Multiple S2S VPNs with AWS can't established after internet break
Hi,
I have a strange issue with USG110 and USG210. I have two locations, one with 210 and one with 110, each of them has 6 S2S VPN connections to AWS (IKE2, AES256 and DH18 in both phases), everything works fine till we get some troubles with internet connection. If internet connection will break for a while the tunnels can't establish again. I have to login to USG, deactivate all VTI, and activate them one by one. (SA Lifetimes are default, and the same for all tunnels).
What can I do to solve the issue? Why can't tunnels be established by itself?
I have a strange issue with USG110 and USG210. I have two locations, one with 210 and one with 110, each of them has 6 S2S VPN connections to AWS (IKE2, AES256 and DH18 in both phases), everything works fine till we get some troubles with internet connection. If internet connection will break for a while the tunnels can't establish again. I have to login to USG, deactivate all VTI, and activate them one by one. (SA Lifetimes are default, and the same for all tunnels).
What can I do to solve the issue? Why can't tunnels be established by itself?
0
All Replies
-
What the logs on your USGs are saying?Did you enabled DPD detection on both sides (AWS and USGs)?Is any of your tunnel checking connectivity?Which side is "calling" and which one is "waiting"?0
-
I don't see a DPD option for IKEv2 in Zyxel (only for IKEv1).
All tunnels have connectivity checks enabled.
After internet break AWS is initiator, in logs I found:Just now I disabled IKEv1 and all weaker encryption algorithms to reduce negotiation time in AWS.
Recv Main Mode request from [<AWS IP>]
Do you think that it could been the reason (AWS sent a Main Mode request (IKEv1), but USG had configured IKEv2 only)?
0 -
It hard to say, I am waiting for next internet break down but for now it looking promissly0
-
The problem occurs again just now. I found in logs that DPD is closing the connection even when tunnels are established for a while.
I need to use IKEv2 for S2S vpn but in USG devices there are no possibilities to configure DPD behavior and timeouts. I found that the default timeout for USG is 15 seconds and default behavior is clear (shuts down the IKE SA).
But I can configure DPD in AWS, and options are:
Dead peer detection (DPD) timeout: The duration, in seconds, after which DPD timeout occurs. You can specify 30 or higher. Default: 30
DPD timeout action:<u>Clear</u>
: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)<u>None</u>
: Take no action when DPD timeout occurs<u>Restart</u>
: Restart the IKE session when DPD timeout occursDefault:
Startup action: The action to take when establishing the tunnel for a VPN connection. You can specify the following:<u>Clear</u><br>
<br><u>Start</u>
: AWS initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.<u>Add</u>
: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.Default:
<u>Add</u>
<u><br></u>
Maybe I should chnage DPD Timeout action to restart, what do you thhing? I don't understend why USG get PEER is dead?!?
0 -
I'd suggest you to use restart, if you're willing to try.
0 -
I already changed it, and now I am waiting for maintenance windows to simulate internet break.0
-
Hi @Zyxel_Can
Really sorry for the late answer. I checked and I had connectivity echeck enabled, but the Nailed-Up option was disabled. I enabled it just now..0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight