Multiple S2S VPNs with AWS can't be established after internet break

Wojtas
Wojtas Posts: 49  Freshman Member
edited April 2021 in Security
Hi, 

I have a strange issue with a USG110 and a USG210. I have two locations, one with the 210 and one with the 110; each of them has 6 S2S VPN connections to AWS (IKEv2, AES256 and DH18 in both phases), and everything works fine until we get some trouble with the internet connection. If the internet connection breaks for a while, the tunnels can't be established again. I have to log in to the USG, deactivate all VTIs, and activate them one by one. (SA lifetimes are default, and the same for all tunnels.)

What can I do to solve the issue? Why can't the tunnels be established by themselves?

All Replies

  • mMontana
    mMontana Posts: 1,298  Guru Member
    edited April 2021
    What are the logs on your USGs saying?
    Did you enable DPD detection on both sides (AWS and USGs)?
    Are any of your tunnels checking connectivity?
    Which side is "calling" and which one is "waiting"?
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    edited April 2021
    I don't see a DPD option for IKEv2 in Zyxel (only for IKEv1).
    All tunnels have connectivity checks enabled.
    After the internet break AWS is the initiator; in the logs I found:

        Recv Main Mode request from [<AWS IP>]

    Just now I disabled IKEv1 and all weaker encryption algorithms to reduce negotiation time in AWS.

    Do you think that could have been the reason (AWS sent a Main Mode request (IKEv1), but the USG had only IKEv2 configured)?
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee

    Hi @Wojtas,

    After configuring IKEv2 for the AWS VPN, does that symptom still exist?

    Looks like after the connection break the AWS VPN wants to initiate using IKEv1 mode.

    Best regards.

  • Wojtas
    Wojtas Posts: 49  Freshman Member
    It's hard to say, I am waiting for the next internet breakdown :) but for now it's looking promising.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    The problem occurred again just now. I found in the logs that DPD is closing the connection even when the tunnels have been established for a while.

    I need to use IKEv2 for S2S VPN, but on USG devices there is no possibility to configure DPD behavior and timeouts. I found that the default timeout for USG is 15 seconds and the default behavior is clear (shuts down the IKE SA).

    But I can configure DPD in AWS, and the options are:

    Dead peer detection (DPD) timeout: The duration, in seconds, after which DPD timeout occurs. You can specify 30 or higher. Default: 30

    DPD timeout action:

    Clear: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
    None: Take no action when DPD timeout occurs
    Restart: Restart the IKE session when DPD timeout occurs

    Default: Clear

    Startup action: The action to take when establishing the tunnel for a VPN connection. You can specify the following:
    Start: AWS initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.
    Add: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.

    Default: Add

    Maybe I should change the DPD timeout action to restart, what do you think? I don't understand why the USG gets "PEER is dead"?!?
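An added example, not posted by anyone in this thread: a small Python script that scans USG-style IKE log lines for the two symptoms discussed above, an IKEv1 Main Mode request arriving from a peer the USG only accepts IKEv2 from, and a DPD "peer is dead" event that neither side follows with a new IKE_SA_INIT within a grace window (so the tunnel stays down until someone re-initiates). The timestamp layout, the IKE_SA_INIT and DPD message wording, the sample lines and the IP addresses are all constructed assumptions; only the "Recv Main Mode request from [...]" line comes from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of USG-style IKE log lines (layout and most wording
# assumed; only "Recv Main Mode request from [...]" is from the thread).
SAMPLE_LOG = """\
2021-04-10 08:00:01 Recv Main Mode request from [198.51.100.7]
2021-04-10 08:00:02 Recv IKE_SA_INIT request from [198.51.100.8]
2021-04-10 08:00:03 Tunnel [aws-2] established
2021-04-10 08:05:00 DPD: peer [198.51.100.8] is dead, clearing IKE SA
2021-04-10 08:05:20 Send IKE_SA_INIT request to [198.51.100.8]
2021-04-10 08:05:21 Tunnel [aws-2] established
2021-04-10 08:30:00 DPD: peer [198.51.100.7] is dead, clearing IKE SA
2021-04-10 08:45:00 Tunnel [aws-2] established
"""

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_log(text):
    """Return a list of (timestamp, message, peer_ip_or_None) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a timestamp
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        peer = PEER_RE.search(msg)
        events.append((ts, msg, peer.group(1) if peer else None))
    return events


def analyze(events, ikev2_only_peers, reinit_window=timedelta(seconds=60)):
    """Flag peers that (a) send IKEv1 Main Mode although the USG policy for
    them is IKEv2-only, and (b) are declared dead by DPD without any
    IKE_SA_INIT towards/from them inside reinit_window (nobody re-initiates)."""
    report = {"ikev1_mismatch": set(), "stuck_after_dpd": set()}
    for i, (ts, msg, peer) in enumerate(events):
        if peer is None:
            continue
        if "Main Mode request" in msg and peer in ikev2_only_peers:
            report["ikev1_mismatch"].add(peer)
        if "is dead" in msg:
            reinit = any(
                p == peer and "IKE_SA_INIT" in m and t - ts <= reinit_window
                for t, m, p in events[i + 1:]
            )
            if not reinit:
                report["stuck_after_dpd"].add(peer)
    return report
```

Run it as `analyze(parse_log(SAMPLE_LOG), {"198.51.100.7", "198.51.100.8"})`; a peer listed under both keys is the pattern from this thread, a tunnel that never came back after an outage.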




  • mMontana
    mMontana Posts: 1,298  Guru Member
    I'd suggest you use restart, if you're willing to try.
  • Wojtas
    Wojtas Posts: 49  Freshman Member
    I already changed it, and now I am waiting for a maintenance window to simulate an internet break.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @Wojtas,

    In our labs we tested that behavior; it automatically connects.

    Can you make sure that you have checked the Nailed-Up and Enable Connectivity Check checkboxes for your VPN connection?
    Configuration > VPN > IPSec VPN > VPN Connection

  • Wojtas
    Wojtas Posts: 49  Freshman Member
    Hi @Zyxel_Can

    Really sorry for the late answer. I checked, and I had the connectivity check enabled, but the Nailed-Up option was disabled. I enabled it just now.
  • Zyxel_Can
    Zyxel_Can Posts: 342  Zyxel Employee
    Hi @Wojtas,

    Does it work now?
    Can tunnels establish again after enabling Nailed-Up?