Nebula tunnel gets rebuilt every 30 seconds
I have a strange situation: there is a site-2-site VPN between two sites (one Nebula NSG100 and a USGFLEX100W), and apparently the tunnel gets rebuilt every 30 seconds for some reason. Ping gets through without any loss, but I can't find the reason, and there is not much in the logs that would help.
Can anyone help me understand why this is happening? The lifetime is set to 86500 and 28800 respectively for the two IPSec phases.
6  2022-12-08 14:19:30  info  IKE  Tunnel [Gra:Gra:0x9fbb54a5] built successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
7  2022-12-08 14:19:30  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x09a8d03e|0x9fbb54a5][PFS:DH5][Lifetime 28820]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
8  2022-12-08 14:19:30  info  IKE  [Policy: ipv4(192.168.XXX.0-192.168.XXX.255)-ipv4(10.XXX.XXX.0-10.XXX.XXX.255)]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
9  2022-12-08 14:19:30  info  IKE  [Responder:176.XXX.XXX.XXX][Initiator:46.XXX.XXX.XXX]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
10  2022-12-08 14:19:30  info  IKE  Tunnel [Gra:Gra:0xf71d77ed] is disconnected [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
11  2022-12-08 14:19:29  info  IKE  Recv:[HASH]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
12  2022-12-08 14:19:29  info  IKE  Send:[HASH][SA][NONCE][KE][ID][ID][NOTIFY:RESPONDER_LIFETIME]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
13  2022-12-08 14:19:29  info  IKE  The cookie pair is : 0x274c050a4f1ae344 / 0x5c4b3fd130a8cab4 [count=8]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
14  2022-12-08 14:19:29  info  IKE  Recv TSi: ipv4(10.XXX.XXX.0-10.XXX.XXX.255), TSr: ipv4(192.168.XXX.0-192.168.XXX.255).  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
15  2022-12-08 14:19:29  info  IKE  Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 192, HMAC-SHA512-256, 1536 bit MODP, No ESN; ).  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
16  2022-12-08 14:19:29  info  IKE  Recv:[HASH][SA][NONCE][KE][ID][ID]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
17  2022-12-08 14:19:28  info  IKE  Recv:[HASH][DEL] [count=3]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
18  2022-12-08 14:19:28  info  IKE  The cookie pair is : 0x5c4b3fd130a8cab4 / 0x274c050a4f1ae344 [count=5]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
28  2022-12-08 14:19:03  info  IKE  Tunnel [Gra:Gra:0xf71d77ed] rekeyed successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
29  2022-12-08 14:19:03  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x4afb8355|0xf71d77ed][PFS:DH5][Lifetime 28820]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
31  2022-12-08 14:19:00  info  IKE  Tunnel [Gra:Gra:0x8fd268f1] built successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
32  2022-12-08 14:19:00  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x5742cb10|0x8fd268f1][PFS:DH5][Lifetime 25440]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
33  2022-12-08 14:19:00  info  IKE  [Initiator:176.XXX.XXX.XXX][Responder:46.XXX.XXX.XXX]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
34  2022-12-08 14:19:00  info  IKE  Send:[HASH][DEL] [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
36  2022-12-08 14:19:00  info  IKE  Tunnel [Gra:Gra:0x5742cb10] is disconnected  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
37  2022-12-08 14:19:00  info  IKE  Send:[HASH]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
38  2022-12-08 14:19:00  info  IKE  Tunnel [Gra:Gra:0x77e29d96] built successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
39  2022-12-08 14:19:00  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x21a1c8b7|0x77e29d96][PFS:DH5][Lifetime 28820]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
40  2022-12-08 14:19:00  info  IKE  [Policy: ipv4(192.168.XXX.0-192.168.XXX.255)-ipv4(10.XXX.XXX.0-10.XXX.XXX.255)] [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
41  2022-12-08 14:19:00  info  IKE  [Responder:176.XXX.XXX.XXX][Initiator:46.XXX.XXX.XXX] [count=2]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
42  2022-12-08 14:19:00  info  IKE  Send:[HASH][SA][NONCE][KE][ID][ID]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
44  2022-12-08 14:18:59  info  IKE  Recv:[HASH] [count=2]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
45  2022-12-08 14:18:59  info  IKE  Tunnel [Gra:Gra:0x8c5353a0] is disconnected [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
47  2022-12-08 14:18:59  info  IKE  Send:[HASH][SA][NONCE][KE][ID][ID][NOTIFY:RESPONDER_LIFETIME] [count=2]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
48  2022-12-08 14:18:59  info  IKE  The cookie pair is : 0x274c050a4f1ae344 / 0x5c4b3fd130a8cab4 [count=23]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
49  2022-12-08 14:18:59  info  IKE  Recv TSi: ipv4(10.XXX.XXX.0-10.XXX.XXX.255), TSr: ipv4(192.168.XXX.0-192.168.XXX.255). [count=2]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
50  2022-12-08 14:18:59  info  IKE  Recv IPSec sa: SA([0] protocol = ESP (3), spi_len = 4, spi = 0x00000000, AES CBC key len = 192, HMAC-SHA512-256, 1536 bit MODP, No ESN; ). [count=2]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
51  2022-12-08 14:18:59  info  IKE  Recv:[HASH][SA][NONCE][KE][ID][ID] [count=3]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
52  2022-12-08 14:18:58  info  IKE  Recv:[HASH][DEL] [count=3]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
53  2022-12-08 14:18:58  info  IKE  The cookie pair is : 0x5c4b3fd130a8cab4 / 0x274c050a4f1ae344 [count=8]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
63  2022-12-08 14:18:33  info  IKE  Tunnel [Gra:Gra:0x8c5353a0] rekeyed successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
64  2022-12-08 14:18:33  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x87d780d1|0x8c5353a0][PFS:DH5][Lifetime 28820]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
68  2022-12-08 14:18:30  info  IKE  Tunnel [Gra:Gra:0x17cce081] built successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
69  2022-12-08 14:18:30  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x7b4fca6a|0x17cce081][PFS:DH5][Lifetime 24480]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
70  2022-12-08 14:18:30  info  IKE  [Initiator:176.XXX.XXX.XXX][Responder:46.XXX.XXX.XXX]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
71  2022-12-08 14:18:30  info  IKE  Send:[HASH][DEL] [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
73  2022-12-08 14:18:30  info  IKE  Tunnel [Gra:Gra:0x7b4fca6a] is disconnected  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
74  2022-12-08 14:18:30  info  IKE  Send:[HASH]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
75  2022-12-08 14:18:30  info  IKE  Tunnel [Gra:Gra:0x71b22cd8] built successfully  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
76  2022-12-08 14:18:30  info  IKE  [ESP aes-cbc|hmac-sha512-256][SPI 0x81c93bbd|0x71b22cd8][PFS:DH5][Lifetime 28820]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
77  2022-12-08 14:18:30  info  IKE  [Policy: ipv4(192.168.XXX.0-192.168.XXX.255)-ipv4(10.XXX.XXX.0-10.XXX.XXX.255)] [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
78  2022-12-08 14:18:30  info  IKE  [Responder:176.XXX.XXX.XXX][Initiator:46.XXX.XXX.XXX] [count=2]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
79  2022-12-08 14:18:30  info  IKE  Send:[HASH][SA][NONCE][KE][ID][ID]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
80  2022-12-08 14:18:29  info  IKE  Recv:[HASH] [count=2]  46.XXX.XXX.XXX:500  176.XXX.XXX.XXX:500  IKE_LOG
82  2022-12-08 14:18:29  info  IKE  Tunnel [Gra:Gra:0x11326f7d] is disconnected [count=3]  176.XXX.XXX.XXX:500  46.XXX.XXX.XXX:500  IKE_LOG
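An added example, not part of the original post or of any Zyxel tooling: a small parser that compares how long each IPsec SA actually lived against the lifetime it negotiated, and measures the cadence of DELETE payloads received from the peer. The "time message" one-line input layout and all function names are assumptions; the sample entries are transcribed from the log in the post.

```python
import re
from datetime import datetime

# Constructed input: entries transcribed from the log in the post (time + message only).
SAMPLE = """\
2022-12-08 14:19:30 Tunnel [Gra:Gra:0x9fbb54a5] built successfully
2022-12-08 14:19:30 [ESP aes-cbc|hmac-sha512-256][SPI 0x09a8d03e|0x9fbb54a5][PFS:DH5][Lifetime 28820]
2022-12-08 14:19:30 Tunnel [Gra:Gra:0xf71d77ed] is disconnected [count=3]
2022-12-08 14:19:28 Recv:[HASH][DEL] [count=3]
2022-12-08 14:19:03 Tunnel [Gra:Gra:0xf71d77ed] rekeyed successfully
2022-12-08 14:19:03 [ESP aes-cbc|hmac-sha512-256][SPI 0x4afb8355|0xf71d77ed][PFS:DH5][Lifetime 28820]
2022-12-08 14:18:59 Tunnel [Gra:Gra:0x8c5353a0] is disconnected [count=3]
2022-12-08 14:18:58 Recv:[HASH][DEL] [count=3]
2022-12-08 14:18:33 Tunnel [Gra:Gra:0x8c5353a0] rekeyed successfully
2022-12-08 14:18:33 [ESP aes-cbc|hmac-sha512-256][SPI 0x87d780d1|0x8c5353a0][PFS:DH5][Lifetime 28820]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
TUNNEL = re.compile(r"Tunnel \[[^\]]*:(0x[0-9a-f]+)\] (built|rekeyed|is disconnected)")
# Assumption drawn from the sample: the second SPI of the pair is the one used in tunnel names.
ESP = re.compile(r"\[SPI 0x[0-9a-f]+\|(0x[0-9a-f]+)\].*\[Lifetime (\d+)\]")

def parse(text):
    """Return (timestamp, message) tuples, oldest first (the device lists newest first)."""
    rows = [(datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2])
            for m in map(LINE.match, text.splitlines()) if m]
    return sorted(reversed(rows), key=lambda r: r[0])  # stable sort keeps same-second order

def sa_lifetimes(events):
    """Map SPI -> (negotiated lifetime in s, seconds the SA lived before teardown)."""
    up, negotiated, result = {}, {}, {}
    for ts, msg in events:
        if (m := ESP.search(msg)):
            negotiated[m.group(1)] = int(m.group(2))
        if (m := TUNNEL.search(msg)):
            spi, what = m.groups()
            if what == "is disconnected" and spi in up:
                result[spi] = (negotiated.get(spi), int((ts - up.pop(spi)).total_seconds()))
            elif what != "is disconnected":
                up[spi] = ts
    return result

def peer_delete_intervals(events):
    """Seconds between consecutive DELETE payloads received from the peer."""
    dels = [ts for ts, msg in events if msg.startswith("Recv:[HASH][DEL]")]
    return [int((b - a).total_seconds()) for a, b in zip(dels, dels[1:])]

if __name__ == "__main__":
    ev = parse(SAMPLE)
    print(sa_lifetimes(ev), peer_delete_intervals(ev))
```

On the sample, both SAs are torn down within half a minute of being rekeyed despite a negotiated lifetime of 28820 seconds, so the rebuilds are not lifetime expiry.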
Accepted Solution
So with either 192.168.167.254/32 or 192.168.167.254/24, both settings will lead the tunnel to disconnect?
Could you please wait for 5 minutes to let the NCC refresh the information?
All Replies
Zyxel_Chris said: Hello @Peppino,
Please help to confirm if your private subnet IP is reachable.
Hi Chris,
Yes, as I said everything works fine, it's just that the tunnel gets rebuilt too frequently.

@Peppino,
Could you please activate Invite Zyxel support in Nebula (Help center > Support request) in order to check your device connection status? Also, please provide me your org./site name; you can either leave the information here or private message me.

@Peppino,
Please be aware that the peer site IP (private subnet) should be reachable. 192.168.167.0/24 is the subnet name, not the actual IP; please use the peer site LAN interface IP instead.

Hi Chris,
I may not fully understand you. So you're saying I should put the subnet interface IP here, without the /24? Or the other firewall's inside IP?

Oh I see now, the text is confusing, you may consider changing it to Connectivity Check IP address.. :-)
BTW, what shall I include in the "address" text box (the last one)? No explanation there for this.
Thanks for helping, Chris! :-)

Anyway, if I change the subnet to an IP that it could ping, the tunnel stops working, so it's not a solution unfortunately...

@Peppino,
For your first question, that column is the address in real life; please try 192.168.167.254/24.

Yep, but if I change it to that, the tunnel stops working. What should be the Address content - in the last text box?