The OutSystems VPN service is fully automated and orchestrated, with a defined set of supported configurations.
After the VPN connection on your OutSystems Cloud is created, you receive a communication with the following relevant information:
- Identification of your new VPN Peer IP Address;
- OutSystems Cloud PaaS Range;
- Information regarding the required configuration of your internal DNS servers;
- A configuration file containing all the required information to configure the VPN on your Gateway.
After completing the initial configuration steps, if you experience instability with your VPN or it isn't working as expected, you may need to do some troubleshooting. This article aims to assist you in that process.
Establishing a stable connection
To establish a stable VPN connection with OutSystems Cloud PaaS you need to take the following into account:
Front-end servers and databases block ICMP requests. For security reasons this configuration can't be changed, so don't attempt to ping them directly; ping the DNS servers instead.
ICMP requests to your OutSystems Cloud internal DNS servers are allowed. You can use these IP addresses for keep-alive purposes and as the targets of your DNS queries (UDP 53), as explained in the Conditional Forwarder section of the VPN communication.
The full network range of your OutSystems Cloud PaaS must be whitelisted on your firewall to allow inbound traffic to your network.
OutSystems Cloud VPN is a “listener type” VPN: it listens for incoming traffic from your on-premises network and won't initiate traffic itself.
When no traffic crosses the tunnel, a mechanism called DPD (Dead Peer Detection) shuts the tunnels down after a specific timeout (currently 3600 seconds). A keep-alive mechanism (for example, regular pings to the DNS servers) prevents the tunnel from being closed.
OutSystems VPN supports only a single pair of Security Associations (SAs), one inbound and one outbound.
To avoid asymmetric routing issues, ensure that the two provided tunnels have different priorities (that is, one as primary and the other as failover). Having both tunnels established at the same time may cause routing issues.
If you have difficulty connecting from the OutSystems Platform to your internal network, review your firewall rules and routing configuration: OutSystems Cloud allows all outbound traffic, so the restriction is most likely on your side.
Traffic reaches the internal interfaces of the OutSystems Cloud infrastructure only if its origin is included in one of the routes configured in the Virtual Private Gateway; all other origins reach the OutSystems Platform on the public interfaces.
Naming resolution (DNS resolution)
To allow resolving the internal addresses of your OutSystems Cloud PaaS over the VPN, DNS servers are deployed when the VPN is created. Their IP addresses are communicated to you in the support case where the VPN is established.
To resolve those internal addresses from your side of the network, the DNS servers OutSystems provides must be configured as conditional forwarders on your own internal DNS servers.
The conditional forwarder configuration you need to apply is:
- DNS Servers: as detailed in the initial VPN configuration
- Protocol / Port: UDP 53
- Domain to be resolved: outsystemsenterprise.com
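As an added example (not from the OutSystems article), the BIND equivalent of the conditional forwarder above, plus a check that your internal resolver really hands the domain off to the OutSystems DNS servers over the VPN. The DNS server addresses and the hostname are placeholders; substitute the values from your VPN communication. dig is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the OutSystems article. Generates a BIND conditional
# forwarder for outsystemsenterprise.com and verifies that queries sent to your
# internal resolver are answered by the OutSystems DNS servers over the VPN.
# 10.0.0.2 and 10.0.0.3 are placeholders for the DNS server IPs you received.
OS_DNS="10.0.0.2 10.0.0.3"
FORWARD_DOMAIN="outsystemsenterprise.com"

# Emit the BIND zone stanza. 'forward only' is deliberate: with 'forward first'
# the resolver would fall back to public recursion whenever the forwarders are
# unreachable (VPN down, UDP/53 blocked) and hand out the public IPs of your
# environments, so traffic would silently leave the VPN instead of failing.
forward_zone_stanza() {
  _domain=$1; shift
  _list=""
  for _s in "$@"; do _list="$_list $_s;"; done
  printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {%s };\n};\n' \
    "$_domain" "$_list"
}

# Query the OutSystems DNS server directly (proves UDP/53 crosses the tunnel),
# then query your internal resolver (proves the conditional forwarder is in
# effect), and compare the two answers.
verify_forwarder() {
  _name=$1; _resolver=$2; _os_dns=$3
  _direct=$(dig +short +time=3 +tries=1 @"$_os_dns" "$_name" A | sort)
  _via=$(dig +short +time=3 +tries=1 @"$_resolver" "$_name" A | sort)
  if [ -z "$_direct" ]; then
    echo "no answer from $_os_dns: UDP/53 is not reaching the OutSystems DNS over the VPN (check routing/firewall)" >&2
    return 2
  fi
  if [ "$_direct" = "$_via" ]; then
    echo "OK: $_resolver forwards $_name to OutSystems DNS -> $_via"
  else
    echo "MISMATCH for $_name: direct=$_direct via $_resolver=$_via (conditional forwarder not in effect)" >&2
    return 1
  fi
}

# No arguments: print the stanza to paste into named.conf. With arguments:
#   sh forwarder.sh myenv.outsystemsenterprise.com <internal-resolver-ip> [os-dns-ip]
case $# in
  0) forward_zone_stanza "$FORWARD_DOMAIN" $OS_DNS ;;
  *) verify_forwarder "$1" "${2:-127.0.0.1}" "${3:-${OS_DNS%% *}}" ;;
esac
```

After adding the stanza, run `named-checkconf` and `rndc reload`, then run the verify mode from a host inside your network. A direct query that times out while your resolver still returns a public address means UDP/53 to the OutSystems DNS servers is blocked (check firewall and routing for the PaaS range) and the resolver is answering from public DNS rather than from the forwarder.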
Other troubleshooting topics
If, after all the required configurations have been made, the VPN tunnels are still unstable, review the following list of less common configurations that may cause issues. These are mostly minor misconfigurations that need small adjustments:
If more than one SA (Security Association) is being announced, the VPN connection won't be stable. Each time a new SA is announced an IPsec Phase 2 re-negotiation occurs, the old key is dropped and the tunnel drops while this happens.
If DPD is disabled on your gateway device, AWS won't receive replies to its DPD requests. Enable the DPD mechanism on your VPN gateway to keep the tunnels stable.
The recommended IPsec Phase 2 lifetime is 3600 seconds. If your device doesn't let you configure seconds, use 59 minutes, so that your gateway initiates the re-key before the 3600-second lifetime on the OutSystems side expires; this avoids issues with the lifetime key re-negotiation.
Why can’t I ping the front-end servers or databases?
The security rules only allow ICMP requests (that is: ping) to the DNS servers. All other servers inside the OutSystems Cloud PaaS won't reply to your ICMP requests.
How can I test connectivity?
You can test your connectivity to the OutSystems Cloud in several ways. The first is to confirm that ICMP requests (ping) to the DNS servers are answered.
The other way to test direct connectivity to an environment's internal IP is to open a TCP connection to one of its service ports with Telnet (or an equivalent tool such as nc). Telnet is a protocol that connects to remote computers (called hosts) over a TCP/IP network; a completed connection shows that routing and firewall rules allow the traffic, even though the host won't answer ping.
How can I know that I am using the VPN?
You can validate whether you are reaching the OutSystems Cloud infrastructure through the VPN by resolving your environment hostnames with nslookup. nslookup lets you inspect DNS records and query a specific name server; if the hostname resolves to a private IP inside your OutSystems Cloud PaaS range, your traffic goes through the VPN, whereas a public IP means the name was resolved by public DNS and the traffic reaches the platform on its public interfaces.
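The checks from the two questions above (ping the DNS servers, open a TCP connection to the environment, resolve the hostname and see whether the answer is a private address) as one added example script, not from the OutSystems article. It runs from a host on your on-premises network; the DNS server IP, PaaS range, hostname and port are placeholders to replace with the values from your VPN communication, and nc is assumed to be available as the Telnet equivalent.

```shell
#!/bin/sh
# Added example, not from the OutSystems article. Connectivity checks for an
# OutSystems Cloud VPN, to run from a host on your on-premises network.
# Every address below is a placeholder: use the DNS server IPs, PaaS range and
# environment hostname from your VPN communication.
OS_DNS=10.0.0.2                               # OutSystems internal DNS server (answers ICMP)
PAAS_RANGE=10.0.0.0/16                        # OutSystems Cloud PaaS private range
FRONTEND=myenv-dev.outsystemsenterprise.com   # an environment hostname
PORT=443                                      # a service port on the front-end

# Dotted quad -> 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
  IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP NETWORK/BITS -> exit status 0 when IP lies inside the range.
in_cidr() {
  _ip=$(ip_to_int "$1")
  _net=$(ip_to_int "${2%/*}")
  _bits=${2#*/}
  if [ "$_bits" -eq 0 ]; then _mask=0
  else _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF )); fi
  [ $(( _ip & _mask )) -eq $(( _net & _mask )) ]
}

# 1. ICMP: only the DNS servers answer ping, so this is the reachability test.
check_dns_ping() { ping -c 2 -W 2 "$1" >/dev/null 2>&1; }

# 2. TCP: the "Telnet" test; a completed handshake proves routing and firewall
#    rules allow traffic to the private IP, even though it never answers ping.
check_tcp() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

# 3. DNS: resolve through the system resolver (your internal DNS and its
#    conditional forwarder). nslookup gives the same answer interactively.
resolve_a() { getent ahostsv4 "$1" | awk '{ print $1; exit }'; }

run_checks() {
  if check_dns_ping "$OS_DNS"; then echo "ping $OS_DNS: OK"
  else echo "ping $OS_DNS: FAILED (routing or firewall to the PaaS range)"; fi

  _addr=$(resolve_a "$FRONTEND")
  if [ -z "$_addr" ]; then
    echo "$FRONTEND: does not resolve (conditional forwarder for outsystemsenterprise.com missing)"
    return 1
  elif in_cidr "$_addr" "$PAAS_RANGE"; then
    echo "$FRONTEND -> $_addr is inside $PAAS_RANGE: traffic uses the VPN"
  else
    echo "$FRONTEND -> $_addr is NOT inside $PAAS_RANGE: resolved publicly, the VPN is bypassed"
    return 1
  fi

  if check_tcp "$_addr" "$PORT"; then echo "tcp $_addr:$PORT: OK"
  else echo "tcp $_addr:$PORT: FAILED (check firewall/routing for the PaaS range)"; return 1; fi
}

# Run the checks only when invoked as: sh vpn-check.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

The order matters for diagnosis: ping failing points at routing or firewall rules for the whole PaaS range; ping working but the name resolving to a public address points at the conditional forwarder; both fine but the TCP connection failing points at a rule that allows the DNS servers but not the rest of the range (the reason the article asks you to allow the full range).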
How can I get the private IP address of the front-end servers?
You can check our documentation on how to obtain that information.
Why can't I ping the DNS servers?
As soon as the VPN is created, the two DNS servers become available for DNS queries and ICMP requests.
However, ensure that the servers are reachable from your internal network in terms of both firewall and routing (according to the rules you provided in the initial VPN setup). Your network team should be able to help you with this topic.
Why can't I connect to my environments using the hostnames?
If you can’t resolve the hostnames of your environments or databases, your internal DNS configuration isn't working properly.
You need to configure your internal DNS servers as detailed in the communication you received (that is, use the OutSystems internal DNS servers as conditional forwarders for the “outsystemsenterprise.com” domain). Your network team should be able to help you with this requirement.
Why is my VPN unstable?
If your VPN is unstable, one of the following is probably happening:
- Your VPN gateway device is announcing multiple SAs (Security Associations);
- Your IPsec Phase 2 lifetime isn't being re-negotiated in time;
- The DPD mechanism is shutting down the tunnel because no VPN traffic is generated and there is no other mechanism to keep the tunnel alive (for example, regular pings to the DNS servers).
Your network team should be able to help you with this issue.
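An added example, not from the OutSystems article, for the causes listed above and the same points in the "Other troubleshooting topics" list: on a Linux IPsec gateway that uses the kernel XFRM stack (strongSwan or Libreswan, an assumption) it counts the ESP Security Associations the kernel holds towards the OutSystems peer, and it provides the ping keep-alive that stops DPD from closing an idle tunnel. The peer and DNS addresses are placeholders, and the `ip xfrm state` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the OutSystems article. Assumes a Linux IPsec gateway
# (strongSwan/Libreswan on the kernel XFRM stack). Addresses are placeholders.
OS_PEER=203.0.113.10   # OutSystems VPN peer IP from your communication
OS_DNS=10.0.0.2        # OutSystems internal DNS server (the only hosts that answer ping)

# Count ESP SAs involving the peer in 'ip xfrm state' output read from stdin.
# Every (local subnet, remote subnet) pair or extra traffic selector in your
# gateway config creates its own inbound+outbound SA pair, so a healthy tunnel
# to OutSystems shows exactly 2. Counting per peer IP also keeps the second
# AWS tunnel (a different peer IP, which should be standby) out of the count.
# During a Phase 2 re-key you will briefly see 4 (old pair plus new pair);
# repeat the check a minute later before concluding that multiple SAs exist.
count_esp_sas() {
  awk -v peer="$1" '
    /^src /            { cur = ($2 == peer || $4 == peer) }
    cur && /proto esp/ { n++ }
    END                { print n + 0 }'
}

# Exit 0 when the kernel holds exactly one SA pair towards the peer.
single_sa_pair() {
  _n=$(ip xfrm state 2>/dev/null | count_esp_sas "$1")
  [ "$_n" -eq 2 ]
}

# Keep-alive: ping the DNS server well inside the 3600 s DPD timeout quoted in
# the article. Run it from cron on a host behind your gateway, for example:
#   */5 * * * * /usr/local/bin/osvpn-check.sh keepalive
keepalive() { ping -c 3 -W 2 "$1" >/dev/null 2>&1; }

# Constructed sample of 'ip xfrm state' output: two SA pairs (reqid 1 and
# reqid 2) towards the peer, i.e. the multiple-SA misconfiguration, plus one
# SA towards an unrelated peer.
SAMPLE_XFRM='src 198.51.100.5 dst 203.0.113.10
    proto esp spi 0x00000001 reqid 1 mode tunnel
src 203.0.113.10 dst 198.51.100.5
    proto esp spi 0x00000002 reqid 1 mode tunnel
src 198.51.100.5 dst 203.0.113.10
    proto esp spi 0x00000003 reqid 2 mode tunnel
src 203.0.113.10 dst 198.51.100.5
    proto esp spi 0x00000004 reqid 2 mode tunnel
src 198.51.100.5 dst 192.0.2.9
    proto esp spi 0x00000005 reqid 3 mode tunnel'

case ${1:-} in
  keepalive) keepalive "$OS_DNS" ;;
  check)
    if single_sa_pair "$OS_PEER"; then
      echo "one SA pair towards $OS_PEER: OK"
    else
      echo "unexpected number of ESP SAs towards $OS_PEER (expected 2); inspect: ip xfrm state"
      exit 1
    fi ;;
  demo) printf '%s\n' "$SAMPLE_XFRM" | count_esp_sas "$OS_PEER" ;;   # prints 4
esac
```

If the check reports more than one pair outside a re-key window, the usual fix is to summarise your local networks into a single subnet (or route the whole PaaS range through one traffic selector) so that the gateway negotiates one Phase 2 SA pair, as the article requires.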
Why do I need to allow the full Internal IP address range of my OutSystems Cloud on my firewall?
The private IPs of your Cloud infrastructure aren't static and can change over time.
To guarantee that connectivity isn't an issue in the future, our recommendation is to whitelist the full range. This ensures that your firewall allows any IP assigned to your assets.
Why can’t I connect to an external database from my OutSystems environments?
By default, OutSystems Cloud PaaS allows all outbound traffic.
If you can’t connect to an on-premises database (inside your VPN), check your firewall with your network team and validate that the inbound rules allow the full internal IP range of your OutSystems Virtual Private Cloud.
Still not working?
If the issue persists, contact OutSystems Support.
If you create a support ticket, make sure to include the current VPN configuration and any related error messages. A support engineer will help you troubleshoot your configuration and, if necessary, schedule a conference call.