Multiple S2S VPNs with AWS can't be established after internet break
-
Hi @Zyxel_Can
Not working... We had a power breakdown yesterday, and after that some tunnels were established for a while, and after a few seconds the connectivity check decided that the tunnels were dead and began negotiation again.
I have 3 redundant tunnels (6 in total) to AWS and about 20 users in a remote office (L2TP over IPSec). What I noticed: when I don't have remote users and I simulate an internet/power breakdown, all tunnels establish really quickly, but when I have remote users and they try to connect to the office after an internet/power breakdown, the S2S tunnels can't establish. When some of them are established, after a few seconds the connectivity check decides that the previously established tunnel is dead again.
Yesterday I changed the connectivity check settings from:
icmp period 5 timeout 3 fail-tolerance 2
to
icmp period 7 timeout 5 fail-tolerance 5
Now I am waiting for the next internet/power breakdown during working hours.
-
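To see what the change of connectivity check settings above actually buys, here is an added example (not from this thread or from Zyxel's firmware) that models the check; it assumes the firewall sends one ICMP probe per `period` seconds, waits `timeout` seconds for a reply, and declares the tunnel dead after `fail-tolerance` consecutive unanswered probes.

```python
"""Constructed model of an ICMP connectivity check with period / timeout /
fail-tolerance knobs. Assumption: a tunnel is declared dead once
`fail_tolerance` consecutive probes go unanswered."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnCheck:
    period: int          # seconds between probes
    timeout: int         # seconds to wait for a reply to one probe
    fail_tolerance: int  # consecutive failures before declaring dead

    def worst_case_dead_after(self) -> int:
        """Seconds from the first lost probe until the tunnel is declared dead."""
        return (self.fail_tolerance - 1) * self.period + self.timeout

    def first_dead_at(self, probe_results):
        """Index of the probe that triggers 'dead', or None if it never does.
        probe_results is a sequence of True (reply) / False (no reply)."""
        failures = 0
        for i, ok in enumerate(probe_results):
            failures = 0 if ok else failures + 1
            if failures >= self.fail_tolerance:
                return i
        return None


# The two settings quoted in the post above.
OLD = ConnCheck(period=5, timeout=3, fail_tolerance=2)
NEW = ConnCheck(period=7, timeout=5, fail_tolerance=5)

# Constructed probe trace: the tunnel comes up, then three probes in a row go
# unanswered while the peer is still converging, then replies resume.
TRACE = [True, True, False, False, False, True, True, True]


def compare(trace=TRACE):
    """Which probe (if any) each setting would declare the tunnel dead on."""
    return {name: cfg.first_dead_at(trace) for name, cfg in (("old", OLD), ("new", NEW))}


if __name__ == "__main__":
    for name, cfg in (("old", OLD), ("new", NEW)):
        print(f"{name}: dead after {cfg.worst_case_dead_after()}s of silence, "
              f"trace -> dead at probe {cfg.first_dead_at(TRACE)}")
```

With the old values a tunnel is torn down after about 8 seconds of silence, with the new ones only after about 33 seconds, which is why a short convergence hiccup right after establishment no longer triggers a re-negotiation.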
Hi @Zyxel_Can
I can't provide you access to my router.
DPD timeout action is set to: clear (default)
I will send you Thursday's logs by PM.
-
Hi @Wojtas,
Thank you for your feedback.
Please change your AWS's DPD timeout action to "Restart".
Here are the actions for DPD timeout in AWS settings as you mentioned before:
DPD timeout action:
Clear: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
None: Take no action when DPD timeout occurs
Restart: Restart the IKE session when DPD timeout occurs
Also, please provide me the AWS and USG devices' VPN logs when this symptom happens.
-
OK, I will change it.
-
Hi @Zyxel_Can
Last Thursday I had the issue again. When the AWS side had been set to Restart, the tunnels couldn't stabilize. I changed them back to Clear and after that they stabilized. I don't know where the problem is. This week I will upgrade my USG to the latest version, released at the end of May.
-
Hi @Wojtas,
Thank you for your feedback.
You can obtain the latest forum release firmware from the following link and observe if everything is going well:
https://community.zyxel.com/en/discussion/10639/zld-v4-62-wk14-firmware-release#latest
-
Hi @Zyxel_Can
After upgrading to V4.63(AAPI.0) nothing changed, but I have found something interesting. I wanted to test the IKEv2 VPN for remote users instead of L2TP/IPSec. I configured everything according to the instructions:
After that I connected my laptop with Windows 10 to shared WiFi from my mobile phone, and I connected to the USG with the IKEv2 protocol (negotiation was really quick, but the connection through the tunnel was slower than the connection via L2TP, in my opinion). Next I installed the strongSwan application on my mobile phone, configured the connection with IKEv2, and when I clicked "connect", all VPN tunnels between the USG and AWS went down. Tell me why?!? Here is what I found:
Public IP of my mobile was: 5.173.121.215
Here is a screenshot of the VPN Gateway configurations:
and here is a screenshot from the log file:
Why did my mobile phone disconnect the GW of another tunnel?
-
Hi @Wojtas,
Thank you for your feedback.
In order to figure out the problem, please provide the following information to me by private message:
Can you provide me your VPN topology with subnets and IP addresses on it? (AWS Tunnels, USG210's IP addresses and USG110's IP addresses)
Please also include your Windows PC and Android phone's IP addresses as well as the L2TP connection to the USG device in your topology drawing.