Speeded up SA Life Time site to site local test tunnel drops does not reconnect
Guru Member
USG FLEX 200H V1.10(ABWV.1)
FLEX200H
custom
IKEv2
Interface ge3 WAN3
Peer Gateway Address 192.168.254.9
Pre-Shared Key
Phase 1 Settings
SA Life Time 300
AES128
SH1
DH2
Phase 2 Settings
Initiation Nailed-up
local 192.168.255.32/28
remote 192.168.252.0/23
SA Life Time 180
AES128
SH1
DH2
To speed up the problem I changed Phase 1 and 2 SA Life Time as 300 Phase 1 and 180 Phase 2 after some time the Tunnel drop when ping check on site to site USG60W side to 192.168.255.44 down the tunnel on VLAN47 on FLEX200H
When the tunnel is up disable site to site USG60W side for 1 minute then enable the FLEX200H does not reconnect when it is the nailed up side.
All Replies
-
Running a ping 192.168.252.1 then kicks the VPN to reconnect on FLEX200H guess its because protocol 50 and the FLEX200H sees no point when tunnel is lost but the other side is not nailed up so the only way for USG60W traffic to go down the tunnel when tunnel is lost is if the FLEX200H restarts the site to site when it has traffic to go down the tunnel.
Will do testing NATT and see how that behaves
0 -
So test with a NAT use USG60 so
FLEX200H > USG60 SNAT> USG60W
and FLEX dose not reconnect when you disable Site-to-site with Dynamic Peer for 1 minute unless traffic going to remote subnet happens on FLEX200H side and I when the tunnel is up I don't see NAT-keepalive packets.
also when the tunnel is up and I have USG60W ping down the tunnel over time the tunnel drops and will only connect when traffic form FLEX200H to the remote subnet happens.
0 -
Still problem for this in V1.20
The nailup in FLEX200H now reconnect in 60 seconds.
Remaining problem
With traffic only from USG60W ping Connectivity Check down tunnel to FLEX200H to a IP 192.168.255.43 for protocol 50 and NATT (each test) for 10 mins the tunnel drops reconnects in 60 seconds.
0 -
still a problem in SG FLEX 200H
V1.20(ABWV.0)
2024-04-18 14:10:29
ping every 5 seconds down the tunnel drop
0 -
here are the logs when the tunnel drops
0 -
The problem seems to be Phase 1 SA Life Time for renegotiation the manual says “temporarily disconnects the VPN tunnel” on a short time but I think there is more to it then that being the disconnect is upto 60 seconds should not disconnect that long.
With Phase 1 SA Life Time at 300 the tunnel drops about 10 mins with it set to 2400 its about 1 hour 10mins
0 -
Any news about this issue? Will ZyXEL launch a new firmware realease? We are experiencing the same problem. Thank you
Best regards0 -
ZCNE Certified
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight
