Google CloudVPN doesn't activate the SA when GKE packets are sent to an OnPrem SVC

10/13/2017

I have a project with a custom mode VPC network, a CloudVPN (IKEv2 with static routes) in an EU region and a GKE cluster in an AU region. Here is the CloudVPN configuration:

CloudVPN Tunnel configuration

My OnPrem VPN endpoint is a Cisco ASA 9.1. The tunnel goes RUNNING on the CloudVPN side and on the ASA the following SA is UP (I can't understand why only 10.128.0.0/255.128.0.0):

  local ident (addr/mask/prot/port): (10.128.0.0/255.128.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.144.0.16/255.255.255.240/0/0)

I have configured kube-dns with an OnPrem DNS (reachable over the VPN), but if I try to resolve an OnPrem service I am not able to.

I see the UDP packet exit from the GKE node, I have the route to the VPN GW and the necessary FW rules, and I also see the ASA log about the ACL applied to the packet. But I don't see the CloudVPN/ASA trying to bring up the relative SA, nor the packet exiting from the ASA.

If I ping the GKE instance from the OnPrem DNS server, the relative VPN SA goes UP and, after that, my containers are able to resolve OnPrem services!

I can't understand this behaviour; does someone know how to solve this?

-- Davide Belloni
google-cloud-networking
google-cloud-platform
google-kubernetes-engine

0 Answers
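As an added troubleshooting example (not part of the post, and not Cisco or Google tooling), the script below parses the ASA `local ident` / `remote ident` lines quoted above into IPsec traffic selectors and checks whether a given source/destination pair falls inside any negotiated SA. A packet whose addresses lie outside every selector is not carried by the tunnel and will not trigger the SA; the packet addresses used below are constructed, and `10.56.0.10` is an assumed pod-range address, not taken from the post.

```python
import ipaddress
import re

# Constructed sample: the two ident lines from the ASA output quoted in the post.
ASA_SA_OUTPUT = """
  local ident (addr/mask/prot/port): (10.128.0.0/255.128.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.144.0.16/255.255.255.240/0/0)
"""

# Matches "<side> ident ... (<addr>/<mask>/<proto>/<port>)" as printed by
# "show crypto ipsec sa" (dotted netmask, not prefix length).
IDENT_RE = re.compile(
    r"(local|remote) ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)"
)


def parse_sa_selectors(text):
    """Return a list of (local_net, remote_net) pairs, one per SA.

    'local' is the side the ASA considers its own, 'remote' is the peer side;
    the script makes no assumption about which network is GCP or on-prem.
    """
    sas = []
    current = {}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        current[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if "local" in current and "remote" in current:
            sas.append((current["local"], current["remote"]))
            current = {}
    return sas


def covering_sa(sas, src, dst):
    """Index of the SA whose selectors cover a src->dst packet in either
    direction (local->remote or remote->local), or None if no SA covers it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (local, remote) in enumerate(sas):
        if (s in local and d in remote) or (s in remote and d in local):
            return i
    return None


def uncovered_flows(sas, flows):
    """Return the (src, dst) pairs that no negotiated SA would carry."""
    return [(src, dst) for src, dst in flows if covering_sa(sas, src, dst) is None]


if __name__ == "__main__":
    sas = parse_sa_selectors(ASA_SA_OUTPUT)
    flows = [("10.144.0.20", "10.128.5.5"),   # inside both selectors: carried
             ("10.56.0.10", "10.128.5.5")]    # assumed pod source: not carried
    for flow in uncovered_flows(sas, flows):
        print("no SA covers", flow)
```

Feed it the real `show crypto ipsec sa` output and the source address a pod actually uses (after any SNAT on the node) to see whether the DNS query even matches a selector; if it does not, the tunnel is never asked to carry it.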