Ping timeout problem

PeterUK
PeterUK Posts: 3,388  Guru Member
edited September 8 in USG FLEX H Series

USG FLEX 200H V1.21(ABWV.0)ITS-24WK35-0813-240800592

So after moving to the FLEX200H there are some problems I'm seeing. Not sure I can simplify this one; it's part of the failover system, now with FLEX200H instead of Zywall 110.
https://community.zyxel.com/en/discussion/comment/51334/#Comment_51334

/ vrf "main" interface vlan "VLAN443" ipv4 address "192.168.44.1/28"
/ vrf "main" interface vlan "VLAN443" ipv4 address "192.168.44.4/28"

There are three ping rules to 192.168.44.4 to the Flex200H from VPN300

So when it's working for one of these rules, ping from 192.168.44.5 from VPN300 to 192.168.44.4 of FLEX200H, which then does NAT of the ICMP to 192.168.254.33 and routing rule to SNAT from 192.168.44.1 static route 192.168.254.32/29 to 192.168.44.5, which the VPN300 sends down the tunnel to my FLEX200 for a reply, which then replies back to FLEX200H and then reply back to VPN300.

With FLEX200H timeout for ICMP set to 5 seconds I'm getting a lot of timeouts whereby the VPN300 would send a ping to 192.168.44.4 and FLEX200H would not do its thing, but as a workaround, if I set the timeout for ICMP to 1 second the problem mostly goes away.

My guess is due to the way ping is indirectly getting a reply that the FLEX200H still waits 5 seconds, so when another ping happens to 192.168.44.4 it's dropped.

All Replies

  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    PM sent to Judy to look at

  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    What I get from VPN300 when the FLEX200H timeout for ICMP is set to 5 seconds:

    1   2024-09-16 11:35:42  notice  Connectivity Check  Policy Route 37 status is set to ACTIVE by connectivity-check
    7   2024-09-16 11:35:41  notice  Connectivity Check  Policy Route 37 status is set to INACTIVE by connectivity-check
    8   2024-09-16 11:35:41  alert   Connectivity Check  The link status of policy 37 is inactive.
    9   2024-09-16 11:35:40  notice  Connectivity Check  Policy Route 36 status is set to ACTIVE by connectivity-check
    10  2024-09-16 11:35:40  notice  Connectivity Check  Policy Route 35 status is set to ACTIVE by connectivity-check
    12  2024-09-16 11:35:39  notice  Connectivity Check  Policy Route 36 status is set to INACTIVE by connectivity-check
    14  2024-09-16 11:35:38  alert   Connectivity Check  The link status of policy 36 is inactive.
    15  2024-09-16 11:35:38  notice  Connectivity Check  Policy Route 35 status is set to INACTIVE by connectivity-check
    16  2024-09-16 11:35:38  alert   Connectivity Check  The link status of policy 35 is inactive.
    20  2024-09-16 11:35:27  notice  Connectivity Check  Policy Route 36 status is set to ACTIVE by connectivity-check
    22  2024-09-16 11:35:26  notice  Connectivity Check  Policy Route 36 status is set to INACTIVE by connectivity-check
    23  2024-09-16 11:35:26  alert   Connectivity Check  The link status of policy 36 is inactive.
    32  2024-09-16 11:35:09  notice  Connectivity Check  Policy Route 37 status is set to ACTIVE by connectivity-check
    34  2024-09-16 11:35:08  notice  Connectivity Check  Policy Route 37 status is set to INACTIVE by connectivity-check
    35  2024-09-16 11:35:08  alert   Connectivity Check  The link status of policy 37 is inactive.
    36  2024-09-16 11:35:06  notice  Connectivity Check  Policy Route 35 status is set to ACTIVE by connectivity-check
    38  2024-09-16 11:35:05  notice  Connectivity Check  Policy Route 35 status is set to INACTIVE by connectivity-check
    39  2024-09-16 11:35:05  alert   Connectivity Check  The link status of policy 35 is inactive.
    40  2024-09-16 11:35:00  notice  Connectivity Check  Policy Route 36 status is set to ACTIVE by connectivity-check
    42  2024-09-16 11:34:59  notice  Connectivity Check  Policy Route 36 status is set to INACTIVE by connectivity-check
    43  2024-09-16 11:34:59  alert   Connectivity Check  The link status of policy 36 is inactive.
    44  2024-09-16 11:34:56  notice  Connectivity Check  Policy Route 37 status is set to ACTIVE by connectivity-check
    46  2024-09-16 11:34:56  notice  Connectivity Check  Policy Route 37 status is set to INACTIVE by connectivity-check
    47  2024-09-16 11:34:56  alert   Connectivity Check  The link status of policy 37 is inactive.
    48  2024-09-16 11:34:54  notice  Connectivity Check  Policy Route 35 status is set to ACTIVE by connectivity-check
    50  2024-09-16 11:34:53  notice  Connectivity Check  Policy Route 35 status is set to INACTIVE by connectivity-check
    51  2024-09-16 11:34:53  alert   Connectivity Check  The link status of policy 35 is inactive.
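
The flapping in the VPN300 log above can be measured instead of read by eye. This is an added example, not part of the original posts and not Zyxel tooling: it parses connectivity-check entries, pairs each INACTIVE with the next ACTIVE per policy route, and flags routes that drop repeatedly. The 60-second window and threshold of 2 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Six entries copied from the VPN300 log in the post above (newest first).
SAMPLE_LOG = """\
9 2024-09-16 11:35:40 notice Connectivity Check Policy Route 36 status is set to ACTIVE by connectivity-check
10 2024-09-16 11:35:40 notice Connectivity Check Policy Route 35 status is set to ACTIVE by connectivity-check
12 2024-09-16 11:35:39 notice Connectivity Check Policy Route 36 status is set to INACTIVE by connectivity-check
15 2024-09-16 11:35:38 notice Connectivity Check Policy Route 35 status is set to INACTIVE by connectivity-check
36 2024-09-16 11:35:06 notice Connectivity Check Policy Route 35 status is set to ACTIVE by connectivity-check
38 2024-09-16 11:35:05 notice Connectivity Check Policy Route 35 status is set to INACTIVE by connectivity-check
"""

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
STATE_RE = re.compile(r"Policy Route (\d+) status is set to (ACTIVE|INACTIVE)")

def parse_events(text):
    """Return (time, route, state), oldest first; assumes a newest-first export."""
    events, last_ts = [], None
    for line in text.splitlines():  # works with one entry or one field per line
        ts = TS_RE.search(line)
        if ts:
            last_ts = datetime.strptime(ts.group(), "%Y-%m-%d %H:%M:%S")
        st = STATE_RE.search(line)
        if st and last_ts is not None:
            events.append((last_ts, int(st.group(1)), st.group(2)))
    # Reverse before the stable sort so same-second entries keep their real order.
    return sorted(reversed(events), key=lambda e: e[0])

def outages(events):
    """Seconds between each INACTIVE and the next ACTIVE, per route."""
    down_since, result = {}, defaultdict(list)
    for when, route, state in events:
        if state == "INACTIVE":
            down_since.setdefault(route, when)
        elif route in down_since:
            result[route].append((when - down_since.pop(route)).total_seconds())
    return dict(result)

def flapping(events, window_s=60, threshold=2):
    """Routes with >= threshold INACTIVE events inside window_s (assumed values)."""
    downs = defaultdict(list)
    for when, route, state in events:
        if state == "INACTIVE":
            downs[route].append(when)
    return {r for r, t in downs.items()
            if any((b - a).total_seconds() <= window_s
                   for a, b in zip(t, t[threshold - 1:]))}
```

Feed `parse_events` the full exported log to get per-route outage durations from `outages` and the set of unstable routes from `flapping`.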

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee

    Hi @PeterUK,

    We have a few points to discuss with you. Please check your private message.


  • PeterUK
    PeterUK Posts: 3,388  Guru Member
    edited September 19

    Maybe I should start from the beginning as to the problem I need to solve.

    So I have a PC with LAN IP 192.168.255.55 with DNS 192.168.255.60 (which NAT to 192.168.255.62) which I only want to work when the VPN tunnel is dropped. When the tunnel is up I have a routing rule #35 that goes nowhere, and the idea is when the routing rule ping check fails the next routing rule #39 becomes active and DNS for 192.168.255.55 works to 192.168.255.60 NAT to 192.168.255.62.

    As there is no way directly to send a routing rule ping down the tunnel on VPN300, I had to do it the way I said by having the routing rule do nothing to ping 192.168.44.4, which pings back 192.168.254.33 to go down the tunnel and comes out FLEX200 sending the reply to FLEX200H, which is set up the way Zywall 110 was set up.

    The problem just has to do with this ICMP timeout, which works better at 1 than 5.

  • Zyxel_Judy
    Zyxel_Judy Posts: 1,584  Zyxel Employee

    Hi @PeterUK ,

    Thank you for providing detailed information about the topology and testing steps via private message.

    We were able to reproduce the issue and have identified a solution. This fix will be included in the next official firmware version, 1.30.


  • PeterUK
    PeterUK Posts: 3,388  Guru Member

    Looks to be fixed in V1.30 👍️