loss of packets within a VPN ipsec tunnel

noc_aba

Hello

I've a couple of ATP500 (5.40 firmware) perfectly connected to Internet. A site to site IPSEC VPN established between the two ATP500, that has worked fine for months. Today there is a significat loss of packet when a host from site A pings an host on site B, and viceversa. The Internet traffic is not affected at all. We have tried everything, the problem remains.

If we establish a VPN to each of them, from other ATP firewalsl, there is no packet loss.

Any hint ?

regards

Paolo

Zyxel_Judy

Hi @noc_aba ,

To better understand the issue, could you share the ping results when pinging from a host on site A to a host on site B, and vice versa?

noc_aba

Hi Judy

192.168.12.1 lan interface atp500 B, 192.168.1.100 lan interface of atp500 A

VPN site-to-site is between 192.168.1.0/24 and 192.168.12.0/24.

Problem appeared suddenly yesterday morning after months of normal working.

pls find below a ping isuued this morning on atp500 A

Router# ping 192.168.12.1 source 192.168.1.100 forever
PING 192.168.12.1 (192.168.12.1) from 192.168.1.100 : 56(84) bytes of data.
64 bytes from 192.168.12.1: icmp_seq=1 ttl=63 time=28.1 ms
64 bytes from 192.168.12.1: icmp_seq=2 ttl=63 time=27.6 ms
64 bytes from 192.168.12.1: icmp_seq=3 ttl=63 time=28.2 ms
64 bytes from 192.168.12.1: icmp_seq=5 ttl=63 time=28.1 ms
64 bytes from 192.168.12.1: icmp_seq=6 ttl=63 time=27.8 ms
64 bytes from 192.168.12.1: icmp_seq=8 ttl=63 time=94.7 ms
64 bytes from 192.168.12.1: icmp_seq=9 ttl=63 time=28.4 ms
64 bytes from 192.168.12.1: icmp_seq=12 ttl=63 time=27.8 ms
64 bytes from 192.168.12.1: icmp_seq=15 ttl=63 time=27.8 ms
64 bytes from 192.168.12.1: icmp_seq=16 ttl=63 time=28.2 ms
64 bytes from 192.168.12.1: icmp_seq=17 ttl=63 time=28.0 ms
64 bytes from 192.168.12.1: icmp_seq=18 ttl=63 time=28.3 ms
^C
--- 192.168.12.1 ping statistics ---
18 packets transmitted, 12 received, 33% packet loss, time 17016ms
rtt min/avg/max/mdev = 27.616/33.628/94.755/18.432 ms
Router#

noc_aba

and viceversa

Password:
Router# ping 192.168.1.100 source 192.168.12.1 forever
PING 192.168.1.100 (192.168.1.100) from 192.168.12.1 : 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=63 time=28.4 ms
64 bytes from 192.168.1.100: icmp_seq=5 ttl=63 time=28.2 ms
64 bytes from 192.168.1.100: icmp_seq=6 ttl=63 time=28.4 ms
64 bytes from 192.168.1.100: icmp_seq=7 ttl=63 time=28.2 ms
64 bytes from 192.168.1.100: icmp_seq=8 ttl=63 time=27.8 ms
64 bytes from 192.168.1.100: icmp_seq=9 ttl=63 time=28.5 ms
64 bytes from 192.168.1.100: icmp_seq=10 ttl=63 time=28.2 ms
64 bytes from 192.168.1.100: icmp_seq=11 ttl=63 time=34.1 ms
64 bytes from 192.168.1.100: icmp_seq=12 ttl=63 time=27.7 ms
64 bytes from 192.168.1.100: icmp_seq=13 ttl=63 time=27.8 ms
64 bytes from 192.168.1.100: icmp_seq=15 ttl=63 time=30.1 ms
64 bytes from 192.168.1.100: icmp_seq=17 ttl=63 time=28.4 ms
^C
--- 192.168.1.100 ping statistics ---
19 packets transmitted, 12 received, 36% packet loss, time 18050ms
rtt min/avg/max/mdev = 27.784/28.870/34.185/1.703 ms
Router#

noc_aba

I forgot to say ATP500 is behind NAT. And I read on the release notes 5.40 (page 10):

"Not support site to site VPN behind NAT scenario both in On-Premises mode and On-Cloud mode".

However, for three days with 5.40, there were no problem in the VPN tunnel.

PeterUK

Do both ends not have subnets the other end have?

noc_aba

hello

I sai above:

VPN site-to-site is between 192.168.1.0/24 (site A) and 192.168.12.0/24 (site B)

PeterUK

So like site B does not have 192.168.1.0/24 on any of its interfaces?

if Anomaly Detection and Prevention (ADP) is enabled try disabling

noc_aba

disablig ADP does not solve the problem

PeterUK

can you do the following by SSH on both ATP and post what they show

show interface all

the following will show any interface disabled

show interface vlan

show interface ethernet