Trouble with failover IPsec VPN on reconnect to second gw
We have an issue on some (not all) sites between ZW USG 1100 & ZW USG 1000.
Failover IPsec VPN over 2 different providers.
After the main provider fails, the VPN tunnel reconnects via the 2nd provider and the tunnel is established, but the site on the ZW 1000 isn't available.
The VPN reconnects every 6-10 seconds.
The debug log on the ZW 1100 has some strange lines:
ESP packet SPI: xxxxxxxxxx: SEQ: xx, execute rule: ret_rl:10, ret_re: 1
SPI: xxxxxxxxxx (xxxxxxxxxx) SEQ: 0x24 (xx) No rule found, Dropping ESP packet. ret=1, step=11
Dropping packet. ret=1, step=11
The source is the IP of the 2nd provider on the ZW 1000, but the destination is the IP of the 1st provider on the ZW 1100.
The debug log on the ZW 1000 is clear.
We have around 20 identical instances, but the problem is on only 2, in more than a year of use.
The settings are identical; the only differences are the VPN LAN, the providers' IPs & the IPsec authentication.
We tried to look for the problem on the providers' side, but they give an L2 VLAN without any modification of traffic.
What can the problem be?
All Replies
-
Hi @alexey,
Do both USG1100 and ZyWALL USG 1000 have two wan connections in the scenario of VPN failover?
Can you share the configuration files of these two sites with us?
I'd like to check the configurations and run some tests.
0 -
Hi,
I have a similar problem, the IPsec VPN is dropping packets, but with no failover. What did you do in your case?
IPSec Dropping packet. ret=1, step=11
IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping TCP packet. ret=1, step=11
IPSec Dropping packet. ret=1, step=11
IPSec SPI: 0x0 (0) SEQ: 0x0 (0) No rule found, Dropping UDP packet. ret=1, step=11
Thanks,
Davy
0 -
Hi @IT_Field_Support .
It's an old topic for our problem. The new is
If you have 2 providers, and your problem is the same as ours: Zyxel support simply created 1 security rule to block the ESP service between both VPN LANs.
For some understanding reason, one VPN tries to route via the second VPN provider. But blocking this in policy control resolved our problem.
I hope this helps you.
0 -
Thanks Alex, but I think my problem is different, I just created a new post in the forum.
All the best,
Davy
0