Anypoint VPN Maintenance
Anypoint VPN Update
MuleSoft Anypoint VPN is a managed service that is underpinned by AWS Site-to-Site VPN connections. Using a VPN is important for any integrations or flows that require connectivity to your on-premises or external platforms. Updating an Anypoint VPN that is not set up with at least a pair of tunnels that use BGP routing will cause downtime. See Anypoint VPN High Availability for more information.
After the October 2022 quarterly maintenance window, Anypoint VPN will no longer support quarterly customer self-upgrades. From this point forward, updates made to Anypoint VPN will adhere to AWS’s standard continuous upgrade process. Upgrades will be applied on-demand, with no published maintenance window schedule, no customer opt-in self-upgrade capabilities, with potential (limited) downtime for customers that do not have a High Availability (HA) VPN implementation.
Deploy a high-availability VPN solution to avoid any downtime associated with these AWS-delivered security updates. Review the following sections for recommendations and troubleshooting information.
Avoiding or Reducing Downtime During an On-demand Maintenance
Mule applications that use Anypoint VPN connectivity are impacted during an on-demand maintenance. The impact on the Anypoint VPN varies depending on the VPN configuration:
-
An Anypoint VPN with at least one pair of tunnels configured with BGP routing and DPD (Dead Peer Detection) to reset the tunnels when triggered incurs minimal downtime. The switchover takes a few seconds. See DPD (Dead Peer Detection) and Anypoint VPN (Virtual Private Networking) for an explanation of DPD and VPN.
-
An Anypoint VPN tunnel pair configured with static routing incurs some downtime before reconnection. The reconnection takes longer if you do not have an automated failover mechanism to detect failed tunnels.
-
For an Anypoint VPN configured without BGP routing or a failover mechanism or with only one tunnel configured, the outage is up to 60 minutes long while the update occurs and the original tunnel comes back up.
Troubleshoot Issues During an Anypoint VPN On-demand Maintenance
These are some of the possible issues you may encounter during an on-demand maintenance:
Tunnels Don’t Come Up
If the tunnels are not back up within 10-15 minutes at any point in time, try restarting your end of the tunnels to bring them back up.
If your VPN is configured with static routing, try generating "interesting traffic" (traffic that should be encrypted over the Anypoint VPN connection) towards the Anypoint VPN to bring up the VPN. See How to Generate Interesting Traffic for Anypoint VPN for more information.
Tunnel Goes Down Due to Inactivity
If there is no traffic over the VPN tunnel, the VPN goes down due to inactivity. In this case, generate interesting traffic. We recommend that you move towards BGP.
IKE Phase Lifetimes Mismatch
If You Use IKEv2:
To maintain a reliable tunnel operation after an on-demand maintenance, ensure that the IKEv2 Phase 1 and Phase 2 lifetimes are set as described in IPsec Settings:
-
IKE Phase 1 lifetime: 28000 seconds
-
IKE Phase 2 lifetime: 3000 second
| AWS documentation states 28800 seconds for the IKE Phase 1 lifetime, and 3600 seconds for the IKE Phase 2 lifetime. MuleSoft recommends the 28000/3000 combination for your firewall device to timeout first and control the rekey process. |
Anypoint VPN Goes Down Periodically Due to PFS not Enabled for IPsec Phase 2
If you use Azure VPN, ensure that PFS is enabled and adjust the lifetimes for Phase 2. For more information, see:
Anypoint VPN with BGP Routing Enters into Asymmetric Mode after an Update
Anypoint VPN enters into asymmetric mode after an on-demand maintenance if the AS paths for the two tunnels of the same VPN are different. See Anypoint VPN with BGP Routing Enters Asymmetric Mode after Upgrade for more information.
Seeing IPsec DPD Failures in VPN Logs
Ensure that your DPD settings are correctly configured. See Seeing IPsec DPD Failures in VPN Logs for more information.
Other issues
For other issues with Anypoint VPN, see Troubleshoot Anypoint VPN.