VPN disconnects between USG-Flex 200 and Zywall USG-20

valerio_vanni Posts: 91  Ally Member
I'll show the topology:

-USG-Flex 200 has dual wan, static ips, and vpn policy is "site-to-site with dynamic peer".
Now it has the latest firmware 5.31, but when I updated from 5.30 the issue was already there.

-Zywall USG-20 has single wan, static IP (natted but with all ports forwarded from the upstream router), and the vpn gateway policy is "site to site" (the gateway peers are the other side's wan interface addresses), "fall back option enable".

It has had 3.30(BDQ.9) 2016-11-22 09:50:31 for a long time (it was the latest version I had found).

Up to about a month ago, everything worked. And when it stopped I hadn't made any configuration changes.

Now after some hours the tunnel goes down.
If I reboot USG-Flex 200 nothing happens.

If I reboot Zywall USG-20, the connection goes up. But after some hours it disconnects. If I go on the USG-20 and click "dial", it doesn't connect (timeout after 30 seconds). The only thing that works, besides a reboot, is to deactivate the vpn connection, save, enable, save.

When it's disconnected, on the USG-20 I find (in a loop):

Send: [HASH][SA][NONCE][KE][ID][ID]
The cookie pair is: <long entry>
ISAKMP SA: VPN... is disconnected

And on USG-Flex 200:

#   | Time                | Priority | Category | Message                                                                      | Source        | Destination   | Note
3   | 2022-08-24 00:30:09 | info     | IKE      | Send:[KE][NONCE][PRV][PRV]                                                   | 185.*.*.*:500 | 82.*.*.*:500  | IKE_LOG
657 | 2022-08-24 00:30:08 | info     | IKE      | Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID][VID]                 | 185.*.*.*:500 | 82.*.*.*:500  | IKE_LOG
658 | 2022-08-24 00:30:08 | info     | IKE      | The cookie pair is : 0x05f902e6aa538e8f / 0xa951211954ab5b2c [count=2]      | 185.*.*.*:500 | 82.*.*.*:500  | IKE_LOG
845 | 2022-08-24 00:28:33 | info     | IKE      | [COOKIE] Invalid cookie, no sa found [count=4]                               | 185.*.*.*:500 | 82.*.*.*:4500 | IKE_LOG
846 | 2022-08-24 00:28:33 | info     | IKE      | The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=4]      | 185.*.*.*:500 | 82.*.*.*:4500 | IKE_LOG
871 | 2022-08-24 00:28:17 | info     | IKE      | [COOKIE] Invalid cookie, no sa found                                         | 185.*.*.*:500 | 82.*.*.*:4500 | IKE_LOG
872 | 2022-08-24 00:28:17 | info     | IKE      | The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f                | 185.*.*.*:500 | 82.*.*.*:4500 | IKE_LOG
895 | 2022-08-24 00:28:01 | info     | IKE      | [COOKIE] Invalid cookie, no sa found [count=5]                               | 185.*.*.*:500 | 82.*.*.*:4500 | IKE_LOG
896 | 2022-08-24 00:28:01 | info     | IKE      | The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=5]      | 185.*.*.*:500 | 82.*.*.*:4500 |
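A small parser over records in the Flex200 log's layout, added here as an example (not the poster's or Zyxel's code): it joins each message row with the "cookie pair" row logged beside it and separates the cookie pairs the Flex200 rejects with "no sa found" (the peer still sending on an ISAKMP SA this side no longer holds) from the pairs it negotiates fresh. The pipe-separated layout and the documentation addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Flex200 log table above, newest first:
# id|timestamp|priority|category|message|source|destination (placeholder IPs).
SAMPLE_LOG = """\
3|2022-08-24 00:30:09|info|IKE|Send:[KE][NONCE][PRV][PRV]|192.0.2.1:500|198.51.100.1:500
657|2022-08-24 00:30:08|info|IKE|Send:[SA][VID][VID][VID]|192.0.2.1:500|198.51.100.1:500
658|2022-08-24 00:30:08|info|IKE|The cookie pair is : 0x05f902e6aa538e8f / 0xa951211954ab5b2c [count=2]|192.0.2.1:500|198.51.100.1:500
845|2022-08-24 00:28:33|info|IKE|[COOKIE] Invalid cookie, no sa found [count=4]|192.0.2.1:500|198.51.100.1:4500
846|2022-08-24 00:28:33|info|IKE|The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f [count=4]|192.0.2.1:500|198.51.100.1:4500
871|2022-08-24 00:28:17|info|IKE|[COOKIE] Invalid cookie, no sa found|192.0.2.1:500|198.51.100.1:4500
872|2022-08-24 00:28:17|info|IKE|The cookie pair is : 0x93a1fd5733c545f8 / 0xfafb9ac9804c6a1f|192.0.2.1:500|198.51.100.1:4500
"""
COOKIE_RE = re.compile(r"cookie pair is\s*:\s*(0x[0-9a-f]+) / (0x[0-9a-f]+)")
COUNT_RE = re.compile(r"\[count=(\d+)\]")  # log suppression: message repeated N times

def parse(log_text):
    """One event per message row, joined with the 'cookie pair' row the
    device logs alongside it (the next row with the same timestamp)."""
    rows = [ln.split("|") for ln in log_text.splitlines() if ln.strip()]
    events = []
    for row, nxt in zip(rows, rows[1:] + [None]):
        msg = row[4]
        if COOKIE_RE.search(msg):
            continue  # companion row, consumed by its message row
        cookies = None
        if nxt is not None and nxt[1] == row[1]:
            m = COOKIE_RE.search(nxt[4])
            cookies = m.groups() if m else None
        m = COUNT_RE.search(msg)
        events.append({"time": row[1], "msg": msg, "dst": row[6], "cookies": cookies,
                       "repeats": int(m.group(1)) if m else 1})
    return events

def analyze(log_text):
    """Cookie pairs rejected with 'no sa found' (peer reuses an SA this side
    dropped) versus pairs negotiated fresh in a new Phase 1 (Send:[SA]...)."""
    rejected, fresh = defaultdict(int), set()
    for ev in parse(log_text):
        if ev["cookies"] is None:
            continue
        if "Invalid cookie, no sa found" in ev["msg"]:
            rejected[ev["cookies"]] += ev["repeats"]
        elif ev["msg"].startswith("Send:[SA]"):
            fresh.add(ev["cookies"])
    stale = {c: n for c, n in rejected.items() if c not in fresh}
    return {"stale_pairs": stale, "fresh_pairs": fresh,
            "peer_holds_stale_sa": bool(stale)}
```

Run `analyze(SAMPLE_LOG)` to see the rejected pair and its repeat total; a real export would be fed in the same one-record-per-line form.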


All Replies

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    Hi @valerio_vanni
    On the USG20, you can enable the "Nailed-Up" and "Connectivity Check" functions in the VPN Connection setting.
    Then the USG20 will auto dial-up the VPN tunnel when the Connectivity Check fails.

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    Zyxel_Stanley said:
    Hi @valerio_vanni
    On the USG20, you can enable the "Nailed-Up" and "Connectivity Check" functions in the VPN Connection setting.
    Then the USG20 will auto dial-up the VPN tunnel when the Connectivity Check fails.


    It's already set this way.
    Like it was when it was working.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    May I assume that NAT-Traversal is selected on one of the sides?
    What is the re-key time for gateway and connection?
    How old is the ethernet cable between the USG20 and the ISP router?
    Does your ISP's router have a "firewall function"? How is it configured for port forwarding? A single cfg for all rules, or are specific ports forwarded?


  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    mMontana said:
    1) May I assume that NAT-Traversal is selected on one of the sides?

    2) What is the re-key time for gateway and connection?

    3) How old is the ethernet cable between the USG20 and the ISP router?

    4) Does your ISP's router have a "firewall function"? How is it configured for port forwarding? A single cfg for all rules, or are specific ports forwarded?


    1) Yes

    2) On Zywall USG-20: Phase1 and Phase2 86400; On USG-Flex 200: Phase1 86400 and Phase2 28800

    3) I have no idea. I installed that firewall in 2021, and I'm pretty sure I didn't put crapware between the router and the firewall. A note: only the vpn tunnel goes down after some hours; I'm always able to log in remotely by ssh or https.
    If there's something really old, it's Zywall USG-20 ;-)

    4) It has a single rule that forwards everything to the firewall
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,377  Zyxel Employee
    Hi @valerio_vanni
    Are there multiple "Server Role" VPN rules on the FLEX200?
    If yes, we suggest configuring "Local ID" on the USG20 (Phase 1 setting).

    It could help the VPN service route the traffic into the correct VPN tunnel when there are multiple dynamic VPN tunnels.
  • mMontana
    mMontana Posts: 1,389  Guru Member
    @valerio_vanni I'd lower the SA Lifetime for all phases and devices to 28800.
  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    mMontana said:
    @valerio_vanni I'd lower the SA Lifetime for all phases and devices to 28800.
    I'll try.

    The last two things I tried in the last few days, on the Zywall USG-20:

    1) Reloaded the firmware (same version, there is nothing newer since 2016)
    2) Reloaded a configuration file from many months ago, when everything worked.

    But nothing changed.
  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    edited August 2022
    Zyxel_Stanley said:
    Hi @valerio_vanni
    Are there multiple "Server Role" VPN rules on the FLEX200?
    If yes, we suggest configuring "Local ID" on the USG20 (Phase 1 setting).

    It could help the VPN service route the traffic into the correct VPN tunnel when there are multiple dynamic VPN tunnels.

    There are 2 "server role" VPN connections on the Flex200, one for plain dynamic ipsec tunnels (for PCs) and the other for dynamic L2TP/Ipsec tunnels (for Android phones). Both of them take "any" as remote id.

    But the rule between the Flex200 and the Zywall USG-20 is a "site to site" one, not a "server role" (in detail, "site to site" in the old USG-20 interface and "site to site with dynamic peer" in the newer Flex200 interface).
    They have mirrored explicit settings (I don't put the real names because they contain company names, but it's something like: on the USG20, local=usg20.local / remote=flex200.local, and on the flex200, local=flex200.local / remote=usg20.local).

    What's wrong with these mirrored settings, which worked for many months? I don't understand why this could lead traffic into the wrong vpn tunnel.

  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    mMontana said:
    @valerio_vanni I'd lower the SA Lifetime for all phases and devices to 28800.
    I'll try.

    Tried it, it doesn't fix the issue.

  • mMontana
    mMontana Posts: 1,389  Guru Member
    Was the ISP changed a month ago?
    Did you ask your ISP if there was any change?
