Ping over VTI Destination unreachable over time
Guru Member
USGFLEX200HV1.21(ABWV.0)
Setup is USG60W
LAN2 192.168.254.9 255.255.255.248
VLAN 55 192.168.55.1 255.255.255.0
VTI_test
IP 192.168.254.10
Pre-Shared Key 12345678
Phase 1 AES128 SH256 DH2
SA Life Time 300
Phase 2 AES128 SH1 DH2
SA Life Time 180
VTI IP 192.168.255.43 255.255.255.240
FLEX200H
Ge3 WAN3 192.168.254.10 255.255.255.248 gateway 192.168.254.9
P4 VLAN47192.168.255.39 255.255.255.240
VTI Route-based
IP 192.168.254.9
Pre-Shared Key 12345678
Phase 1 AES128 SH256 DH2
SA Life Time 300
Phase 2 AES128 SH1 DH2
SA Life Time 180
VTI IP 192.168.255.42 255.255.255.240
Nailed-up
routing rule
incoming VLAN47
Destination192.168.55.12
service ICMP
Next hop VTI
SNAT none
When pinging from192.168.255.40 to 192.168.55.12 over the VTI the FLEX200H will sometime do a Destination unreachable.
All Replies
-
So I might of jumped the gun on this along with this
https://community.zyxel.com/en/discussion/22135/speeded-up-sa-life-time-site-to-site-local-test-tunnel-drops-does-not-reconnect#latestand the manual is clear on this:
SA Life Time Set how often the Zyxel Device renegotiates the IKE SA. A short SA life time increases security, but renegotiation temporarily disconnects the VPN tunnel. The value you set for the SA life time in Phase 1 Settings should be greater than or equal to the value you set for the SA life time in Phase 2 Settings.So I'm seeing it happen every 10 minutes yet my Phase 1 is every 300 which is 5 minutes so you would think it would happen every 5 minutes so changed that back to 86400 but with Phase 2 is every 180 seconds no problem so its when Phase 1 has to renegotiation along with Phase 2 which there is a delay causes a drop out.
0 -
Hi @PeterUK
After reviewing your configuration, it appears that there is an IP address overlap between VLAN47 and the VTI interface on your FLEX200H device. The overlapping IP range (192.168.255.32/28, covering IPs 192.168.255.33 to 192.168.255.46) can cause traffic routing issues, which might explain the intermittent "Destination unreachable" responses you are seeing when pinging across the VTI.
To resolve this, we recommend changing the VLAN IP subnet to a different segment to eliminate the overlap. After making this change, please test the connection again to see if the issue persists.
Let us know if this resolves the problem or if you need further assistance.
0 -
Yes but also no as I will explain but this problem was setting the SA life time low causing the VPN to renegotiates Phase 1 and Phase 2 which there is a delay causes a drop out.
So ok let start with the way I have it setup I can ping 192.168.55.12 and the Flex can DNS over VTI
You want me to change VLAN47 subnet on Flex OK I change to 192.168.25.39/28 I can DNS (note I do “cmd dns proxy clear-cache” on the Flex) because its from VTI IP 192.168.255.42 but now I can't ping 192.168.55.12 so on the USG60W I change VTI IP to 192.168.25.43 now I can ping 192.168.55.12 but can't DNS.
0 -
delete
0
Zyxel Employee
Categories
- All Categories
- 414 Beta Program
- 2.2K Nebula
- 130 Nebula Ideas
- 88 Nebula Status and Incidents
- 5.4K Security
- 166 USG FLEX H Series
- 255 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 999 Wireless
- 36 Wireless Ideas
- 6.2K Consumer Product
- 233 Service & License
- 370 News and Release
- 77 Security Advisories
- 24 Education Center
- 5 [Campaign] Zyxel Network Detective
- 2.9K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 80 About Community
- 69 Security Highlight
