Why does it take more than 20 seconds to connect to IKEv2 VPN?

Kv3 Posts: 10  Freshman Member
edited April 2021 in Security
I have a zywall 310.
I have two VPNs (L2TP and IKEv2) configured with Active Directory authentication.
The client is Windows 10. I will connect to L2TP in 7 seconds, but it will take more than 20 seconds to connect to IKEv2. Where can there be a mistake?

Can it have anything to do with the following "Sending auth packet" message in the debug log?

2020-10-13 10:48:20    debug    Authentication Server    Get user login info. server name: ZyXELad, MAC:00:00:00:0E:00:00
2020-10-13 10:48:20    debug    IKE    dequeue request: 0x12c8dbcc
2020-10-13 10:48:17    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=9, #retransmits=2
2020-10-13 10:48:12    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=5, #retransmits=1
2020-10-13 10:48:11    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=1, #retransmits=0
2020-10-13 10:48:11    debug    IKE    Initiator SPI ba83b919 cec5e088 Responder SPI c97a420b b32588ee
2020-10-13 10:48:11    debug    IKE    IKE SA destroyed:
2020-10-13 10:48:11    debug    IKE    dequeue request: 0x12c9dfdc
2020-10-13 10:48:09    debug    IKE    Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=5, #retransmits=1
2020-10-13 10:48:08    debug    IKE    Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=1, #retransmits=0
2020-10-13 10:48:08    debug    IKE    dequeue request: 0x12c8dbcc
2020-10-13 10:48:08    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=9, #retransmits=2
2020-10-13 10:48:03    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=5, #retransmits=1
2020-10-13 10:48:02    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=1, #retransmits=0
2020-10-13 10:48:02    debug    IKE    dequeue request: 0x12ca61f4
2020-10-13 10:48:02    debug    IKE    Sending auth packet: req: 0x12ca61f4, server=127.0.0.1:1812, code: 1, id=33, timeout=1, #retransmits=0

All Replies

  • Zyxel_Emily Posts: 1,315  Zyxel Employee
    Hi @Kv3,
    Go to CONFIGURATION > System > DNS > Domain Zone Forwarder.
    Add a DNS domain zone forwarder to speed up the AD authentication.
    Enter your domain zone. In this example, the domain zone is usg.com and the IP address of the AD server is 192.168.1.34.
    If the AD server is placed on the Internet, just enter the public IP address of the AD server.

  • Kv3 Posts: 10  Freshman Member
    Hi Emily,
    Thanks for the reply, but the DNS server has been set in the Domain Zone Forwarder from the beginning.
    According to the captured packets, zywall communicates with AD almost from the beginning of the connection.
    It seems to me that zywall has asked the AD server several times in a row for the same things, always after a "dequeue request".

    What does "Sending auth packet: req: 0x12c9dfdc, server = 127.0.0.1: 1812, code: 1, id = 219, timeout = 5, # retransmits = 1" mean?

    Port 1812 is a RADIUS server, but I do verify against AD. I do not have a RADIUS server set up.
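To put numbers on the retransmit pattern in that debug log, here is an added example (not from the thread or from Zyxel) that parses the "Sending auth packet" and "dequeue request" lines and reports, per RADIUS request, how many retransmits it took and how many seconds the IKE daemon waited. It assumes the line layout exactly as pasted above and that a "dequeue request" line marks the end of an exchange for that request pointer.

```python
import re
from datetime import datetime
# Constructed sample: the thread's own debug lines, newest first as the Zyxel GUI lists them.
SAMPLE_LOG = """\
2020-10-13 10:48:20    debug    IKE    dequeue request: 0x12c8dbcc
2020-10-13 10:48:17    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=9, #retransmits=2
2020-10-13 10:48:12    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=5, #retransmits=1
2020-10-13 10:48:11    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=250, timeout=1, #retransmits=0
2020-10-13 10:48:11    debug    IKE    dequeue request: 0x12c9dfdc
2020-10-13 10:48:09    debug    IKE    Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=5, #retransmits=1
2020-10-13 10:48:08    debug    IKE    Sending auth packet: req: 0x12c9dfdc, server=127.0.0.1:1812, code: 1, id=219, timeout=1, #retransmits=0
2020-10-13 10:48:08    debug    IKE    dequeue request: 0x12c8dbcc
2020-10-13 10:48:08    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=9, #retransmits=2
2020-10-13 10:48:03    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=5, #retransmits=1
2020-10-13 10:48:02    debug    IKE    Sending auth packet: req: 0x12c8dbcc, server=127.0.0.1:1812, code: 1, id=222, timeout=1, #retransmits=0
2020-10-13 10:48:02    debug    IKE    dequeue request: 0x12ca61f4
2020-10-13 10:48:02    debug    IKE    Sending auth packet: req: 0x12ca61f4, server=127.0.0.1:1812, code: 1, id=33, timeout=1, #retransmits=0
"""

SEND = re.compile(r"^(\S+ \S+)\s+debug\s+IKE\s+Sending auth packet: req: (0x[0-9a-f]+),.*?id=(\d+),.*?#retransmits=(\d+)")
DEQUEUE = re.compile(r"^(\S+ \S+)\s+debug\s+IKE\s+dequeue request: (0x[0-9a-f]+)")

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def radius_exchanges(log: str) -> list[dict]:
    """One record per RADIUS request (req pointer + RADIUS id): first send time,
    retransmit count, and seconds until the matching 'dequeue request' line.
    Assumption: 'dequeue request' marks the end of that exchange (a reply or a give-up)."""
    lines = [l for l in log.splitlines() if l.strip()][::-1]  # chronological order
    pending: dict[str, dict] = {}  # req pointer -> record still waiting for its dequeue
    done: list[dict] = []
    for line in lines:
        if m := SEND.match(line):
            ts, req, rid, retrans = m.groups()
            rec = pending.get(req)
            if rec is None or rec["id"] != int(rid):  # pointer reused for a new RADIUS id
                rec = pending[req] = {"req": req, "id": int(rid), "first_sent": _ts(ts), "retransmits": 0}
            rec["retransmits"] = max(rec["retransmits"], int(retrans))
        elif m := DEQUEUE.match(line):
            ts, req = m.groups()
            if (rec := pending.pop(req, None)) is not None:
                rec["wait_seconds"] = int((_ts(ts) - rec["first_sent"]).total_seconds())
                done.append(rec)
    return done

def total_auth_wait(log: str) -> int:
    """Seconds the IKE daemon spent waiting on the loopback RADIUS/AD path, summed over all requests."""
    return sum(r["wait_seconds"] for r in radius_exchanges(log))
```

On the pasted log this yields four exchanges with 0, 2, 1 and 2 retransmits, waiting 0, 6, 3 and 9 seconds respectively, so roughly 18 of the 20-plus seconds are spent on the internal RADIUS leg of the AD lookup rather than on IKEv2 itself.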