Anypoint VPN Maintenance
As part of the required regular maintenance, and to maintain good security hygiene, MuleSoft upgrades the infrastructure and configuration to power your VPN connectivity.
For any integrations or flows that require connectivity to your on-premises or other external platforms, VPN is key to this connectivity. Updating an Anypoint VPN that is not set up with at least a pair of tunnels using BGP routing experiences a downtime. See Anypoint VPN High Availability for more information.
To account for this, MuleSoft provides an update button that enables you to take this update during your own Maintenance Window.
The update button shows next to any Anypoint VPNs that has an update pending in the VPN lists page, and in the VPN detail page.
Click the Update button to update the underlying Anypoint VPN to the latest and most secure version. This action also restarts the Anypoint VPN tunnels associated with your VPN device.
Self-update your Anypoint VPNs before our automatic update to reduce the impact on your affected applications. See Anypoint VPN Updates Release Notes for a schedule of the automatic updates.
Mule applications that use Anypoint VPN connectivity are impacted during the maintenance period. However, the impact on the Anypoint VPN varies depending on the VPN configuration:
An Anypoint VPN with at least one pair of tunnels configured with BGP routing and DPD (Dead Peer Detection) to reset the tunnels when triggered incurs minimal downtime. The switchover takes a few seconds. See this article for an explanation of DPD and VPN.
An Anypoint VPN tunnel pair configured with Static routing incurs some downtime before reconnection. The reconnection takes longer if you do not have an automated failover mechanism to detect failed tunnels.
For an Anypoint VPN configured without BGP routing or a failover mechanism or with only one tunnel configured, the outage is up to 60 minutes long while the update occurs and the original tunnel comes back up.
These are some of the possible issues you may encounter during the update:
If the tunnels are not back up within 10-15 minutes after initiating an update, try restarting your end of the tunnels to bring them back up.
If your VPN is configured with static routing, try generating 'interesting' traffic towards the Anypoint VPN to bring up the VPN. See How to Generate Interesting Traffic for Anypoint VPN for more information.
If there is no traffic over the VPN tunnel, it goes down due to inactivity. Generate interesting traffic, or alternatively set Anypoint VPN to be the initiator. See How to Enable Initiator Mode and Change DPD Action in Anypoint VPN for more information.
To maintain a reliable tunnel operation after the upgrade, ensure that IKEv2 Phase 1 and Phase 2 lifetimes are set as described in the documentation:
IKE Phase 1 lifetime: 28000 seconds
IKE Phase 2 lifetime: 3000 second
Perform the upgrade of your non-production Anypoint VPNs first and ensure the tunnel is up, then plan for upgrading your Production Anypoint VPNs.
|AWS documentation states 28800 seconds for IKE Phase 1 lifetime, and 3600 seconds for IKE Phase 2 lifetime. MuleSoft recommends the 28000/3000 combination for your firewall device to timeout first and control the rekey process.|
If you are using Azure VPN, ensure that PFS is enabled and adjust lifetimes for Phase 2. For more information, see:
To prevent VPN update errors, update only one VPN at a time. Updating multiple VPNs at once can cause the call to fail, requiring you to manually reset the update flag.
Anypoint VPN enters into asymmetric model after an update if the AS paths for the two tunnels of the same VPN are different. See Anypoint VPN with BGP Routing Enters Asymmetric Mode after Upgrade for more information.
Ensure your DPD settings are correctly configured. See Seeing IPsec DPD Failures in VPN Logs for more information.
For other issues with Anypoint VPN not particularly related to the update itself, see the general troubleshooting documentation.