USG110 - How to set up an automatic IPSec tunnel reconnection?

USG_User
USG_User Posts: 374  Master Member
5 Answers First Comment Friend Collector Sixth Anniversary
edited May 2022 in Security
Unfortunately it seems that threads, which are marked with "accepted answer" will not longer be noticed by Zyxel support. But anyway, then I start this new thread:

We still have the problem that a S2S IPSec tunnel keeps disconnected after the connectivity check failed and the tunnel has been switched-off. (BTW, the connectivity check is using an IP inside the opposite LAN, but not the opposite tunnel terminator interface, since this is not reacting to ping packets). It doesn't try to re-connect automatically.
But in a business environment where two branch offices have to be stay connected, we expect that s2s tunnels will be automatically reconnected, as soon as the connectivity check succeeds again (except the tunnel has been disconnected manually for whatever reason). Is this really not configurable in USG?

In case a failed connectivity check let a tunnel disconnecting in any case, what about implementing a tunnel without using a connectivity check. Any thoughts in this regard?

Further, we know that the USG is always supervising the real tunnel state (beside the connectivity test result), since the following symbol is showing it:


Is it possible to read out this state by a CLI command query? Unfortunately we didn't find any documented.

Accepted Solution

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    Answer ✓
    Hi @USG_User,
    We always recommend enable both settings.
    The Nailed-up used to prevent SA timeout.
    Connectivity checks which is used to detect whether the tunnel still up or not.
    Kevin

All Replies

  • PeterUK
    PeterUK Posts: 3,326  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    Have you enabled Nailed-Up in advance?


  • mMontana
    mMontana Posts: 1,380  Guru Member
    50 Answers 1000 Comments Friend Collector Fifth Anniversary
    Also... Nailed-UP should be enabled only on ONE side
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    Hi @USG_User
    As PeterUK,mMontana advice, Kindly check the Nailed-up have been enabled. 
    Thank you
    Kevin
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited May 2022
    Thanks guys,
    Wasn't aware of "Nailed-up" option until now. Was a little bit hidden in an "Advanced" sub menu. Now we got it activated and will see whether it helps.

    Do you know the influence of an activated Connectivity Check to the Nailed-up function? Normally, and without having nailed-up activated, a failed connectivity check would let the tunnel disconnecting without automatic re-connect. But the connectivity check gives us information via email in case of problems with the tunnel. Insofar we would like to keep it activated. Or is it working against the nailed-up function?

    Seems I have to study the manual again ...

  • Zyxel_Kevin
    Zyxel_Kevin Posts: 875  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 500 Comments
    Answer ✓
    Hi @USG_User,
    We always recommend enable both settings.
    The Nailed-up used to prevent SA timeout.
    Connectivity checks which is used to detect whether the tunnel still up or not.
    Kevin

  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    After a few days the "nailed-up" option works great and reconnect the tunnel after a failure. Thanks again for the hint - problem solved. :)

Security Highlight