IPSec sessions on the firewall not terminated after a while of being idle?
I have the following scenario: I manually connect with a device (smartphone or notebook) from outside via an IPSec VPN client (using the configurations generated by the USG-20W-VPN), i.e. StrongSwan or the Win1x client.
Now, when I bring the device(s) back into WiFi range, they reconnect to the WiFi, so the IPSec tunnel is not used anymore. Now, if I log onto the firewall even hours after having used the IPSec tunnels, the tunnels are still shown as active in the overview, even though they have not been used for a long time. All the traffic has gone via LAN cable or WiFi for hours. Only when I click the refresh button at the top right of the overview do I see the IPSec tunnel disconnecting right afterwards.
Is this a bug, or a feature? 😋
Shouldn't the firewall disconnect the tunnel by itself after an idle time and a preset timeout?
The log shows that the connection was terminated only after I actively pressed refresh. The device had already been used via WiFi for 1-2 hours, but the IPSec tunnel of this device was still left in a limbo state on the firewall, even though it had been manually terminated on the smartphone :) as I understand it.
Summary: the IPSec connection was definitely used at most between 11:51 (correct timestamp) and 17:51. Afterwards, the smartphone changed to WiFi. I have to stop the StrongSwan client, as it tries to reconnect unsuccessfully. So, I manually stopped the VPN, and the smartphone is now connected to the internet via WiFi. By 17:52 at the latest the IPSec connection is not used anymore, but it is not only still shown as active in the GUI; in the logs there is also no disconnection. The disconnection occurs only after I press the refresh button in the GUI.
All Replies
Hi @Zyxel_USG_User ,
Which firmware version are you using?
We tested the scenario using a USG 20W VPN with firmware version 5.39P1, but our logs and VPN dashboard correctly showed the timestamp when our VPN clients disconnected.
Please check your firmware version and verify the exact time when your VPN clients disconnected against what's shown in your device GUI. If the issue persists, we may need a remote session to investigate further.
Firmware on the firewall is V5.39(ABAR.1).
I assume that we misunderstand each other. When I deliberately disconnect and reconnect, the timestamps are accurate in the log files and the GUI, as you posted as well.
Now, to the current problem:
- take a smartphone, e.g. with the StrongSwan IPSec VPN client.
- Activate the tunnel session to the firewall, then
- put the phone in an isolated box so that it has no data traffic while the tunnel has not been terminated. Or put it in flight mode.
- You will see that the tunnel, despite no traffic, is not timed out or disconnected on the firewall by the firewall itself, even after hours.
Looking at the smartphone in flight mode: the phone tries to terminate the VPN according to the StrongSwan log because it cannot reach the firewall (!), which is a bit funny from a procedural point of view; obviously the data does not 'get out'. If it cannot reach the firewall, why does it still try to send termination data out…
Looking at the firewall side, the firewall, even though it does not receive data, remains in limbo status, showing the connection in the GUI indefinitely even though no data is sent or received via that connection.
When I remove flight mode on the smartphone and then manually terminate the tunnel/disconnect in StrongSwan, it logs and displays the tunnel termination correctly. Otherwise, there is no tunnel termination on the firewall, by the firewall itself, for a 'gone idle' connection, indefinitely. Well, a firewall reboot removes the connection :) but that should not be the standard procedure for VPN tunnels in indefinite connection states.
What I assume is that the firewall does not terminate an IPSec connection by itself after a threshold of no data has been reached?
Hi @Zyxel_USG_User ,
The symptom you observed is caused by a design limitation between the firewall and Android StrongSwan.
When an Android device with StrongSwan establishes a VPN connection and then switches to airplane mode, it does not send a VPN disconnection signal to the firewall. This causes the dashboard to show that the VPN connection remains active, and there are no VPN disconnection logs on the log pages.
Workaround Solution:
Enable the "Enable user idle detection" function on your firewall. This allows the firewall to actively monitor VPN user activity and automatically disconnect VPN connections once their idle time reaches the configured time.
If you set the Phase 2 SA lifetime low, that might also drop the session?
I enabled the setting, see pics. The remote access users are included in the 'users' group, so the ticked box should be inherited by them too. However, it does not work. The connection is still in limbo after ages, shown as active, with the internal IP assigned and all that. It just shows no data traffic over the connection, which is the only correct thing about it.
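As an added illustration (not from this thread, Zyxel or strongSwan), here is a small Python audit over a constructed SA table that applies the two workarounds suggested above, an idle threshold and a short Phase 2 SA lifetime, to the thread's 11:51 to 17:51 timeline; every user name, address and timestamp in it is made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IpsecSa:
    """One row of a firewall's VPN overview (constructed, not real output)."""
    user: str
    assigned_ip: str
    established: datetime
    last_traffic: datetime        # last packet seen in either direction
    phase2_lifetime: timedelta    # configured Phase 2 SA lifetime


def idle_for(sa: IpsecSa, now: datetime) -> timedelta:
    """Time since the tunnel last carried a packet."""
    return now - sa.last_traffic


def stale_sas(sas, now, idle_timeout):
    """Tunnels an idle-detection feature should have torn down by `now`:
    no traffic in either direction for at least `idle_timeout`."""
    return [sa for sa in sas if idle_for(sa, now) >= idle_timeout]


def expires_by_lifetime(sa, now):
    """Whether the Phase 2 SA lifetime alone would already have ended the
    tunnel: a peer that vanished silently never rekeys, so the SA simply
    runs out at established + lifetime."""
    return now >= sa.established + sa.phase2_lifetime


DAY = datetime(2024, 1, 1)  # constructed date; only the clock times matter
SAMPLE = [  # phone: the thread's timeline; notebook: still passing traffic
    IpsecSa("phone", "192.168.50.10", DAY.replace(hour=11, minute=51),
            DAY.replace(hour=17, minute=51), timedelta(hours=24)),
    IpsecSa("notebook", "192.168.50.11", DAY.replace(hour=20, minute=0),
            DAY.replace(hour=20, minute=58), timedelta(hours=24)),
]


def audit(now=DAY.replace(hour=21, minute=0), idle_timeout=timedelta(minutes=30)):
    """User names of sample tunnels idle beyond the threshold at `now`."""
    return [sa.user for sa in stale_sas(SAMPLE, now, idle_timeout)]


if __name__ == "__main__":
    now = DAY.replace(hour=21, minute=0)
    for sa in SAMPLE:
        print(f"{sa.user}: idle {idle_for(sa, now)}, "
              f"lifetime expired: {expires_by_lifetime(sa, now)}")
    print("stale:", audit())
```

With a 30-minute threshold the phone's tunnel is flagged three hours after its last packet, while a 24-hour Phase 2 lifetime would not clear it until the next morning, which is why lowering the lifetime only helps if it is set well below the idle time you are willing to tolerate.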