we reboot the router, all tunnels are in the Established state again.

In our LAB topology each branch is connected via two WAN interfaces: 1 x Broadband Internet and 1 x Starlink. The config is very basic, with no special settings. I’m attaching screenshots taken when the remote branch device is freshly rebooted, where all SpeedFusion VPN hubs are established, and 1 x screenshot where we simulate WAN failover (two hubs are stuck in Updating Routes). I’m also providing the SpeedFusion VPN config.

I would be very happy and would highly appreciate it if someone could help us find what might cause this issue. It may be just a cosmetic bug in the web GUI or a real issue, but in both cases we need assistance to find what caused it.






When you say that traffic is still flowing, you mean over the hubs in the stuck state?

If traffic is flowing then I expect it could just be a GUI bug and I would open a support ticket - as you have probably noticed the logging and debugging output is a bit limited for this kind of thing, but support can probably see a bit more info.

You included the config for the VPN profile on the Balance side; it might be interesting to see the config from the other way around, from each of the hubs.

The only setting you have enabled where I’ve sometimes seen odd behaviour is the “VPN route isolation”.

Is that applied consistently across all the hubs and tunnel profiles?

By default PepVPN likes to propagate routing info to all peers, which that setting influences. I’d double check whether there are any discrepancies or network advertisements being made that you don’t expect (I see you have redistribution off on the Balance; is that the same on all of the hubs?).

I’d also just add some caution to that setting: it is more of a route filter or route map than an actual isolation button - I would recommend always applying appropriate firewall rules on the hubs and endpoints to make sure that things really are isolated or only accessible from where you would want them to be.