Why does it take more than 20 seconds to connect to IKEv2 VPN?
I have a ZyWALL 310.
I have two VPNs (L2TP and IKEv2) configured with Active Directory authentication.
The client is Windows 10. I connect to L2TP in 7 seconds, but it takes more than 20 seconds to connect to IKEv2. Where could the mistake be?
Can it have anything to do with the following "Sending auth packet" message in the debug log?
2020-10-13 10:48:20 debug Authentication Server Get user login info. server name: ZyXELad, MAC:00:00:00:0E:00:00
2020-10-13 10:48:20 debug IKE dequeue request: 0x12c8dbcc
2020-10-13 10:48:17 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=9, #retransmits=2
2020-10-13 10:48:12 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=5, #retransmits=1
2020-10-13 10:48:11 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=1, #retransmits=0
2020-10-13 10:48:11 debug IKE Initiator SPI ba83b919 cec5e088 Responder SPI c97a420b b32588ee
2020-10-13 10:48:11 debug IKE IKE SA destroyed:
2020-10-13 10:48:11 debug IKE dequeue request: 0x12c9dfdc
2020-10-13 10:48:09 debug IKE Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=5, #retransmits=1
2020-10-13 10:48:08 debug IKE Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=1, #retransmits=0
2020-10-13 10:48:08 debug IKE dequeue request: 0x12c8dbcc
2020-10-13 10:48:08 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=9, #retransmits=2
2020-10-13 10:48:03 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=5, #retransmits=1
2020-10-13 10:48:02 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=1, #retransmits=0
2020-10-13 10:48:02 debug IKE dequeue request: 0x12ca61f4
2020-10-13 10:48:02 debug IKE Sending auth packet: req: 0x12ca61f4, server=127.0.0.1:1812, code: 1, id=33, timeout=1, #retransmits=0
All Replies
-
Hi @Kv3,
Go to CONFIGURATION > System > DNS > Domain Zone Forwarder.
Add a DNS domain zone forwarder to speed up the AD authentication.
Enter your domain zone. In this example, the domain zone is usg.com and the IP address of AD server is 192.168.1.34.
If the AD server is placed on the Internet, just enter the public IP address of the AD server.
-
Hi Emily
Thanks for the reply, but the DNS server has been set in the Domain Zone Forwarder from the beginning.
According to the captured packets, the ZyWALL communicates with AD almost from the beginning of the connection. It seems to me that the ZyWALL has asked the AD server several times in a row for the same things, always after a "dequeue request".
What does "Sending auth packet: req: 0x12c9dfdc, server = 127.0.0.1: 1812, code: 1, id = 219, timeout = 5, # retransmits = 1" mean?
Port 1812 is a RADIUS server, but I do verify against AD. I do not have a RADIUS server set up.
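To measure how much of the connection time is spent on the retransmissions visible in the debug log, the following added example (not part of the original thread and not Zyxel tooling) groups the "Sending auth packet" lines by request handle and packet id and reports the retransmit count and the time between the first and last send. It assumes the log format exactly as pasted in the question; the function name `summarize_auth_exchanges` is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the debug log pasted in the question (newest line first).
SAMPLE_LOG = """\
2020-10-13 10:48:20 debug IKE dequeue request: 0x12c8dbcc
2020-10-13 10:48:17 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=9, #retransmits=2
2020-10-13 10:48:12 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=5, #retransmits=1
2020-10-13 10:48:11 debug IKE Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=1, #retransmits=0
2020-10-13 10:48:09 debug IKE Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=5, #retransmits=1
2020-10-13 10:48:08 debug IKE Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=1, #retransmits=0
2020-10-13 10:48:02 debug IKE Sending auth packet: req: 0x12ca61f4, server=127.0.0.1:1812, code: 1, id=33, timeout=1, #retransmits=0
"""

SEND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) debug IKE Sending auth packet: "
    r"req: (?P<req>0x[0-9a-f]+), server=(?P<server>[\d.]+:\d+), code: (?P<code>\d+), "
    r"id=(?P<id>\d+), timeout=(?P<timeout>\d+), #retransmits=(?P<retx>\d+)$"
)

def summarize_auth_exchanges(log_text):
    """Group send lines by (req, id); report retransmits and seconds spent resending."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = SEND_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            groups[(m["req"], int(m["id"]))].append((ts, int(m["retx"]), m["server"]))
    summary = []
    for (req, pkt_id), sends in groups.items():
        sends.sort()  # the log is newest-first; put each exchange in time order
        summary.append({
            "req": req, "id": pkt_id, "server": sends[0][2],
            "sends": len(sends),
            "max_retransmits": max(retx for _, retx, _ in sends),
            "seconds_first_to_last_send": int((sends[-1][0] - sends[0][0]).total_seconds()),
        })
    summary.sort(key=lambda e: e["seconds_first_to_last_send"], reverse=True)
    return summary

if __name__ == "__main__":
    for entry in summarize_auth_exchanges(SAMPLE_LOG):
        print(entry)
```

Run over the full debug log of one connection attempt, the entries at the top of the output show which authentication exchanges were resent and for how long, which can be compared with the overall 20-second connect time.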