VPN IPsec site-to-site and L2TP stop working when a few SSL VPN sessions are up


All Replies

  • CMruk
    CMruk Posts: 14  Freshman Member
    edited May 2020
    Hi,
    The configuration is updated as you advised,

    but still the same problem: the L2TP/IPsec client can't connect when there are more than 2 (two) SSL VPN client sessions.

    To me, it seems like the authentication process is not working properly in that condition. In the log I see "tunnel is build successful", but nothing about permission granted or refused for that L2TP user, and the tunnel is destroyed. Log below:

    17 | 2020-04-30 09:34:27 | info | IKE | Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] is disconnected | 46.170.5.146:500 | 87.204.80.201:4500 | IKE_LOG
    18 | 2020-04-30 09:34:27 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b | 46.170.5.146:500 | 87.204.80.201:4500 | IKE_LOG
    19 | 2020-04-30 09:34:26 | info | IKE | ISAKMP SA [L2TP_VPN] is disconnected | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    20 | 2020-04-30 09:34:26 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    21 | 2020-04-30 09:34:26 | info | IKE | Received delete notification | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    22 | 2020-04-30 09:34:26 | info | IKE | Recv:[HASH][DEL] [count=2] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    23 | 2020-04-30 09:34:26 | info | IKE | The cookie pair is : 0x5d705e072f143e8b / 0x9aa9c3c4e02ffe38 [count=3] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    46 | 2020-04-30 09:33:51 | info | IKE | Dynamic Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] built successfully | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    47 | 2020-04-30 09:33:51 | info | IKE | [ESP 3des-cbc|hmac-sha1-96][SPI 0x4724e8e5|0x9cbfcf34][Lifetime 3620] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    48 | 2020-04-30 09:33:51 | info | IKE | [Policy: ipv4(udp:1701,46.170.5.146)-ipv4(udp:1701,192.168.55.100)] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    49 | 2020-04-30 09:33:51 | info | IKE | [Responder:46.170.5.146][Initiator:87.204.80.201] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    50 | 2020-04-30 09:33:51 | info | IKE | Recv:[HASH] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    51 | 2020-04-30 09:33:51 | info | IKE | Send:[HASH][SA][NONCE][ID][ID][PRV][PRV] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    52 | 2020-04-30 09:33:51 | info | IKE | Recv TSi: ipv4(udp:1701,192.168.55.100), TSr: ipv4(udp:1701,46.170.5.146). | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    53 | 2020-04-30 09:33:51 | info | IKE | Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 128, HMAC-SHA1-96, No ESN, 3DES, DES; ). | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    54 | 2020-04-30 09:33:51 | info | IKE | Recv:[HASH][SA][NONCE][ID][ID][PRV][PRV] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    55 | 2020-04-30 09:33:51 | info | IKE | Phase 1 IKE SA process done | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    56 | 2020-04-30 09:33:51 | info | IKE | Send:[ID][HASH] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    57 | 2020-04-30 09:33:51 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b [count=7] | 46.170.5.146:4500 | 87.204.80.201:4500 | IKE_LOG
    58 | 2020-04-30 09:33:51 | info | IKE | Recv:[ID][HASH] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    59 | 2020-04-30 09:33:51 | info | IKE | The cookie pair is : 0x5d705e072f143e8b / 0x9aa9c3c4e02ffe38 [count=3] | 87.204.80.201:4500 | 46.170.5.146:4500 | IKE_LOG
    61 | 2020-04-30 09:33:50 | info | IKE | Send:[KE][NONCE][PRV][PRV] | 46.170.5.146:500 | 87.204.80.201:500 | IKE_LOG
    63 | 2020-04-30 09:33:50 | info | IKE | Recv:[KE][NONCE][PRV][PRV] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
    64 | 2020-04-30 09:33:50 | info | IKE | Send:[SA][VID][VID][VID][VID][VID][VID][VID][VID][VID] | 46.170.5.146:500 | 87.204.80.201:500 | IKE_LOG
    65 | 2020-04-30 09:33:50 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x5d705e072f143e8b [count=2] | 46.170.5.146:500 | 87.204.80.201:500 | IKE_LOG
    66 | 2020-04-30 09:33:50 | info | IKE | Recv IKE sa: SA([0] protocol = IKE (1), AES CBC key len = 256, HMAC-SHA1 PRF, HMAC-SHA1-96, 384 bit ECP, AES CBC key len = 128, 256 bit ECP, 2048 bit MODP, 3DES, 1024 bit MODP; ). | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
    67 | 2020-04-30 09:33:50 | info | IKE | Recv:[SA][VID][VID][VID][VID][VID][VID][VID][VID] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
    68 | 2020-04-30 09:33:50 | info | IKE | The cookie pair is : 0x5d705e072f143e8b / 0x9aa9c3c4e02ffe38 [count=2] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
    69 | 2020-04-30 09:33:50 | info | IKE | Recv Main Mode request from [87.204.80.201] | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG
    70 | 2020-04-30 09:33:50 | info | IKE | The cookie pair is : 0x9aa9c3c4e02ffe38 / 0x0000000000000000 | 87.204.80.201:500 | 46.170.5.146:500 | IKE_LOG


    And when 2 (two) or fewer SSL clients are up, everything works perfectly.
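
As an added example (not part of the original posts and not Zyxel tooling), the Python below reduces six rows copied from the log above to the facts that matter when a tunnel builds and then drops: whether IKE moved from port 500 to 4500, whether the L2TP traffic-selector address differs from the peer's IKE address, who sent the delete, and how long the tunnel stayed up. The function name `summarize` and the tuple layout are assumptions made for this example.

```python
import re
from datetime import datetime

# (time, message, source, destination) rows copied from the log in the post above.
ROWS = [
    ("2020-04-30 09:33:50", "Recv Main Mode request from [87.204.80.201]",
     "87.204.80.201:500", "46.170.5.146:500"),
    ("2020-04-30 09:33:51", "Phase 1 IKE SA process done",
     "46.170.5.146:4500", "87.204.80.201:4500"),
    ("2020-04-30 09:33:51",
     "Recv TSi: ipv4(udp:1701,192.168.55.100), TSr: ipv4(udp:1701,46.170.5.146).",
     "87.204.80.201:4500", "46.170.5.146:4500"),
    ("2020-04-30 09:33:51", "Dynamic Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] built successfully",
     "46.170.5.146:4500", "87.204.80.201:4500"),
    ("2020-04-30 09:34:26", "Received delete notification",
     "87.204.80.201:4500", "46.170.5.146:4500"),
    ("2020-04-30 09:34:27", "Tunnel [L2TP_VPN:L2TP_VPN:0x9cbfcf34] is disconnected",
     "46.170.5.146:500", "87.204.80.201:4500"),
]

def summarize(rows):
    """Build a short timeline summary from IKE log rows (hypothetical helper)."""
    peer = ts_addr = built = deleted = delete_from = None
    ports = set()
    for ts, msg, src, _dst in sorted(rows):          # oldest row first
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        host, port = src.rsplit(":", 1)
        ports.add(int(port))
        if m := re.search(r"Recv Main Mode request from \[([\d.]+)\]", msg):
            peer = m.group(1)                        # address the IKE request came from
        if m := re.search(r"TSi: ipv4\(udp:1701,([\d.]+)\)", msg):
            ts_addr = m.group(1)                     # address the initiator claims for L2TP
        if "built successfully" in msg:
            built = when
        if msg.startswith("Received delete notification"):
            deleted, delete_from = when, host
    return {
        "nat_t_port_float": {500, 4500} <= ports,    # IKE seen on both 500 and 4500
        "ts_differs_from_peer": ts_addr is not None and ts_addr != peer,
        "delete_sent_by_peer": delete_from is not None and delete_from == peer,
        "seconds_up": int((deleted - built).total_seconds()) if built and deleted else None,
    }

if __name__ == "__main__":
    print(summarize(ROWS))
```
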



  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee

    Hi @CMruk

    Is there any router in front of ZyWALL 310?

    After checking the log, it seems like the ZyWALL 310 is behind a router.

    If the ZyWALL 310 is behind NAT, the Local Policy setting here needs to be set to the WAN IP of the router.

    Go to Configuration > VPN > IPSec VPN > VPN connection

    Double click the “L2TP_VPN” to edit the rule.

     


     

    Here is a related discussion of behind-NAT settings:

    https://businessforum.zyxel.com/discussion/878/usg-110-l2tp-vpn-behind-companion-nat-firewall


  • CMruk
    CMruk Posts: 14  Freshman Member
    Hello, I already wrote this before: both devices are connected directly to the ISP device in transparent bridge mode; there is no NAT at either end.

  • Zyxel_Jerry
    Zyxel_Jerry Posts: 1,298  Zyxel Employee

    Hi @CMruk


    Can we have remote access to the device and build up a tunnel to it to check why this symptom happens on your device, since we can't see the same symptom in our lab?


  • CMruk
    CMruk Posts: 14  Freshman Member
    Hello @Zyxel_Jerry
    Yes, I can provide remote access. Please send me a PM with details and I will prepare remote access.
