IPsec via main GW stops working, "Found old outbound SPI" error in debug log

alexey (Master Member)
edited April 2021 in Security

Hello.

Today the IPsec VPN tunnel between ZW USG1100 & 1000 stopped working.

The connection is established every few seconds, but no traffic is transferred through it.

In the debug logs there are many errors "Found old outbound SPI %id".

I can't see the same errors in other identical IPsec setups.

The only things that help are manually setting the second VPN GW as the main GW or rebooting the ZW1100.

This problem looks like our old problem https://businessforum.zyxel.com/discussion/2015/trouble-with-failover-ipsec-vpn-by-reconnect-to-second-gw#latest

But earlier we had a problem with unexpected reboots every 2-3 days, and this was a very rare problem.

Now that our ZW works without reboots, this problem is becoming more common.

EDIT1: a second site is down with the same problem. Same error in the logs, but we don't have a backup VPN there.

EDIT2: on the second site everything normalized after 3 hours without any config change.

EDIT3: 3 more sites are down. What may be the cause of this?

EDIT4: 5 sites are down. Need help! Added samples of the IKE and debug logs.



All Replies

  • Zyxel_Cooldia (Zyxel Employee)

    Hi @alexey

    Can you provide remote access to both devices via private message?

    We need to check this issue on live site.

  • alexey

    Hi. Sent the info via PM.

    I added access for IPs 61.220.247.157-158 & 36.227.179.82.

  • alexey

    The problem still persists. I will try to collect a debug log by Monday.

  • alexey

    2 sites still don't work. They are with 1 VPN provider.

    In the ZW logs there are repeated messages like:

    110 2019-07-22 11:12:44 debug IPSec [vpn_mar_evrasia(#23)]created incoming IPsec flow, idx: 162771 192.168.18.100 192.168.0.99 IPSec

    112 2019-07-22 11:12:44 debug IPSec Creating flow: lifetime: 73440, time: 1563750764 192.168.18.100 192.168.0.99 IPSec

    126 2019-07-22 11:12:44 debug IKE Initiator recv:[IDcr: ipv4_subnet(any:0,[0..7]=172.20.39.0/24)] 192.168.18.100:500 192.168.0.99:500 IKE_LOG

    127 2019-07-22 11:12:44 debug IKE Initiator recv:[IDci: ipv4_subnet(any:0,[0..7]=172.20.0.0/20)] 192.168.18.100:500 192.168.0.99:500 IKE_LOG

    184 2019-07-22 11:12:41 debug IPSec Sending tunnel, i: 43, transform_index: 234882934(0x0e000776), event: 1 192.168.18.100 192.168.0.99 IPSec

    259 2019-07-22 11:12:38 debug IKE Found old outbound SPI 0x76a35a68 (tunnel: vpn_mar_evrasia(#23)) 192.168.18.100 192.168.0.99:500 IKE_LOG

    272 2019-07-22 11:12:38 debug IKE Responder recv:[IDcr: ipv4_subnet(any:0,[0..7]=172.20.0.0/20)] 192.168.18.100:500 192.168.0.99:500 IKE_LOG

    273 2019-07-22 11:12:38 debug IKE Responder recv:[IDci: ipv4_subnet(any:0,[0..7]=172.20.39.0/24)] 192.168.18.100:500 192.168.0.99:500 IKE_LOG

    431 2019-07-22 11:12:31 debug IPSec Sending tunnel, i: 18, transform_index: 234882934(0x0e000776), event: 5 192.168.18.100 192.168.0.99 IPSec

    583 2019-07-22 11:12:28 debug IPSec Sending tunnel, i: 3, transform_index: 234882934(0x0e000776), event: 1 192.168.18.100 192.168.0.99 IPSec

    VPN connects and reconnects every 10-15 seconds.

    I collected and attached the debug log from Monday morning.
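The debug lines above show the pattern being reported: "created incoming IPsec flow" for the same tunnel recurring every 10-15 seconds, interleaved with "Found old outbound SPI". As an added example (not from the thread and not Zyxel code), here is a small Python script that parses log records of this shape, groups SA establishments per tunnel, and flags tunnels that re-establish faster than a threshold or that report the same stale SPI more than once. The record regex, the 30-second threshold, the minimum event count and the second tunnel name `vpn_site_b(#7)` are assumptions; the first three sample lines are the ones quoted in the post, the remaining lines are constructed to show a flapping tunnel beside a healthy one.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample input. The first three records are debug lines quoted in the
# post above; the rest are constructed in the same shape (newest first, as the
# ZyWALL log viewer lists them) so that vpn_mar_evrasia re-establishes every
# 12-13 s and reports the same stale SPI twice, while "vpn_site_b(#7)" (a
# hypothetical tunnel name, not from the thread) establishes once and stays quiet.
SAMPLE_LOG = """\
110 2019-07-22 11:12:44 debug IPSec [vpn_mar_evrasia(#23)]created incoming IPsec flow, idx: 162771 192.168.18.100 192.168.0.99 IPSec
126 2019-07-22 11:12:44 debug IKE Initiator recv:[IDcr: ipv4_subnet(any:0,[0..7]=172.20.39.0/24)] 192.168.18.100:500 192.168.0.99:500 IKE_LOG
259 2019-07-22 11:12:38 debug IKE Found old outbound SPI 0x76a35a68 (tunnel: vpn_mar_evrasia(#23)) 192.168.18.100 192.168.0.99:500 IKE_LOG
301 2019-07-22 11:12:31 debug IPSec [vpn_mar_evrasia(#23)]created incoming IPsec flow, idx: 162770 192.168.18.100 192.168.0.99 IPSec
420 2019-07-22 11:12:25 debug IKE Found old outbound SPI 0x76a35a68 (tunnel: vpn_mar_evrasia(#23)) 192.168.18.100 192.168.0.99:500 IKE_LOG
510 2019-07-22 11:12:19 debug IPSec [vpn_mar_evrasia(#23)]created incoming IPsec flow, idx: 162769 192.168.18.100 192.168.0.99 IPSec
620 2019-07-22 11:12:06 debug IPSec [vpn_mar_evrasia(#23)]created incoming IPsec flow, idx: 162768 192.168.18.100 192.168.0.99 IPSec
700 2019-07-22 11:05:02 debug IPSec [vpn_site_b(#7)]created incoming IPsec flow, idx: 162700 192.168.18.100 10.9.9.9 IPSec
this line is not a log record and is skipped
"""

# Assumed record shape: seq date time priority category message src[:port] dst[:port] note
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<prio>\S+)\s+(?P<cat>\S+)\s+(?P<msg>.*?)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+(?P<note>\S+)$"
)
# "[name(#id)]created incoming IPsec flow" is treated as one SA establishment.
ESTABLISH_RE = re.compile(r"\[(?P<tunnel>[^\]]+\(#\d+\))\]created incoming IPsec flow")
# "Found old outbound SPI 0x... (tunnel: name(#id))" is a stale-SPI hit.
OLD_SPI_RE = re.compile(
    r"Found old outbound SPI (?P<spi>0x[0-9A-Fa-f]+) \(tunnel: (?P<tunnel>[^)]+\(#\d+\))\)"
)


def parse_line(line):
    """Return a dict for one log record, or None if the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "category": m["cat"], "msg": m["msg"], "src": m["src"], "dst": m["dst"]}


def analyse(log_text, flap_interval_s=30, min_events=3):
    """Per tunnel: establishment count, median gap between establishments,
    stale-SPI hits, whether one SPI was reported twice, and a flapping verdict."""
    established = defaultdict(list)
    old_spi = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = ESTABLISH_RE.search(rec["msg"])
        if m:
            established[m["tunnel"]].append(rec["ts"])
        m = OLD_SPI_RE.search(rec["msg"])
        if m:
            old_spi[m["tunnel"]].append((rec["ts"], m["spi"].lower()))

    report = {}
    for tunnel in set(established) | set(old_spi):
        times = sorted(established[tunnel])          # order by time, not by seq
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps) if gaps else None
        spis = [s for _, s in old_spi[tunnel]]
        report[tunnel] = {
            "establishments": len(times),
            "median_gap_s": median_gap,
            "old_spi_hits": len(spis),
            "repeated_spi": len(spis) != len(set(spis)),
            # Flapping: enough establishments, and they come faster than the threshold.
            "flapping": len(times) >= min_events
            and median_gap is not None
            and median_gap <= flap_interval_s,
        }
    return report


if __name__ == "__main__":
    for tunnel, stats in sorted(analyse(SAMPLE_LOG).items()):
        flag = "FLAPPING" if stats["flapping"] else "ok"
        print(f"{tunnel}: {flag} "
              f"establishments={stats['establishments']} median_gap={stats['median_gap_s']} "
              f"old_spi_hits={stats['old_spi_hits']} repeated_spi={stats['repeated_spi']}")
```

Run it on a full debug export rather than the sample and the verdict per tunnel separates a tunnel that merely rekeys on schedule (one establishment per lifetime, an occasional stale-SPI line) from one that is cycling every few seconds with the same SPI being reported again and again, which is the symptom described in this post.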


  • alexey

    Hello all.

    Today it started again on 1 site after it was shut down. After power on, IPsec connects/disconnects every 10 seconds without traffic. Only changing the main VPN gateway helps.

    The ZW1100 started writing very large debug logs in the last 2 days.

    Attaching it.


  • Zyxel_Cooldia (Zyxel Employee)

    Hi @alexey

    I will contact you via private message to clarify this issue.

  • alexey

    Today 1 more VTI tunnel stopped working.

  • alexey

    At this moment we have 3 dead VTI interfaces in 8 VTI trunks, each with 2 VTI connections.

    The connection is established, but it can't check the connection and marks the interface as dead.

    At the central site we use a USG1100 with V4.33(AAPK.0)ITS-WK12-2019-04-12-190300744; at the other sites a USG1100 with V4.33(AAPK.0) and 2 USG20W-VPN with V4.33(ABAR.0) & V4.32(ABAR.0). On the old USG1000 the firmware is 3.30(AQV.7)ITS-WK28-r72114.

  • alexey

    I started collecting packets on the same VTI interfaces on both USG1100s.

    All packets from the central ZW fail with the error "no response seen".

    From the other ZW1100, there are "no response seen" records and answers to the main ZW.


  • alexey

    Today 1 site stopped working again.

    We are waiting for a solution; it's not cool to change the GW or ZW IP manually.
