Trouble with failover ipsec vpn by reconnect to second gw

alexey
alexey Posts: 188  Master Member
First Comment Friend Collector Fifth Anniversary
edited April 2021 in Security
Hi!
We have issue on some (not all) sites between ZW USG 1100 & ZW USG 1000.
Failover ipsec vpn by 2 diff providers.
After main providers fall, vpn tunnel reconnect by 2 provider, vpn tunnel estabilished, but site on ZW 1000 isn't available.
VPN reconnect every 6-10 seconds.
In debug log on ZW 1100 have some strange lines
ESP packet SPI: xxxxxxxxxx: SEQ: xx, execute rule: ret_rl:10, ret_re: 1
SPI: xxxxxxxxxx (xxxxxxxxxx) SEQ: 0x24 (xx) No rule found, Dropping ESP packet. ret=1, step=11
Dropping packet. ret=1, step=11
In source we have ip of 2nd provider on ZW 1000, but in dest ip 1st provider on ZW 1100.
In ZW 1000 debug is clear.
We have around 20 same instances, but problem only on 2 more than a year of use.
The settings are identically, differents only vpn lan, providers ip & ipsec authentication.
Try search problem by providers side, but they give l2 vlan without any modification in traffic.
What problem can be?



All Replies

  • Zyxel_Emily
    Zyxel_Emily Posts: 1,376  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @alexey,

     

    Do both USG1100 and ZyWALL USG 1000 have two wan connections in the scenario of VPN failover?

    Can you share the configuration files of these two sites with us?

    I'd like to check the configurations and run some tests.   

  • IT_Field_Support
    IT_Field_Support Posts: 97  Ally Member
    First Comment Friend Collector Fifth Anniversary

    Hi,


    I have a similar problem, IPSEC vpn dropping packet but no failover. What did you do in your case ?

    IPSec Dropping packet. ret=1, step=11    
    IPSecSPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet. ret=1, step=11
    IPSec Dropping packet. ret=1, step=11
    IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping UDP packet. ret=1, step=11
    


    Thanks,


    Davy

  • alexey
    alexey Posts: 188  Master Member
    First Comment Friend Collector Fifth Anniversary

    Hi @IT_Field_Support .

    Its old toppic for our problem. The new is

    If you have 2 providers, and problems is same our, Zyxell support simply created 1 security rule to block ESP service between both vpn lans.

    For some understanding reason, one vpn try to routes via second vpn provider. But blocking this on policy control resolved our problem.


    I hope this help you.

  • IT_Field_Support
    IT_Field_Support Posts: 97  Ally Member
    First Comment Friend Collector Fifth Anniversary

    Thanks Alex, but I think my problem is different, I just created a new post in the forum.


    All the best,


    Davy

Security Highlight