Cannot Add Subnet to Address Group
I have configured a partially redundant IPsec VPN with two local links going to a single link, static IP server.
The two links are seen as dial-up on the remote FG.
I used the wizard to do all configs.
SDWAN is used to team the two WAN links.
I added via the CLI an interface monitor for the primary VPN tunnel so failover can happen.
Everything works as expected except for... on the dial-up side the wizard creates a remote address group for VPN subnets.
Try as I might, I cannot add another subnet as an address object into said group. The newly created address object is not shown in available addresses.
On the remote end I can add a subnet into the local address group for the VPN. Why does it work on this side? Is it because it's the server and not dial-up, or possibly the interface monitor has got something to do with it?
The only way for this to work on the dial-up side was to delete the config and use the wizard again and add all required subnets at config time so the group is created accordingly.
This doesn't help as I need to add and remove subnets as required.
The workaround in the meantime was to create another phase 2 SA with the required subnets, which I don't want to do each time.
I'm stumped, lost an entire day trying to work this out.
Please can someone help me out of this mess?
I'm not sure what configs and how much to post; I will be happy to do so when instructed.