[NEBULA] Non-Nebula Peer and NSG200 IPSec disconnects constantly
Hi,
My topology:
NSG200 as a VPN HUB, WAN IP 87.204.6.145
Non-Nebula Peer - Cyberoam CR10iNG, WAN IP 89.174.29.30
On the Cyberoam side I have the same settings:
The problem is that the IPSec tunnel establishes and disconnects constantly.
Based on the logs, it looks like the NSG200 requests deletion of Phase 2 after it is established successfully.
"packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 733"
I have tried many different settings combinations with no positive results.
NSG200 log:
Time | Category | Source | Destination | Message
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH]
2020-03-31 22:29:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:29:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][DEL]
2020-03-31 22:29:34 | vpn | 89.174.29.30 | 87.204.6.145 | The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][DEL] [count=3]
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x08862f3a] is disconnected
2020-03-31 22:29:34 | vpn | 87.204.6.145 | 89.174.29.30 | The cookie pair is : 0x3f398bf0ca51ef3a / 0x77760d390a63455f [count=10]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x45112ed4] built successfully
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | [ESP aes-cbc|hmac-sha256-128][SPI 0x8c3556db|0x45112ed4][PFS:DH2][Lifetime 79200]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | [Policy: ipv4(200.126.100.0-200.126.100.255)-ipv4(192.168.105.0-192.168.105.255)]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | [Initiator:87.204.6.145][Responder:89.174.29.30]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH]
2020-03-31 22:30:04 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:04 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][DEL]
2020-03-31 22:30:04 | vpn | 89.174.29.30 | 87.204.6.145 | The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][DEL] [count=3]
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x5e3e39eb] is disconnected
2020-03-31 22:30:04 | vpn | 87.204.6.145 | 89.174.29.30 | The cookie pair is : 0x3f398bf0ca51ef3a / 0x77760d390a63455f [count=10]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Tunnel [POZ-Lawica:POZ-Lawica:0x6e03fedb] built successfully
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | [ESP aes-cbc|hmac-sha256-128][SPI 0xe69fafbe|0x6e03fedb][PFS:DH2][Lifetime 73440]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | [Policy: ipv4(200.126.100.0-200.126.100.255)-ipv4(192.168.105.0-192.168.105.255)]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | [Initiator:87.204.6.145][Responder:89.174.29.30]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH]
2020-03-31 22:30:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][SA][NONCE][KE][ID][ID]
2020-03-31 22:30:34 | vpn | 89.174.29.30 | 87.204.6.145 | Recv:[HASH][DEL]
2020-03-31 22:30:34 | vpn | 89.174.29.30 | 87.204.6.145 | The cookie pair is : 0x77760d390a63455f / 0x3f398bf0ca51ef3a [count=2]
2020-03-31 22:30:34 | vpn | 87.204.6.145 | 89.174.29.30 | Send:[HASH][DEL] [count=3]
Cyberoam log:
Time | Component | Status | Message | ID
2020-03-31 22:31:03 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:31:03 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 737 | 17879
2020-03-31 22:30:34 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:34 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 001fc8b2 | 17867
2020-03-31 22:30:33 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:33 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 736 | 17879
2020-03-31 22:30:04 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:04 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 9aa54957 | 17867
2020-03-31 22:30:03 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:03 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 735 | 17879
2020-03-31 22:29:34 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:34 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 532a03d6 | 17867
2020-03-31 22:29:33 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:33 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 734 | 17879
2020-03-31 22:29:04 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:04 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 711b1f87 | 17867
2020-03-31 22:29:03 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:03 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 733 | 17879
2020-03-31 22:28:34 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:28:34 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 0666b0d4 | 17867
Comments
Hi @Lukasz,
Thanks for the screenshots and information.
Could you provide the organization/site name and activate Zyxel Support (located at HELP - Support request), so that I have the privilege to check the current status?
Thanks,
Jonas
Hi Jonas,
APCOA_PL/WAW_CONTROL_ROOM
The Zyxel Support is active now.
Lukasz
Hi @Lukasz ,
Appreciate for the privilege, as I've checked the VPN for Non-Nebula Peer - Cyberoam CR10iNG, WAN IP 89.174.29.30 was disabled, is it convenient to enable the VPN connection, so I could check more detail information?
Jonas,
Jonas,0 -
Hi Jonas,
Both sites are now enabled.
Lukasz
Hi @Lukasz ,
Thanks for the support.
Firstly, I would like to inform you that the NSG has a connectivity-check mechanism that runs every 30 seconds by default and uses ping to verify whether the peer is reachable.
Based on the logs, I found that site POZ-Lawica is always disconnecting every 30 seconds, so I made a test by deactivating our connectivity check via CLI (SSH), and the VPN connection to POZ-Lawica became stable.
Please verify whether allow-ping is activated on site POZ-Lawica. If not, please activate allow-ping and verify the VPN connection.
Jonas~
Jonas,
There is no ICMP block on site POZ-Lawica, on either the LAN or the WAN interface.
Also, in case the tunnel is established for 30 sec, I should be able to ping from POZ-Lawica to the NSG within this time window, shouldn't I?
Lukasz
Hi @Lukasz ,
Thanks for the information, it's clearer now.
"Also, in case the tunnel is established for 30 sec, I should be able to ping from POZ-Lawica to the NSG within this time window, shouldn't I?"
In general, yes, but based on the current status, the VPN connection can be established but you won't be able to ping, because I assume that the problem is related to routing.
Please verify whether there is a policy route configured on the non-Nebula device POZ-Lawica with destination 200.126.100.1 to the tunnel. Because 200.126.100.1 (NSG lan2) is doing the connectivity check, a policy route must be created for the connection to be established successfully.
Note: the NSG doesn't need a policy route configured, because the NSG itself automatically creates a policy route to the tunnel.
Jonas
Jonas,
It was verified: there is no ICMP block, and the policy route is configured. Unfortunately the tunnel was not stable. But we have just closed the site POZ-Lawica for now.
I have the same issue with the next non-Nebula peer (ELEKTR_POWISLE). Exactly the same symptoms.
I'm wondering if I can switch off the connectivity mechanism permanently for the tunnels with the same issue?
Hi @Lukasz,
Thanks for the update about the VPN status from site POZ-Lawica.
For the site ELEKTR_POWISLE, please access the NSG via SSH and enter the command <show sa monitor> as in the figure below.
Observe the UpTime: if the connection doesn't exceed 30 seconds, it means that the non-Nebula peer is not reachable, and you should verify whether there is an ICMP block and whether a policy route rule is configured on the non-Nebula peer.
Reminder: switching off the connectivity-check mechanism doesn't mean the VPN connection can be established.
Jonas
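A log-side check for the pattern described in this thread (a Phase-2 SA that is re-established every 30 seconds and deleted at the peer's request each time, never reaching the 30-second UpTime mentioned above), written as an added example for this page; it is not code from Zyxel, Cyberoam or either poster. It assumes the Cyberoam entries are given one per line as "timestamp | component | status | message | id" (the columns of the log quoted in the post), newest first as the log viewer shows them; the sample below is constructed from the entries in the post, cut down to three cycles. The 30-second period (the NSG connectivity-check default quoted by Jonas), the 1-second clock skew allowance and the three-cycle window are the example's own parameters, not values from either vendor. A tunnel whose last three SAs each lived at most about 30 s and were all torn down by the peer is reported as the connectivity-check flap; a stable tunnel, or one the local side tears down, gets a different verdict so the two causes are not confused.

```python
"""Detect a flapping IPsec Phase-2 SA in Cyberoam-style VPN log entries.

Added example for this thread, not Zyxel or Cyberoam code. It assumes one entry
per line as "timestamp | component | status | message | id" (the columns of the
Cyberoam log quoted in the post), listed newest first as in the log viewer.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample: the CR10iNG entries quoted in the post, cut down to the
# three cycles between 22:29:04 and 22:30:33 (the others repeat the pattern).
CYBEROAM_LOG = """\
2020-03-31 22:30:33 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:33 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 736 | 17879
2020-03-31 22:30:04 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:30:04 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 EST-P2: Responding to a Phase-2 establishment request with message id 9aa54957 | 17867
2020-03-31 22:30:03 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:30:03 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 735 | 17879
2020-03-31 22:29:34 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
2020-03-31 22:29:33 | IPSec | TERMINATED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 terminated. | 17802
2020-03-31 22:29:33 | IPSec | SUCCESSFUL | packet from 87.204.6.145:500: Control_Room-1 SA-MGT: Peer requested to delete Phase-2 SA. Deleting IPSEC state 734 | 17879
2020-03-31 22:29:04 | IPSec | ESTABLISHED | IPSec Connection Control_Room-1 between 192.168.105.0/24 and 200.126.100.0/24 established. | 17801
"""

CONN_RE = re.compile(r"IPSec Connection (\S+) between ")
PEER_DELETE_RE = re.compile(r"packet from ([\d.]+):\d+: (\S+) SA-MGT: Peer requested to delete Phase-2 SA")

@dataclass
class SaLife:
    """One Phase-2 SA, from ESTABLISHED to TERMINATED."""
    established: datetime
    terminated: datetime
    deleted_by: Optional[str]  # peer IP that requested the delete, None if torn down locally

    @property
    def seconds(self) -> float:
        return (self.terminated - self.established).total_seconds()

def parse_log(text: str) -> list:
    """Return (timestamp, status, message) tuples in chronological order."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) != 5:
            continue  # blank or malformed line
        entries.append((datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S"), parts[2], parts[3]))
    if len(entries) > 1 and entries[0][0] > entries[-1][0]:
        entries.reverse()  # the viewer lists newest first
    return entries

def sa_lifetimes(entries: list, skew: float = 1.0) -> dict:
    """Pair each ESTABLISHED with the next TERMINATED per connection name; a peer
    delete notice within `skew` seconds of the TERMINATED entry names the peer."""
    lives, open_at, last_delete = {}, {}, {}  # last_delete: name -> (ts, peer ip)
    for ts, status, message in entries:
        m = PEER_DELETE_RE.search(message)
        if m:
            last_delete[m.group(2)] = (ts, m.group(1))
            continue
        m = CONN_RE.search(message)
        if not m:
            continue  # e.g. the EST-P2 "Responding to a Phase-2 establishment request" line
        name = m.group(1)
        if status == "ESTABLISHED":
            open_at[name] = ts
        elif status == "TERMINATED" and name in open_at:
            deleted_by = None
            if name in last_delete and abs((ts - last_delete[name][0]).total_seconds()) <= skew:
                deleted_by = last_delete[name][1]
            lives.setdefault(name, []).append(SaLife(open_at.pop(name), ts, deleted_by))
    return lives

def diagnose(hist: list, period: float = 30.0, slack: float = 2.0, min_cycles: int = 3) -> str:
    """'flapping-peer-delete': the last `min_cycles` SAs each lived at most
    period+slack seconds and the peer deleted every one, which is what a peer whose
    connectivity check fails every `period` seconds (NSG default: 30 s) looks like
    from this side. Short-lived SAs torn down locally are reported separately."""
    if len(hist) < min_cycles:
        return "insufficient-data"
    recent = hist[-min_cycles:]
    if not all(sa.seconds <= period + slack for sa in recent):
        return "stable"
    return "flapping-peer-delete" if all(sa.deleted_by for sa in recent) else "flapping-local-delete"

def report(text: str) -> dict:
    """Per-connection summary: SA lifetimes, re-establishment interval, deleting peer, verdict."""
    out = {}
    for name, hist in sa_lifetimes(parse_log(text)).items():
        gaps = [(b.established - a.established).total_seconds() for a, b in zip(hist, hist[1:])]
        out[name] = {"cycles": len(hist),
                     "lifetimes_s": [sa.seconds for sa in hist],
                     "reestablish_every_s": sum(gaps) / len(gaps) if gaps else None,
                     "deleted_by": sorted({sa.deleted_by for sa in hist if sa.deleted_by}),
                     "verdict": diagnose(hist)}
    return out

if __name__ == "__main__":
    for name, summary in report(CYBEROAM_LOG).items():
        print(name, summary)
```

On the sample this reports three 29-second SAs for Control_Room-1, re-established every 30 seconds, all deleted by 87.204.6.145, verdict "flapping-peer-delete", i.e. the remote hub is tearing the SA down on a fixed 30-second cadence rather than the tunnel failing on its own. Adjust `period` to whatever keepalive or DPD interval the peer actually runs, and compare the log-derived lifetime with the live UpTime from <show sa monitor>: the two should agree.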