L2TP VPN disconnects on Android Phone in 2mins

PeterUK
PeterUK Posts: 3,331  Guru Member
100 Answers 2500 Comments Friend Collector Seventh Anniversary
edited April 2021 in Security

ZyWALL 110 V4.33(AAAA.0)ITS-WK30-r89425

I'm sure this used to be stable. The setup is fine: the VPN connects and traffic goes down the VPN, but only for 2mins, then it disconnects.

Edit I'm back with bad news

So I rolled back the firmware...which was painful to do.

tried

4.33(AAAA.0)

then

V4.30(AAAA.0)

then!

V4.25(AAAA.1)C0

and ONLY then was the VPN stable, but this firmware has the MAC not set on reboot bug so maybe that's the reason?

I got

425AAAA1ITS-WK33-2017-08-24-170800167

to test which I think has the MAC problem fixed and if the VPN works stable on them.

Edit2

Tested 425AAAA1ITS-WK33-2017-08-24-170800167 that has the set interface MAC on reboot bug fixed and the VPN is stable so the problem happened between.

425AAAA1ITS-WK33-2017-08-24-170800167

and

V4.30(AAAA.0)


Comments

  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary

    Hi PeterUK, just a suggestion if you are using L2TP over IPSEC for these mobile devices, to stop it logging out.

    For L2TP, what we do for our clients is set the l2tp-over-ipsec keepalive timer to the maximum of 180 secs.

    Router> show l2tp-over-ipsec
    L2TP over IPSec:
     activate     : yes
     crypto      : vpn_connection_testremote_l2tp
     address pool   : test_remote_vpn_l2tp_subpool
     authentication  : default
     certificate    : default
     user       : test_local_vpn_users
     keepalive timer  : 180
     first dns server : 10.236.119.1
     second dns server : 
     first wins server : 
     second wins server:
    

    As you probably know, but for the benefit of others, simply set it via the CLI as:

    Router> configure terminal
    Router(config)# l2tp-over-ipsec keepalive-timer 180
    Router(config)# exit
    


    Worth a try, mate.

    HTH

    Warwick

    Hong Kong

  • PeterUK

    Thanks for the suggestion. I changed the keepalive timer in the GUI to 180 but it did not help.

  • warwickt

    Hi Pete, ah ok .. worth a try ..?


    w

  • PeterUK

    If anything a lower value would make it stable, so I tried 30, but same thing: it disconnects around 2mins.

    My Android Phone has version 7 with security patch level 5 December 2017.

  • PeterUK

    Well, things got worse. I tried a VPN on Windows 10: all is fine on 425AAAA1ITS-WK33-2017-08-24-170800167, but go to 4.33(AAAA.0) and it disconnects in 2mins!

  • PeterUK
    edited September 2019

    Ok not sure if this is a bug or not but I had in User/Group.

    vpn1 with

    lease time to 2mins

    and reauthentication time to 1440mins

    If I change lease time to 1440mins, same as reauthentication, it will stay up past 2mins.

    If I change lease time to 2mins and reauthentication to 1min, it only stays up for 1min.

    So should the reauthentication extend the lease time when the device is connected?

    I'm going to do some tests with how V4.25(AAAA.1)ITS-WK33-2017-08-24-170800167 handles lease time and reauthentication but even then it might have a bug because its lease time is 2mins and reauthentication time is 1440mins which makes no sense.

    edit

    Ok so going by the help file reauthentication is how long the user can stay logged in for before needing to reconnect and lease time is the time the device has to renew the current session to stay connected? So that would mean there is a bug in the V4.33 that the device renews in 2mins but ZyWALL disconnects the device instead?

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,511  Zyxel Employee
    Zyxel Certified Network Administrator - Security Zyxel Certified Sales Associate 100 Answers 1000 Comments

    Hi @PeterUK

    The one with a smaller value will be disconnected first in L2TP scenario.

    In L2TP scenario, either timer will force the L2TP VPN to disconnect when it expires. It will depend on which timer expires first. However, in web authentication scenario, both timers will have different purposes.

    Web authentication:

    Lease time: It will disconnect the users, however, users can renew the timer by themselves.

    Reauth timer: It will force to logout users when the timer expires.

  • PeterUK

    "Lease time: It will disconnect the users, however, users can renew the timer by themselves."

    Yes, in SSL VPN with it set to 2mins it renews fine, but with L2TP VPN it disconnects when set to 2mins with V4.33(AAAA.0)ITS-WK30-r89425, yet with 425AAAA1ITS-WK33-2017-08-24-170800167 it renews fine when set to 2mins.

  • Zyxel_Cooldia

    Hi @PeterUK

    Thanks for the information. I did the test on V4.33WK30 and V4.25WK33 to compare the behavior difference between both versions.

    The V4.33 is correct. In V4.25, no matter what value you set on lease time, it will auto renew every 30 seconds.

  • PeterUK

    So it's a bug in V4.33 for L2TP VPN?
