TCP-Aging in IPsec Site-to-Site VPN

moebi
moebi Posts: 3  Freshman Member
edited April 2021 in Security

Hello,

I have the problem on my USG/ZyWALL that the communication from my server in network A to my EC-cash terminal in network B doesn't work very well.
It seems there is TCP aging in the site-to-site IPsec VPN; after about five minutes the communication no longer works.

The problem is the ZVT protocol: there is only communication when someone pays via EC-Cash, so there are no keep-alive packets between server and terminal.

Is it possible to turn off TCP aging in the VPN session?
The communication port is 22000.

On network A is a ZyWALL 110.
On network B is a USG20.

In the attachments is a Wireshark dump.

Please help me!

Felix

Comments

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee
    Hi @moebi

    Can you attach the packets on the system again?
  • moebi
    moebi Posts: 3  Freshman Member

    Here is the file.

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,378  Zyxel Employee

    Hi @moebi  

    In packet No. 15, the "don't fragment" bit is enabled, so the packets may be dropped because the packet size is too large.

    You can enable the "ignore don't fragment" function on both USGs.

    And try it again.


  • moebi
    moebi Posts: 3  Freshman Member

    Hi,


    Thanks for your help, but I have the same issue when "Ignore don't fragment" is enabled on both ZyWALLs.

    I also have the same problem when I tried this with port forwarding.

    But it only happens when I use the ZyWALL; the old router with DD-WRT works fine.

  • Blabababa
    Blabababa Posts: 151  Master Member

    Is there any VPN-related log on the device log page? Is only the specific application disconnected, or does the whole VPN connection go down when the symptom happens?

  • mMontana
    mMontana Posts: 1,380  Guru Member

    @moebi I know it seems a bit foolish, but IMVHO it should be checked: are both devices correctly time-synced?

    Also: which set of protocol, encryption, authentication and PFS are you using?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee

    Hi @moebi

    Welcome to Zyxel Community.

    For TCP aging, we can modify the TCP session status timeout value on the USG, but from the packet trace, it seems to me that it's not related to TCP aging.

    As you can see, 10.2.232.23 got no response from peer 192.168.101.40, then it sent a packet with the [RST,ACK] flags to terminate the session.

    Also, in general, an application should have a mechanism to handle keep-alive events, not just rely on the TCP layer.


    The following CLI commands are the device session settings; you can run a quick test and see if the issue is due to this.

    Check the device TCP session timeout:

    Router# show session timeout tcp|udp|icmp

    Modify the device session timeout value:

    Router(config)# session timeout tcp-established xxx
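The thread's two mitigations are raising the firewall's tcp-established timeout or having the application keep its idle ZVT connection alive, as Zyxel_Cooldia notes. The following added example (not from the thread, Zyxel or any ZVT vendor) shows the application side in Python: it derives TCP keepalive timings that stay below an assumed firewall session timeout of 300 seconds and applies them to the server's socket; the terminal address, port 22000 from the thread, and the timeout value are assumptions.

```python
import socket

# Assumed values: the USG/ZyWALL tcp-established timeout (the thread reports
# drops after ~5 minutes) and the ZVT port named in the original post.
FIREWALL_TCP_ESTABLISHED_TIMEOUT = 300  # seconds, assumption
ZVT_PORT = 22000


def keepalive_params(firewall_timeout, margin=0.5):
    """Return (idle, interval, count) such that the first probe goes out after
    `idle` seconds and all `count` probes complete before the firewall's session
    entry can age out, so the session table stays refreshed by probe traffic."""
    if firewall_timeout <= 10:
        raise ValueError("firewall timeout too short to keep alive safely")
    idle = max(1, int(firewall_timeout * margin))        # first probe at half the timeout
    count = 3                                            # failed probes before declaring the peer dead
    interval = max(1, (firewall_timeout - idle) // (count + 1))
    if idle + interval * count >= firewall_timeout:
        raise ValueError("keepalive schedule does not fit inside the firewall timeout")
    return idle, interval, count


def enable_tcp_keepalive(sock, firewall_timeout=FIREWALL_TCP_ESTABLISHED_TIMEOUT):
    """Turn on TCP keepalive on `sock` and tune it to the firewall timeout."""
    idle, interval, count = keepalive_params(firewall_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # Per-socket tuning is platform specific: Linux exposes TCP_KEEPIDLE,
    # macOS names the idle timer TCP_KEEPALIVE; otherwise the kernel default applies.
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    if idle_opt is not None:
        sock.setsockopt(socket.IPPROTO_TCP, idle_opt, idle)
    if hasattr(socket, "TCP_KEEPINTVL"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)
    if hasattr(socket, "TCP_KEEPCNT"):
        sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)
    return idle, interval, count


def new_terminal_socket(firewall_timeout=FIREWALL_TCP_ESTABLISHED_TIMEOUT):
    """Create the server-side socket for the terminal link with keepalive enabled.
    Connecting (e.g. sock.connect((terminal_ip, ZVT_PORT))) is left to the caller."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    enable_tcp_keepalive(sock, firewall_timeout)
    return sock
```

With the defaults this sends the first probe after 150 s and spaces the rest 37 s apart, so the firewall sees traffic well before its 300 s tcp-established timer expires; if the timer is raised with `session timeout tcp-established`, pass the new value so the schedule scales with it.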

