Multiple S2S VPNs with AWS can't established after internet break

Wojtas

Hi, 

I have a strange issue with USG110 and USG210. I have two locations, one with 210 and one with 110, each of them has 6 S2S VPN connections to AWS (IKE2, AES256 and DH18 in both phases), everything works fine till we get some troubles with internet connection. If internet connection will break for a while the tunnels can't establish again. I have to login to USG, deactivate all VTI, and activate them one by one. (SA Lifetimes are default, and the same for all tunnels).

What can I do to solve the issue? Why can't tunnels be established by itself?

mMontana

What the logs on your USGs are saying?

Did you enabled DPD detection on both sides (AWS and USGs)?

Is any of your tunnel checking connectivity?

Which side is "calling" and which one is "waiting"?

Wojtas

I don't see a DPD option for IKEv2 in Zyxel (only for IKEv1).
All tunnels have connectivity checks enabled.
After internet break AWS is initiator, in logs I found:

 Recv Main Mode request from [<AWS IP>]

Just now I disabled IKEv1 and all weaker encryption algorithms to reduce negotiation time in AWS.

Do you think that it could been the reason (AWS sent a Main Mode request (IKEv1), but USG had configured IKEv2 only)?

Zyxel_Can

Hi @Wojtas,

After configuring IKEv2 for AWS VPN, does that symptom still exist?

Looks like after connection break AWS VPN wants to initiate using IKEv1 mode.

 

Best regards.

Wojtas

It hard to say, I am waiting for next internet break down but for now it looking promissly

Wojtas

The problem occurs again just now. I found in logs that DPD is closing the connection even when tunnels are established for a while. 

I need to use IKEv2 for S2S vpn but in USG devices there are no possibilities to configure DPD behavior and timeouts. I found that the default timeout for USG is 15 seconds and default behavior is clear (shuts down the IKE SA).

But I can configure DPD in AWS, and options are:

Dead peer detection (DPD) timeout: The duration, in seconds, after which DPD timeout occurs. You can specify 30 or higher. Default: 30

DPD timeout action:

<u>Clear</u>: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
<u>None</u>: Take no action when DPD timeout occurs
<u>Restart</u>: Restart the IKE session when DPD timeout occurs

Default: <u>Clear</u><br>

Startup action: The action to take when establishing the tunnel for a VPN connection. You can specify the following:
<br><u>Start</u>: AWS initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.
<u>Add</u>: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.

Default: <u>Add</u>

<u><br></u>

Maybe I should chnage DPD Timeout action to restart, what do you thhing? I don't understend why USG get PEER is dead?!?

mMontana

I'd suggest you to use restart, if you're willing to try.

Wojtas

I already changed it, and now I am waiting for maintenance windows to simulate internet break.

Zyxel_Can

Hi @Wojtas,

In our labs we tested that behavior, it automatically connects.

Can you make sure that you have checked Nailed-Up and Enable Connectivity Check checkboxes for your VPN connection?
Configuration > VPN > IPSec VPN > VPN Connection

Wojtas

Hi @Zyxel_Can

Really sorry for the late answer. I checked and I had connectivity echeck enabled, but the Nailed-Up option was disabled. I enabled it just now..

Zyxel_Can

Hi @Wojtas,

Does it work now?
Can tunnels establish again after enabling Nailed-Up?