Multiple S2S VPNs with AWS can't established after internet break

24

All Replies

  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Comment Friend Collector First Anniversary
    Hi @Zyxel_Can

    Not working... We had a power breakdown yesterday, and after that some tunnels were stabilized for a while, and after a few seconds the connectivity check decided that the tunnels is dead, and had begans negotiation again.

    I have 3 redundant tunnels (in sum 6) to AWS and about 20 users in a remote office (L2TP over IPSec). What I noticed... When I don't have remote users and I simulate internet/power breakdown all tunnels will establish really quickly, but when I have remote users and after internet/power breakdown they try to connect to the office, the S2S tunnels can't establish. When some of them are established after a few seconds connectivity check decides that the previously stabilized tunnel is dead again. 

    Yesterday I changed connective check settings from:

    icmp period 5 timeout 3 fail-tolerance 2

    To

    icmp period 7 timeout 5 fail-tolerance 5


    Now I am waiting for next internet/power breakdown during the working hours
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @Wojtas,

     

    Can you provide me remote admin access by private message?

     

    Also, what did you choose for AWS settings for “DPD timeout action”?

     

    Can you provide me VPN related logs for AWS and your USG210 and USG110 by private message?
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Comment Friend Collector First Anniversary
    Hi @Zyxel_Can

    I can't provide you access to my router.
    DPD timeout action is set to: clear (default)
    I will send you Thursday logs by pm.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @Wojtas,


    Thank you for your feedback.

    Please change your AWS’s DPD timeout action as “Restart”.

     

    Here are the actions for DPD timeout in AWS settings as you mentioned before:

     

    DPD timeout action:

    <u>Clear</u>: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)

    <u>None</u>: Take no action when DPD timeout occurs

    <u>Restart</u>: Restart the IKE session when DPD timeout occurs

     

    Since you have selected Clear it will stop the tunnel and will clear the routes. So please choose “Restart” for DPD timeout action.

    Also, please provide me the AWS and USG devices' VPN logs when this symptom happens.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Comment Friend Collector First Anniversary
    OK, I will change it.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Comment Friend Collector First Anniversary
    Hi @Zyxel_Can

    Last Thursday I had the issue again. When AWS side had been set to restart, the tunnels hadn't can stabilize. I had changed them back to Clear and after that, they had stabilizate.

    I don't know, where is the problem. In this week I will upgrade my USG to the latestes version, released in the end of May.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @Wojtas,

     

    Thank you for your feedback.

    You can obtain the latest forum release firmware the following link and observe if everything going well:

     

    https://community.zyxel.com/en/discussion/10639/zld-v4-62-wk14-firmware-release#latest


  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Comment Friend Collector First Anniversary
    Hi @Zyxel_Can


    After upgrading to V4.63(AAPI.0) nothing changed, but I have found something interesting. I wanted to test the IKEv2 VPN for remote users of L2TP/IPSec. I had configured everything regarding to the instruction:

    After that I connected my laptop with Windows 10 to shared WiFi from my mobile phone, and I connected to USG with IKEv2 protocol (Negotiation was really quick, but connection by tunnel was slower then connection by L2TP, in my opinion).

    Next I installed strongSwan application on my mobile phone, configured the connection with IKEv2, and when I clicked "connect", all VPN tunnels between USG and AWS went down. Tell me why?!?

    Here is what i found:

    Public IP of my mobile was: 5.173.121.215

    Here is screen with VPN Gateways configurations:



    and here is a screen from the log file:



    Why does my mobile phone disconnected GW of another tunnel?
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    25 Answers First Comment Friend Collector

    Hi @Wojtas,

     

    Thank you for your feedback.

    In order to figure out the problem, please provide the following information to me by private message:

     

    Can you provide me your VPN topology with subnets and IP addresses on it? (AWS Tunnels, USG210's IP addresses and USG110's IP addresses)

     

    Please also include your Windows PC and Android phone's IP addresses as well as the L2TP connection to the USG device in your topology drawing.

     

    Please also provide me USG210's log output(the USG device that Windows client connected to via L2TP VPN)
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    First Comment Friend Collector First Anniversary
    @Zyxel_Can

    I send you the message. 

Security Highlight