IPSec sessions on the firewall not terminated after a while of being idle?

I have the following scenario: I manually connect from outside with a device (smartphone or notebook) via an IPSec VPN client (using the client configurations generated by the USG-20W-VPN), i.e. strongSwan or the Win1x client respectively.
Now, when I bring the device(s) back into WiFi range, they reconnect to the WiFi, so the IPSec tunnel is no longer used. If I log onto the firewall even hours after last using the IPSec tunnels, the tunnels are still shown as active in the overview, even though they have not been used for a long time; all traffic has been going via LAN cable or WiFi for hours. Only when I click the refresh button at the top right of the overview do I see the IPSec tunnel disconnecting right afterwards.
Is this a bug, or a feature? 😋
Shouldn't the firewall disconnect the tunnel by itself after an idle time and a preset timeout?
The log shows that the connection was terminated only after I actively pressed refresh. The device had already been used via WiFi for 1-2 hours, but the IPSec tunnel of this device was still left in a limbo state on the firewall, even though it had been manually terminated on the smartphone :) as far as I understand.
Summary: the IPSec connection was definitely used at most between 11:51 (correct timestamp) and 17:51. Afterwards the smartphone switched to WiFi. I have to stop the strongSwan client, as it tries to reconnect unsuccessfully. So I manually stopped the VPN, and the smartphone is now connected to the internet via WiFi. By 17:52 at the latest the IPSec connection is no longer used, but it is not only still shown as active in the GUI, there is also no disconnection in the logs. The disconnection occurs only after I press the refresh button in the GUI.
All Replies
Hi @Zyxel_USG_User ,
Which firmware version are you using?
We tested the scenario using a USG 20W VPN with firmware version 5.39P1, but our logs and VPN dashboard correctly showed the timestamp when our VPN clients disconnected.
Please check your firmware version and verify the exact time when your VPN clients disconnected against what's shown in your device GUI. If the issue persists, we may need a remote session to investigate further.
0
Firmware on the firewall is V5.39(ABAR.1).
I assume that we misunderstand each other. When I deliberately disconnect and reconnect, the timestamps are accurate in the log files and the GUI, as you posted as well.
Now, to the current problem:
- Take a smartphone, e.g. with the strongSwan IPSec VPN client.
- Activate the tunnel session to the firewall, then
- put the phone in an isolated box so that it has no data traffic whilst the tunnel has not been terminated. Or put it in flight mode.
- You will see that the tunnel, despite no traffic, is not timed out or disconnected on the firewall by the firewall itself, even after hours.
Looking at the smartphone in flight mode: according to the strongSwan log, the phone tries to terminate the VPN because it cannot reach the firewall (!), which is a bit funny from a procedural point of view; obviously the data does not 'get out'. If it cannot reach the firewall, why does it still try to send termination data out…
Looking at the firewall side: even if it does not receive data, the firewall remains in a limbo status, showing the connection in the GUI indefinitely even though no data is sent or received via that connection.
When I turn off flight mode on the smartphone and then manually terminate the tunnel/disconnect in strongSwan, it logs and displays the tunnel termination correctly. Otherwise there is no tunnel termination on the firewall, by the firewall itself, for a 'gone idle' connection, indefinitely. Well, a firewall reboot removes the connection :) but that should not be the standard procedure for VPN tunnels in indefinite connection states.
What I assume is that the firewall does not terminate an IPSec connection by itself after a threshold of no data has been reached?
0
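The thread describes a peer that silently disappears (flight mode, WiFi handover) while the firewall keeps the IKE SA listed as active. The mechanism that normally catches this is the IKEv2 liveness check, usually called dead peer detection (DPD): once no traffic has arrived from the peer for a while, the gateway sends empty INFORMATIONAL requests, and after a few unanswered retries it deletes the SA. The model below is an added example and not code from the thread or from Zyxel firmware; the timer values, the in-memory SA table, the peer address (an RFC 5737 documentation address) and the traffic timeline are all constructed for illustration. It contrasts the two behaviours: with the reaper disabled the SA stays ESTABLISHED forever, exactly the symptom reported above; with it enabled the SA is torn down a few probe intervals after the peer goes quiet.

```python
"""Minimal model of IKEv2 dead-peer detection (RFC 7296 section 2.4 liveness checks).
Added example; the timers and data structures are constructed, not a real firewall's."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class IkeSa:
    peer: str
    last_rx: float                    # last time any IKE/ESP traffic arrived from the peer
    probe_sent_at: Optional[float] = None
    unanswered: int = 0
    state: str = "ESTABLISHED"


class DpdReaper:
    """Sends liveness probes to idle SAs and deletes them after too many unanswered probes.
    Parameter values are constructed defaults for this illustration."""

    def __init__(self, idle_after: float = 30.0, retry_every: float = 5.0,
                 max_unanswered: int = 3) -> None:
        self.idle_after = idle_after          # seconds of silence before the first probe
        self.retry_every = retry_every        # seconds between retransmitted probes
        self.max_unanswered = max_unanswered  # probes without reply before deletion

    def tick(self, sa: IkeSa, now: float, peer_reachable: bool) -> str:
        """One DPD cycle at time `now`. `peer_reachable` models whether the peer would
        answer an INFORMATIONAL request. Returns the SA state after the cycle."""
        if sa.state == "DELETED":
            return sa.state
        if now - sa.last_rx < self.idle_after:
            # Recent traffic already proves liveness; no probe needed.
            sa.probe_sent_at, sa.unanswered = None, 0
            return sa.state
        due = sa.probe_sent_at is None or now - sa.probe_sent_at >= self.retry_every
        if due:
            if peer_reachable:
                # Empty INFORMATIONAL response received: the peer is alive.
                sa.last_rx, sa.probe_sent_at, sa.unanswered = now, None, 0
            else:
                sa.unanswered += 1
                sa.probe_sent_at = now
                if sa.unanswered >= self.max_unanswered:
                    sa.state = "DELETED"      # peer declared dead, SA torn down
        return sa.state


def simulate(dpd_enabled: bool, horizon: float = 120.0,
             step: float = 1.0) -> Tuple[str, Optional[float]]:
    """Constructed timeline: the peer sends traffic until t=10 s, then vanishes without
    sending an IKE DELETE. Returns (final SA state, time of deletion or None)."""
    sa = IkeSa(peer="203.0.113.10", last_rx=0.0)
    reaper = DpdReaper()
    t, deleted_at = 0.0, None
    while t <= horizon:
        reachable = t <= 10.0
        if reachable:
            sa.last_rx = t                    # normal traffic keeps the SA fresh
        if dpd_enabled:
            reaper.tick(sa, t, reachable)
        if sa.state == "DELETED":
            deleted_at = t
            break
        t += step
    return sa.state, deleted_at


if __name__ == "__main__":
    print("without DPD:", simulate(False))   # SA lingers: ('ESTABLISHED', None)
    print("with DPD:   ", simulate(True))    # SA reaped:  ('DELETED', 50.0)
```

Two points a practitioner can take from the model: a gateway only notices a vanished peer if something actively probes it (DPD, or a manual refresh that happens to trigger a check), and the delay before teardown is idle_after plus (max_unanswered - 1) times retry_every, so the values chosen decide how long a stale SA stays listed.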