[NEBULA] Non-Nebula Peer and NSG200 IPSec disconnects constantly

Lukasz Posts: 10
edited April 2021 in Nebula

Hi,

My topology:

NSG200 as a VPN HUB, WAN IP 87.204.6.145


Non-Nebula Peer - Cyberoam CR10iNG, WAN IP 89.174.29.30

On the Cyberoam side I have the same settings:

The problem is that the IPSec tunnel establishes and disconnects constantly.

Based on logs it looks like NSG200 requests to delete Phase 2 after it is established successfully.

"packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 733"

I have tried many different settings combinations with no positive result.


NSG200 log:

Time | Category | Source | Destination | Message
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH]
2020-03-31 22:29:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:29:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][DEL]
2020-03-31 22:29:34 | vpn | 89.174.29.30 | 87.204.6.145 | The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][DEL] [count=3]
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x08862f3a] is disconnected
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | The cookie pair is : 0x3f398bf0ca51ef3a / 0x77760d390a63455f [count=10]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x45112ed4] built successfully
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | [ESP aes-cbc|hmac-sha256-128][SPI 0x8c3556db|0x45112ed4][PFS:DH2][Lifetime 79200]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | [Policy: ipv4(200.126.100.0-200.126.100.255)-ipv4(192.168.105.0-192.168.105.255)]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | [Initiator:87.204.6.145][Responder:89.174.29.30]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH]
2020-03-31 22:30:04 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:04 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][DEL]
2020-03-31 22:30:04 | vpn | 89.174.29.30 | 87.204.6.145 | The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][DEL] [count=3]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x5e3e39eb] is disconnected
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | The cookie pair is : 0x3f398bf0ca51ef3a / 0x77760d390a63455f [count=10]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x6e03fedb] built successfully
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | [ESP aes-cbc|hmac-sha256-128][SPI 0xe69fafbe|0x6e03fedb][PFS:DH2][Lifetime 73440]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | [Policy: ipv4(200.126.100.0-200.126.100.255)-ipv4(192.168.105.0-192.168.105.255)]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | [Initiator:87.204.6.145][Responder:89.174.29.30]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH]
2020-03-31 22:30:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][DEL]
2020-03-31 22:30:34 | vpn | 89.174.29.30 | 87.204.6.145 | The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][DEL] [count=3]


Cyberoam log:

Time | Module | Status | - | Message | Message ID
2020-03-31 22:31:03 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:31:03 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 737 | 17879
2020-03-31 22:30:34 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:34 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 001fc8b2 | 17867
2020-03-31 22:30:33 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:33 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 736 | 17879
2020-03-31 22:30:04 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:04 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 9aa54957 | 17867
2020-03-31 22:30:03 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:03 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 735 | 17879
2020-03-31 22:29:34 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:34 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 532a03d6 | 17867
2020-03-31 22:29:33 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:33 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 734 | 17879
2020-03-31 22:29:04 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:04 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 711b1f87 | 17867
2020-03-31 22:29:03 | IPSec | TERMINATED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:03 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 733 | 17879
2020-03-31 22:28:34 | IPSec | ESTABLISHED | - | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:28:34 | IPSec | SUCCESSFUL | - | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 0666b0d4 | 17867

Comments

  • Zyxel_Jonas Posts: 313  Zyxel Employee

    Hi @Lukasz,

    Thanks for the screenshots and information.

    Could you provide the organization/site name and activate Zyxel Support (located at HELP - Support request), so I could have the privilege to check the current status?

    Thanks,

    Jonas

    Jonas,
  • Lukasz Posts: 10

    Hi Jonas,


    APCOA_PL/WAW_CONTROL_ROOM

    The Zyxel Support is active now.


    Lukasz

  • Zyxel_Jonas Posts: 313  Zyxel Employee

    Hi @Lukasz ,

    I appreciate the privilege. As I've checked, the VPN for Non-Nebula Peer - Cyberoam CR10iNG, WAN IP 89.174.29.30 was disabled; would it be convenient to enable the VPN connection, so I could check more detailed information?

    Jonas,

  • Lukasz Posts: 10

    Hi Jonas,


    Both sites are now enabled.

    Lukasz

  • Zyxel_Jonas Posts: 313  Zyxel Employee
    edited April 2020

    Hi @Lukasz ,

    Thanks for the support.

    Firstly, I would like to inform you that NSG has a connectivity-check mechanism, every 30 seconds by default, which uses ping to verify that the peer is reachable.

    Based on the logs, I've found that Site: POZ-Lawica is always disconnecting every 30 seconds; I then made a test by deactivating our connectivity check via CLI (SSH), and the VPN connection to POZ-Lawica became stable.

    Please help to verify whether allow ping is activated on site POZ-Lawica. If not, please activate allow ping and verify the VPN connection.


    Jonas~

  • Lukasz Posts: 10

    Jonas,

    There is no ICMP blockade on site POZ-Lawica, on either the LAN or the WAN interface.

    Also, in case the tunnel is established for 30 sec, I should be able to ping from POZ-Lawica to NSG within this time window, shouldn't I?

    Lukasz

  • Zyxel_Jonas Posts: 313  Zyxel Employee
    edited April 2020

    Hi @Lukasz ,

    Thanks for the information, it's clearer now.

    Also in case the tunnel is established for 30 sec I should be able to ping from POZ-Lawica to NSG within this time window, shouldn't I ?

    In general, yes, but based on the current status, the VPN connection can be established but you won't be able to ping, because I assume that the problem is related to routing.

    Please help to verify whether there is a policy route configured on the non-Nebula device POZ-Lawica, with destination 200.126.100.1, to the tunnel. Because 200.126.100.1 (NSG lan2) is doing the connectivity check, a policy route must be created for the connection to be established successfully.

    Note: NSG doesn't need a policy route configured, because NSG itself will automatically create the policy route to the tunnel.


    Jonas

  • Lukasz Posts: 10
    Jonas,

    It was verified: there is no ICMP block, and the policy route is configured. Unfortunately the tunnel was not stable. But we just closed the site POZ-Lawica for now.

    But I have the same issue with the next non-Nebula peer (ELEKTR_POWISLE). Exactly the same symptoms.

    I'm wondering if I can switch off the connectivity-check mechanism permanently for the tunnels with the same issue?


  • Zyxel_Jonas Posts: 313  Zyxel Employee
    Hi @Lukasz,

    Thanks for the update about the VPN status from site POZ-Lawica.
    For the site ELEKTR_POWISLE, please help to access the NSG via SSH and input the command <show sa monitor>, as in the figure below.
    You may observe the UpTime; if the connection does not exceed 30 seconds, it means that the non-Nebula peer is not reachable, and you may verify whether there is an ICMP block and a policy route rule configured in the non-Nebula peer.
    Reminder: Switching off the connectivity-check mechanism doesn't mean the VPN connection could be established.



    Jonas,
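A log check for the symptom discussed in this thread, added here as an example (it is not code from the thread or from Zyxel): it parses Cyberoam-style IPSec log lines, pairs each "established" with the following "terminated" for the same connection, and flags connections that the peer keeps tearing down after an uptime just under the NSG 30-second connectivity-check interval. The sample lines are constructed from the entries quoted in the thread; the field layout (timestamp, status, message) and the function names are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the Cyberoam log layout (timestamp, status, message), newest first
# as the thread lists it; timestamps and messages are the ones quoted in the thread.
SAMPLE_LOG = """\
2020-03-31 22:30:33 TERMINATED IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated.
2020-03-31 22:30:33 SUCCESSFUL packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 736
2020-03-31 22:30:04 ESTABLISHED IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established.
2020-03-31 22:30:03 TERMINATED IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated.
2020-03-31 22:30:03 SUCCESSFUL packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 735
2020-03-31 22:29:34 ESTABLISHED IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established.
"""

LINE_RE = re.compile(r"^(\S+ \S+) \w+ (.*)$")
CONN_RE = re.compile(r"IPSec Connection (\S+) .* (established|terminated)\.$")
DEL_RE = re.compile(r": (\S+) SA-MGT: Peer requested to delete Phase-2 SA")

def parse(log):
    """(timestamp, connection, kind) events oldest first; a peer-delete notice sorts
    before the termination logged in the same second so it is attributed correctly."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        c, d = CONN_RE.search(m.group(2)), DEL_RE.search(m.group(2))
        if c:
            events.append((ts, c.group(1), c.group(2)))
        elif d:
            events.append((ts, d.group(1), "peer_delete"))
    return sorted(events, key=lambda e: (e[0], e[2] != "peer_delete"))

def lifetimes(log):
    """Pair each 'established' with the next 'terminated' of the same connection:
    (connection, seconds up, whether the peer requested the Phase-2 delete)."""
    up, peer_del, out = {}, set(), []
    for ts, conn, kind in parse(log):
        if kind == "established":
            up[conn] = ts
        elif kind == "peer_delete":
            peer_del.add(conn)
        elif conn in up:  # terminated; skip a termination with no matching establish
            out.append((conn, int((ts - up.pop(conn)).total_seconds()), conn in peer_del))
            peer_del.discard(conn)
    return out

def flapping_connections(log, check_interval=30, tolerance=2, min_cycles=2):
    """Flag connections the peer tears down repeatedly with a median uptime within
    `tolerance` seconds of the connectivity-check interval (the thread's signature)."""
    rows = {}
    for conn, secs, peer in lifetimes(log):
        rows.setdefault(conn, []).append((secs, peer))
    return {conn: {"cycles": len(r), "median_uptime_s": median(s for s, _ in r)}
            for conn, r in rows.items() if len(r) >= min_cycles
            and all(p for _, p in r)
            and abs(median(s for s, _ in r) - check_interval) <= tolerance}
```

A connection flagged this way is not proven to have an ICMP block or a missing policy route on the peer, but it is the pattern to check those two things for, as the thread advises.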
