VPN IPsec site-to-site and L2TP stop working when a few SSL VPN sessions are up
Hi,
The configuration is updated as you advised,
but still the same problem: the L2TP/IPsec client can't connect when there are more than 2 (two) SSL VPN client sessions.
For me, it seems like the authentication process is not working properly in that condition. In the log I see "tunnel is built successfully", but nothing about permission granted or refused for that L2TP user, and the tunnel is destroyed. Log below:
17 | 2020-04-30 09:34:27 | info | IKE | Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] is disconnected | 46.170.5.146:500 | 87.204.80.201:4500 | IKE_LOG
18 | 2020-04-30 09:34:27 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b | 46.170.5.146:500 | 87.204.80.201:4500 | IKE_LOG
19 | 2020-04-30 09:34:26 | info | IKE | ISAKMP SA [L2TP_VPN] is disconnected | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
20 | 2020-04-30 09:34:26 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
21 | 2020-04-30 09:34:26 | info | IKE | Received delete notification | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
22 | 2020-04-30 09:34:26 | info | IKE | Recv:[HASH][DEL] [count=2] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
23 | 2020-04-30 09:34:26 | info | IKE | The cookie pair is : 0x5d705e072f143e8b / 0x9aa9c3c4e02ffe38 [count=3] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
46 | 2020-04-30 09:33:51 | info | IKE | Dynamic Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] built successfully | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
47 | 2020-04-30 09:33:51 | info | IKE | [ESP 3des-cbc|hmac-sha1-96][SPI 0x4724e8e5|0x9cbfcf34][Lifetime 3620] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
48 | 2020-04-30 09:33:51 | info | IKE | [Policy: ipv4(udp:1701,46.170.5.146)-ipv4(udp:1701,192.168.55.100)] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
49 | 2020-04-30 09:33:51 | info | IKE | [Responder:46.170.5.146][Initiator:87.204.80.201] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
50 | 2020-04-30 09:33:51 | info | IKE | Recv:[HASH] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
51 | 2020-04-30 09:33:51 | info | IKE | Send:[HASH][SA][NONCE][ID][ID][PRV][PRV] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
52 | 2020-04-30 09:33:51 | info | IKE | Recv TSi: ipv4(udp:1701,192.168.55.100), TSr: ipv4(udp:1701,46.170.5.146). | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
53 | 2020-04-30 09:33:51 | info | IKE | Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 128, HMAC-SHA1-96, No ESN, 3DES, DES; ). | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
54 | 2020-04-30 09:33:51 | info | IKE | Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
55 | 2020-04-30 09:33:51 | info | IKE | Phase 1 IKE SA process done | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
56 | 2020-04-30 09:33:51 | info | IKE | Send:[ID][HASH] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
57 | 2020-04-30 09:33:51 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b [count=7] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
58 | 2020-04-30 09:33:51 | info | IKE | Recv:[ID][HASH] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
59 | 2020-04-30 09:33:51 | info | IKE | The cookie pair is : 0x5d705e072f143e8b / 0x9aa9c3c4e02ffe38 [count=3] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
61 | 2020-04-30 09:33:50 | info | IKE | Send:[KE][NONCE][PRV][PRV] | 46.170.5.146:500 | 87.204.80.201:500 | IKE_LOG
63 | 2020-04-30 09:33:50 | info | IKE | Recv:[KE][NONCE][PRV][PRV] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
64 | 2020-04-30 09:33:50 | info | IKE | Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID] | 46.170.5.146:500 | 87.204.80.201:500 | IKE_LOG
65 | 2020-04-30 09:33:50 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b [count=2] | 46.170.5.146:500 | 87.204.80.201:500 | IKE_LOG
66 | 2020-04-30 09:33:50 | info | IKE | Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ). | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
67 | 2020-04-30 09:33:50 | info | IKE | Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
68 | 2020-04-30 09:33:50 | info | IKE | The cookie pair is : 0x5d705e072f143e8b / 0x9aa9c3c4e02ffe38 [count=2] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
69 | 2020-04-30 09:33:50 | info | IKE | Recv Main Mode request from [87.204.80.201] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
70 | 2020-04-30 09:33:50 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x0000000000000000 | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
And when 2 (two) or fewer SSL clients are up, everything works perfectly.
0 -
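An added example, not part of the original post and not Zyxel code: a Python check that pairs each "built successfully" entry with the matching "is disconnected" entry and reports how long the IPsec tunnel lived and whether the remote peer sent the delete notification. The sample lines are constructed from the log in the post in an assumed `time | message | source | destination` layout, and the function names and the 60-second `short_after` threshold are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: entries taken from the log in the post, rewritten in an
# assumed "time | message | source | destination" layout, oldest first.
SAMPLE_LOG = """\
2020-04-30 09:33:51 | Phase 1 IKE SA process done | 46.170.5.146:4500 | 87.204.80.201:4500
2020-04-30 09:33:51 | Dynamic Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] built successfully | 46.170.5.146:4500 | 87.204.80.201:4500
2020-04-30 09:34:26 | Received delete notification | 87.204.80.201:4500 | 46.170.5.146:4500
2020-04-30 09:34:26 | ISAKMP SA [L2TP_VPN] is disconnected | 46.170.5.146:4500 | 87.204.80.201:4500
2020-04-30 09:34:27 | Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] is disconnected | 46.170.5.146:500 | 87.204.80.201:4500
"""

TUNNEL_RE = re.compile(
    r"Tunnel \[(?P<name>[^\]]+)\] (?P<event>built successfully|is disconnected)")

def parse_entries(text):
    # Keep the IP address (not the port) of each side; ports change with NAT-T.
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 4:
            continue  # skip anything that is not a complete entry
        when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        entries.append({"time": when, "msg": parts[1],
                        "src": parts[2].rsplit(":", 1)[0],
                        "dst": parts[3].rsplit(":", 1)[0]})
    return sorted(entries, key=lambda e: e["time"])

def tunnel_lifetimes(entries, short_after=60):
    built, deletes, report = {}, [], []
    for e in entries:
        if e["msg"].startswith("Received delete notification"):
            deletes.append(e)
        m = TUNNEL_RE.search(e["msg"])
        if m and m["event"] == "built successfully":
            built[m["name"]] = e
        elif m and m["name"] in built:
            start = built.pop(m["name"])
            secs = int((e["time"] - start["time"]).total_seconds())
            report.append({
                "tunnel": m["name"], "peer": start["dst"], "seconds": secs,
                # did the remote peer ask for the teardown while the tunnel was up?
                "closed_by_peer": any(
                    d["src"] == start["dst"] and d["time"] >= start["time"]
                    for d in deletes),
                "short_lived": secs < short_after,  # threshold is arbitrary
            })
    return report
```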
Hi @CMruk
Is there any router in front of ZyWALL 310?
After checking the log, it seems like the ZyWALL 310 is behind a router.
If the ZyWALL 310 is behind NAT, the Local Policy setting here needs to be set to the WAN IP of the router.
Go to Configuration > VPN > IPSec VPN > VPN connection
Double click the “L2TP_VPN” to edit the rule.
Here is a related discussion of behind-NAT settings:
https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall
0 -
Hello, I already wrote this before: both devices are connected directly to the ISP device in transparent bridge mode, there is not any NAT at either end.
0 -
Hi @CMruk
Can we have remote access to the device and build up the tunnel to the device to check why this symptom happens on your device, since we can’t see the same symptom in our lab?
0 -
Hello @Zyxel_Jerry
Yes, I can provide remote access. Please send me a PM with details and I will prepare remote access.
0