TCP Aging in IPsec Site-to-Site VPN

moebi
moebi Posts: 3
edited April 2021 in Security

Hello,

I have the problem on my USG/ZyWALL that the communication from my server in network A to my EC-cash terminal in network B doesn't work very well.
It seems there is a TCP aging in the site-to-site IPsec VPN; after about five minutes the communication does not work as well.

The problem is the ZVT protocol: communication only happens when someone pays via EC-Cash, so there are no keep-alive packets between server and terminal.

Is it possible to turn off TCP aging in the VPN session?
The communication port is 22000.

On network A is a ZyWALL 110.
On network B is a USG20.

In the attachments is a Wireshark dump.

Please help me!

Felix
Comments

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee
    Hi @moebi

    Can you attach the packets on the system again?
  • moebi
    moebi Posts: 3

    here is the file

  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,366  Zyxel Employee

    Hi @moebi  

    In packet No. 15, the “don’t fragment” bit is enabled, so the packets may be dropped because the packet size is too large.

    You can enable the “ignore don’t fragment” function on both USGs.

    And try it again.


  • Hi,


    thanks for your help, but I have the same issue when "Ignore don't fragment" is enabled on both ZyWALLs.

    I also have the same problem when I tried this with port forwarding.

    But it is only when I use the ZyWALL; the old router with DD-WRT works fine.

  • Blabababa
    Blabababa Posts: 151  Master Member

    Is there any VPN-related log on the device log page? Is only the specific application disconnected, or does the whole VPN connection go down when the symptom happens?

  • mMontana
    mMontana Posts: 1,300  Guru Member

    @moebi I know it seems a bit foolish, but IMVHO it should be checked: are both devices correctly time synced?

    Also: which set of protocol, encryption, authentication and PFS are you using?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,450  Zyxel Employee

    Hi @moebi

    Welcome to Zyxel Community.

    For TCP aging, we can modify the TCP session status timeout value on the USG, but from the packet trace, it seems to me that it’s not related to TCP aging.

    As you can see, 10.2.232.23 got no response from peer 192.168.101.40, then it sent a packet with the [RST, ACK] flags to terminate the session.

    Also, in general, the application should have a mechanism to handle keep-alive events, not just rely on the TCP layer.


    The following CLI commands are the device session settings; you can do a quick test and see if the issue is due to this.

    Check the device TCP session timeout:

    Router# show session timeout tcp|udp|icmp

    Modify the device session timeout value:

    Router(config)# session timeout tcp-established xxx
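As an added example (not from this thread, Zyxel, or the ZVT terminal vendor), the following shows the application-side fix Zyxel_Cooldia mentions: enabling TCP keepalive on the server's socket so that probes refresh the firewall's session entry before the tcp-established timeout expires. It assumes Linux socket options (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) and a constructed 300 s timeout; the real value comes from "show session timeout tcp" on the USG/ZyWALL.

```python
import socket

# Constructed value: the thread reports the link dying after about five
# minutes. Read the real value on the USG/ZyWALL with "show session timeout tcp".
FIREWALL_TCP_ESTABLISHED_TIMEOUT = 300
TERMINAL_PORT = 22000  # the ZVT port named in the question


def keepalive_params(firewall_timeout, probes=3, margin=0.5):
    """Return (idle, interval, count) so that keepalive traffic refreshes the
    firewall's session entry well before it expires.
    idle: seconds of silence before the first probe,
    interval: seconds between unanswered probes,
    count: unanswered probes before the socket is reported dead."""
    if firewall_timeout <= 0:
        raise ValueError("firewall timeout must be positive")
    idle = max(1, int(firewall_timeout * margin))
    # All probes must also finish inside the remaining idle budget.
    interval = max(1, min(idle, int(firewall_timeout * (1 - margin) / probes)))
    return idle, interval, probes


def enable_keepalive(sock, firewall_timeout=FIREWALL_TCP_ESTABLISHED_TIMEOUT):
    """Turn on TCP keepalive on a TCP socket and tune the timers where the OS
    exposes them (Linux: TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT).
    Returns the values read back from the kernel via getsockopt."""
    idle, interval, count = keepalive_params(firewall_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval),
                        ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)  # absent on some platforms
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def configured_socket(firewall_timeout=FIREWALL_TCP_ESTABLISHED_TIMEOUT):
    """Create an unconnected TCP socket with keepalive applied; returns
    (socket, applied options) so the caller can connect() and verify."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    return sock, enable_keepalive(sock, firewall_timeout)


if __name__ == "__main__":
    sock, applied = configured_socket()
    print("keepalive settings applied:", applied)
    sock.close()  # a real client would connect((terminal_ip, TERMINAL_PORT)) first
```

With a 300 s firewall timeout the first probe goes out after 150 s of silence, so the session entry is refreshed even while no payment traffic flows; a dead peer is still detected within the original timeout window.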