VPN disconnects between USG-Flex 200 and Zywall USG-20
valerio_vanni
Posts: 91 Ally Member
in Security
Here is the topology:
- USG-Flex 200 has dual WAN, static IPs, and the VPN policy is "site-to-site with dynamic peer".
It now has the latest firmware, 5.31, but the issue was already there when I updated from 5.30.
- Zywall USG-20 has a single WAN, static IP (NATted, but with all ports forwarded from the upstream router), and the VPN gateway policy is "site to site" (the gateway peers are the other side's WAN interface addresses), with "fall back option" enabled.
It has had 3.30(BDQ.9) 2016-11-22 09:50:31 for a long time (it was the latest version I could find).
Up to about a month ago, everything worked. When it stopped, I hadn't made any configuration changes.
Now, after some hours, the tunnel goes down.
If I reboot the USG-Flex 200, nothing happens.
If I reboot the Zywall USG-20, the connection comes up. But after some hours it disconnects. If I go to the USG-20 and click "dial", it doesn't connect (timeout after 30 seconds). The only thing that works, besides a reboot, is to deactivate the VPN connection, save, enable it, save.
When it's disconnected, in the USG-20 I find (in a loop):
Send: [HASH][SA][NONCE][KE][ID][ID]
The cookie pair is: <long entry>
ISAKMP SA: VPN... is disconnected
And on the USG-Flex 200 (log viewer columns: #, Time, Priority, Category, Message, Source, Destination, Note; the # of the first entry was not captured):

#    Time                 Priority  Category  Message                                                                        Source         Destination     Note
     2022-08-24 00:30:09  info      IKE       Send:[KE][NONCE][PRV][PRV]                                                     185.*.*.*:500  82.*.*.*:500    IKE_LOG
657  2022-08-24 00:30:08  info      IKE       Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]                    185.*.*.*:500  82.*.*.*:500    IKE_LOG
658  2022-08-24 00:30:08  info      IKE       The cookie pair is : 0x05f902e6aa538e8f / 0xa951211954ab5b2c [count=2]        185.*.*.*:500  82.*.*.*:500    IKE_LOG
845  2022-08-24 00:28:33  info      IKE       [COOKIE] Invalid cookie, no sa found [count=4]                                 185.*.*.*:500  82.*.*.*:4500   IKE_LOG
846  2022-08-24 00:28:33  info      IKE       The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=4]        185.*.*.*:500  82.*.*.*:4500   IKE_LOG
871  2022-08-24 00:28:17  info      IKE       [COOKIE] Invalid cookie, no sa found                                           185.*.*.*:500  82.*.*.*:4500   IKE_LOG
872  2022-08-24 00:28:17  info      IKE       The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f                  185.*.*.*:500  82.*.*.*:4500   IKE_LOG
895  2022-08-24 00:28:01  info      IKE       [COOKIE] Invalid cookie, no sa found [count=5]                                 185.*.*.*:500  82.*.*.*:4500   IKE_LOG
896  2022-08-24 00:28:01  info      IKE       The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=5]        185.*.*.*:500  82.*.*.*:4500   IKE_LOG
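The Flex 200 excerpt above, worked through as an added example that is not part of the original post or of Zyxel's software: a small Python correlator that reads rows in the log viewer's column order, folds each "The cookie pair is" line into the IKE event it belongs to, sums the "[count=N]" repetitions per cookie pair, and reports which pair is being rejected with "no sa found" and whether the next Phase 1 start reuses it. Assumptions: the pipe-separated row layout and the sample rows are constructed from the posted entries (addresses masked as the poster masked them), and pairing a "cookie pair" line with the event that shares its timestamp and endpoints is an assumption about how the viewer emits those two lines.

```python
"""Correlate Zyxel IKE log rows to spot a stale ISAKMP (Phase 1) SA.

Added example, not code from the forum post or from Zyxel. Rows follow the
USG-Flex 200 log viewer columns quoted in the post, Time | Priority |
Category | Message | Source | Destination | Note, newest first.
"""
import re
from collections import defaultdict

# Constructed sample: the entries the poster quoted, addresses masked as posted.
SAMPLE_LOG = """\
2022-08-24 00:30:09|info|IKE|Send:[KE][NONCE][PRV][PRV]|185.*.*.*:500|82.*.*.*:500|IKE_LOG
2022-08-24 00:30:08|info|IKE|Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]|185.*.*.*:500|82.*.*.*:500|IKE_LOG
2022-08-24 00:30:08|info|IKE|The cookie pair is : 0x05f902e6aa538e8f / 0xa951211954ab5b2c [count=2]|185.*.*.*:500|82.*.*.*:500|IKE_LOG
2022-08-24 00:28:33|info|IKE|[COOKIE] Invalid cookie, no sa found [count=4]|185.*.*.*:500|82.*.*.*:4500|IKE_LOG
2022-08-24 00:28:33|info|IKE|The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=4]|185.*.*.*:500|82.*.*.*:4500|IKE_LOG
2022-08-24 00:28:17|info|IKE|[COOKIE] Invalid cookie, no sa found|185.*.*.*:500|82.*.*.*:4500|IKE_LOG
2022-08-24 00:28:17|info|IKE|The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f|185.*.*.*:500|82.*.*.*:4500|IKE_LOG
2022-08-24 00:28:01|info|IKE|[COOKIE] Invalid cookie, no sa found [count=5]|185.*.*.*:500|82.*.*.*:4500|IKE_LOG
2022-08-24 00:28:01|info|IKE|The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=5]|185.*.*.*:500|82.*.*.*:4500|IKE_LOG
"""

COOKIE_RE = re.compile(r"0x([0-9a-fA-F]{16}) / 0x([0-9a-fA-F]{16})")
COUNT_RE = re.compile(r"\s*\[count=(\d+)\]")


def parse_log(text):
    """Split viewer rows into dicts; '[count=N]' means N identical messages."""
    rows = []
    for line in text.strip().splitlines():
        time, prio, cat, msg, src, dst, note = line.split("|")
        m = COUNT_RE.search(msg)
        rows.append({"time": time, "priority": prio, "category": cat,
                     "message": COUNT_RE.sub("", msg),
                     "count": int(m.group(1)) if m else 1,
                     "src": src, "dst": dst, "note": note})
    return rows


def correlate(rows):
    """Attach each 'The cookie pair is' row to the event row sharing its
    timestamp and endpoints (assumed pairing rule) and return events oldest first."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["time"], r["src"], r["dst"])].append(r)
    events = []
    for _, group in sorted(groups.items()):  # ISO timestamps sort chronologically
        cookies = None
        for r in group:
            m = COOKIE_RE.search(r["message"])
            if m:
                cookies = (m.group(1).lower(), m.group(2).lower())
        for r in group:
            if not COOKIE_RE.search(r["message"]):
                r["cookies"] = cookies
                events.append(r)
    return events


def summarize(events):
    """Count 'no sa found' rejections per cookie pair and list Phase 1 starts."""
    rejected = {}
    starts = []
    for e in events:
        if "Invalid cookie" in e["message"]:
            rec = rejected.setdefault(e["cookies"], {"count": 0, "first": e["time"],
                                                     "last": e["time"],
                                                     "endpoints": (e["src"], e["dst"])})
            rec["count"] += e["count"]
            rec["last"] = e["time"]
        elif e["message"].startswith("Send:[SA]"):  # Main Mode message 1: SA (+ vendor IDs)
            starts.append({"time": e["time"], "cookies": e["cookies"],
                           "endpoints": (e["src"], e["dst"])})
    return rejected, starts


def report(text):
    """Human-readable findings for one log excerpt."""
    rejected, starts = summarize(correlate(parse_log(text)))
    out = []
    for cookies, rec in rejected.items():
        c = cookies or ("?", "?")
        nat_t = any(ep.endswith(":4500") for ep in rec["endpoints"])
        out.append(f"{rec['first']} .. {rec['last']}: {rec['count']} message(s) with cookies "
                   f"0x{c[0]}/0x{c[1]} rejected, no SA ({' <-> '.join(rec['endpoints'])}"
                   f"{', NAT-T port 4500' if nat_t else ''}): the sender still holds a "
                   "Phase 1 SA that this device does not")
    for s in starts:
        c = s["cookies"] or ("?", "?")
        verdict = ("fresh pair, stale SA not resumed" if s["cookies"] not in rejected
                   else "same pair as a rejected SA")
        out.append(f"{s['time']}: new Phase 1 (Main Mode message 1) with cookies "
                   f"0x{c[0]}/0x{c[1]} ({verdict})")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run on the posted excerpt it yields two findings: ten messages carrying cookies 0x93a1fd5733c545f8/0xfafb9ac9804c6a1f were rejected over port 4500 (NAT-T) between 00:28:01 and 00:28:33, and the next Phase 1 at 00:30:08 uses a different cookie pair. Read together with the USG-20 side's "Send: [HASH][SA][NONCE][KE][ID][ID]", which is the payload order of an IKEv1 Quick Mode message 1 (RFC 2409), the picture is a peer still sending Phase 2 traffic inside a Phase 1 SA that the other side has already dropped; the tunnel only recovers once a fresh Phase 1 replaces it, which is the kind of gap a short DPD interval or connectivity check is meant to close.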
All Replies
Hi @valerio_vanni
On the USG20, you can enable the "Nailed-Up" and "Connectivity Check" functions in the VPN Connection settings.
Then the USG20 will automatically dial up the VPN tunnel when the Connectivity Check fails.
Zyxel_Stanley said:
Hi @valerio_vanni
On the USG20, you can enable the "Nailed-Up" and "Connectivity Check" functions in the VPN Connection settings.
Then the USG20 will automatically dial up the VPN tunnel when the Connectivity Check fails.

It's already set this way, like it was when it was working.
1) May I assume NAT-Traversal is selected on one of the sides?
2) What is the rekey time on the gateway and on the connection?
3) How old is the Ethernet cable between the USG20 and the ISP router?
4) Does your ISP's router have a "firewall function"? How is port forwarding configured? A single rule for everything, or are specific ports forwarded?
mMontana said:
1) May I assume NAT-Traversal is selected on one of the sides?
2) What is the rekey time on the gateway and on the connection?
3) How old is the Ethernet cable between the USG20 and the ISP router?
4) Does your ISP's router have a "firewall function"? How is port forwarding configured? A single rule for everything, or are specific ports forwarded?

1) Yes
2) On the Zywall USG-20: Phase 1 and Phase 2 86400; on the USG-Flex 200: Phase 1 86400 and Phase 2 28800
3) I have no idea. I installed that firewall in 2021, and I'm pretty sure I didn't put crapware between the router and the firewall. A note: only the VPN tunnel goes down after some hours; I'm always able to log in remotely by SSH or HTTPS. If there's something really old, it's the Zywall USG-20 ;-)
4) It has a single rule that forwards everything to the firewall
Hi @valerio_vanni
Are there multiple "Server Role" VPN rules on the FLEX200?
If yes, we suggest configuring a "Local ID" on the USG20 (Phase 1 setting).
It can help the VPN service steer the traffic into the correct VPN tunnel when there are multiple dynamic VPN tunnels.
@valerio_vanni I'd lower the SA lifetime for all phases and devices to 28800.
mMontana said:
@valerio_vanni I'd lower the SA lifetime for all phases and devices to 28800.

I'll try.
The last two things I tried in the last few days, on the Zywall USG-20:
1) Reloaded the firmware (same version; there is nothing newer than 2016)
2) Reloaded a configuration file from many months ago, when everything worked.
But nothing changed.
Zyxel_Stanley said:
Hi @valerio_vanni
Are there multiple "Server Role" VPN rules on the FLEX200?
If yes, we suggest configuring a "Local ID" on the USG20 (Phase 1 setting).
It can help the VPN service steer the traffic into the correct VPN tunnel when there are multiple dynamic VPN tunnels.

There are 2 "server role" VPN connections on the Flex200, one for plain dynamic IPsec tunnels (for PCs) and the other for dynamic L2TP/IPsec tunnels (for Android phones). Both of them take "any" as the remote ID.
But the rule between the Flex200 and the Zywall USG-20 is a "site to site" one, not a "server role" one (in detail, "site to site" in the old USG-20 interface and "site to site with dynamic peer" in the newer Flex200 interface).
They have mirrored explicit settings (I don't put the real names because they contain company names, but it's something like: on the USG20, local=usg20.local / remote=flex200.local, and on the flex200, local=flex200.local / remote=usg20.local).
What's wrong with these mirrored settings, which worked for many months? I don't understand why this could lead traffic into the wrong VPN tunnel.
Was the ISP changed a month ago? Did you ask your ISP whether anything changed?