ATP 800 half ipsec tunnels don't up after reboot

Options
alexey
alexey Posts: 188  Master Member
First Comment Friend Collector Fifth Anniversary
edited June 2023 in Security

After hang and restart half of ipsec tunnels don't up with ZW 1000.

Need manually change passpharase to cert or from cert to passphara.

After that tunnel is build

On 1000 error

image.png

On ATP

Recv:[NOTIFY:INVALID_SIGNATURE]

All Replies

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,338  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Dear @alexey

    Thanks for reporting this case to us. Regarding the symptom that you mentioned, it should be the same as this discussion. Please continue collecting syslog information. If the VPN connection gets disconnected, please share the syslog file with us. This will help us identify the possible reason for the disconnection. Thanks.

  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    @Zyxel_Jeff

    After update ATP800 to P2, all usg1000 tunnels up.

    Later on this week try some times reboot device and watch result

    Don't up 2 FLEX50W tunnels. Flex on P2 FW too.

    In logs error about duplicate ip adress, that problem in this thread

    https://community.zyxel.com/en/discussion/16813/arp-attack-from-inactive-interface-with-diff-ip

    Send new diag and IKE syslog from both devices to PM.

  • Zyxel_Jeff
    Zyxel_Jeff Posts: 1,338  Zyxel Employee
    100 Answers 500 Comments Friend Collector Fourth Anniversary

    Hi @alexey

    We noticed there is a message showing "2023 zw_holding src="10.0.1.254:500" dst="10.0.1.64:500" msg="IKE SA [vpn_dis_30km_vti_nova_ike2] is disconnected" note="IKE_LOG" user="unknown" devID="d8ece5c4598f" cat="IKE"", it could be the possible reason why the VPN is disconnected, please provide USG FLEX50W and ATP800 remote links to us for further checking. Thanks.

Categories

Security Help Center

EnglishTiếng ViệtРусскийไทย中文(台灣)