VPN not working any more after reboot

StefanZ
edited February 29 in Security

I don't know what it is, but my Flex200 seems haunted!

It was up for 3 months and today I rebooted it and suddenly two VPNs are not working any more. That's especially "great" since it's the last day of the month and everyone needs to enter their hours for billing…

The two failing VPNs are IKEv2 with certs.

I have a 3rd, working one that is exactly like the failing ones, except a different cert.

The log only shows ONE difference:
The failing connections' phase 1 has one more [NOTIFY] than the successful one.
At least sometimes.

[INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY]

I also updated from V5.37(ABUI.1) to V5.37(ABUI.2).
No change.

There are also 4 static tunnels from my F50 to the F200 – disabling those does nothing.

The two failing connections even go to different IPs on different WANs – both worked up until the reboot.
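The payload comparison described in the post above (counting the [NOTIFY] payloads in the IKE_SA_INIT line of the working versus the failing connection) can be automated against a Graylog export. This is an added example, not code from the thread or from Zyxel; the log lines are constructed in the style of the quoted line, and the connection names are placeholders.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "[INIT] Recv:" line quoted in the thread.
# Format assumed: "<date> <time> <connection> [INIT] Recv: [PAYLOAD][PAYLOAD]..."
SAMPLE_LOG = """\
2024-02-29 09:12:01 vpn-good [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
2024-02-29 09:12:05 vpn-fail1 [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
2024-02-29 09:12:09 vpn-fail2 [INIT] Recv: [SA][KE][NONCE][NOTIFY][NOTIFY][NOTIFY][NOTIFY][NOTIFY]
2024-02-29 09:12:13 vpn-other [CHILD] Recv: [SA][NONCE]
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<conn>\S+) \[INIT\] Recv: (?P<payloads>(?:\[[A-Z_]+\])+)$"
)
PAYLOAD_RE = re.compile(r"\[([A-Z_]+)\]")


def parse_init_lines(text):
    """Map connection name -> ordered list of payload types in its IKE_SA_INIT reply.

    Only '[INIT] Recv:' lines are considered; other phases are ignored.
    """
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group("conn")] = PAYLOAD_RE.findall(m.group("payloads"))
    return result


def diff_payloads(baseline, candidate):
    """Return (extra, missing) payload counts of candidate relative to baseline."""
    b, c = Counter(baseline), Counter(candidate)
    return c - b, b - c


def flag_deviating(parsed, baseline_name):
    """Report every connection whose payload multiset differs from the known-good one."""
    base = parsed[baseline_name]
    report = {}
    for name, payloads in parsed.items():
        if name == baseline_name:
            continue
        extra, missing = diff_payloads(base, payloads)
        if extra or missing:
            report[name] = {"extra": dict(extra), "missing": dict(missing)}
    return report


if __name__ == "__main__":
    for conn, delta in flag_deviating(parse_init_lines(SAMPLE_LOG), "vpn-good").items():
        print(conn, delta)
```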


All Replies

  • PeterUK
    PeterUK Posts: 2,770  Guru Member

    Maybe test with Pre-Shared Key on both ends

  • StefanZ
    StefanZ Posts: 191  Master Member

    This is what Graylog receives in Debug Mode.
    (Yes, ending in "negotiation failed:" and then not following up with anything sure is cool)

  • StefanZ
    StefanZ Posts: 191  Master Member

    That won't help the VPN users, since they are not admins and get an OSX .mobileconfig file installed.

  • StefanZ
    StefanZ Posts: 191  Master Member

    I just compared the two config files:

    #1 is before reboot and update
    #2 is from after reboot and update

    They are the same file, no differences that are notable except the date and one setting I changed.

  • StefanZ
    StefanZ Posts: 191  Master Member

    Making new VPN gateways / connections fails with the same result.
    - I got a new DDNS for a free WAN IP
    - Made a new cert for the DDNS
    - New IKEv2 cert VPN gateway and connection

    Neither AES128 | SHA256 with DH2, DH14, DH21 (OSX pre-Sonoma)
    nor AES256 | SHA256 with DH19 (OSX Sonoma)
    manage to do anything beyond giving the same error.

    Message: Crypto operation failed (65539)

  • PeterUK
    PeterUK Posts: 2,770  Guru Member
    edited February 29

    I take it the cert is valid in date?

    Maybe an update on the client side OS has caused this? Can you test with Windows or StrongSwan?

  • StefanZ
    StefanZ Posts: 191  Master Member

    Yes they are.

    But I just realized:
    It's February 29th!

    What are the odds that might be the problem?

  • PeterUK
    PeterUK Posts: 2,770  Guru Member
    edited February 29

    Well, I tested here locally with a DDNS cert IKEv2 on FLEX200 in server role; it connects OK from Windows.

  • StefanZ
    StefanZ Posts: 191  Master Member

    Thanks for testing!

    I am not imagining this… 3 Months of nonstop working well (except having to add a new gateway for OSX Sonoma) and then on restart it all goes to crap…

    This is gonna be a "fun" weekend…

  • mMontana
    mMontana Posts: 1,304  Guru Member

    Coffee for @StefanZ
