VPN tunnel uptime problem

Options
2»

All Replies

  • PeterUK
    PeterUK Posts: 4,250 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 13

    So USG FLEX 700H to Zywall110V3 VPN tunnel was showing a problem on the FLEX700H is the Responder Only for this tunnel when I checked Zywall 110 side it showed it was disconnected even when its the nailed up side yet FLEX700H shows it is connected most of the time when its not so on the Zywall 110 side I disabled that tunnel then enabled it and now the tunnel is up. Not sure why the Zywall 110 was not auto trying to connect and needed a disable/enable. But at the same time FLEX700H should not of shown it was connected when not.

  • PeterUK
    PeterUK Posts: 4,250 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary
    edited November 13

    I wonder if this is some type tunnel connection race condition handling problem? I mean it should not happen due to local and remote ID as tunnels get connected.

    So here might be a idea if the FLEX H have nailed up tunnels it will do them first one at a time any tunnels that are Responder Only will be allowed after one at a time then allows the next on boot up.

  • Zyxel_Melen
    Zyxel_Melen Posts: 4,196 image  Zyxel Employee
    Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Switch Zyxel Certified Network Administrator - Nebula Zyxel Certified Sales Associate

    Hi @PeterUK

    About the Zywall110V3 VPN tunnel, I noticed a behavior when monitoring:

    There are four VPN tunnel status:

    Zywall110V3: #751, ESTABLISHED, IKEv2, a40e9b04a0e3df15_i a88116f67011ede5_r
  local  '***' @ 192.168.*.*[500]
  remote '***' @ [P]192.168.*.*[500]
  aes256-cbc/hmac-sha1/hmac-sha1/modp1024
  established 47s ago, rekeying in 81679s
  sec_policy1_Zywall110V3: #759, reqid 5, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha1
    installed 47s ago, rekeying in 26963s, expires in 31633s
    in  c6cf2771, 0 bytes, 0 packets
    out 26df4d24, 0 bytes, 0 packets
    local  192.168.*.*
    remote 192.168.*.*
Zywall110V3: #750, ESTABLISHED, IKEv2, 59f8ba6b24ca8584_i 2fc4b78c10f70906_r
  local  '***' @ 192.168.*.*[500]
  remote '***' @ [P]192.168.*.*[500]
  aes256-cbc/hmac-sha1/hmac-sha1/modp1024
  established 133s ago, rekeying in 85260s
  sec_policy1_Zywall110V3: #758, reqid 5, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha1
    installed 133s ago, rekeying in 26152s, expires in 31547s
    in  c55c7d7f, 0 bytes, 0 packets
    out c0ab9a59, 0 bytes, 0 packets
    local  192.168.*.*
    remote 192.168.*.*

    Or

    0> show ike ike-sa details
Zywall110V3: #752, DELETING, IKEv2, d32f5d35987acfd2_i ca9c597facaeaa2c_r
  local  '***' @ 192.168.*.*[500]
  remote '*' @ [P]192.168.*.*[500]
  aes256-cbc/hmac-sha1/hmac-sha1/modp1024
  sec_policy1_Zywall110V3: #760, reqid 5, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha1
    installed 2s ago, rekeying in 27385s, expires in 31678s
    in  c6feda26, 0 bytes, 0 packets
    out 0d6007ed, 0 bytes, 0 packets
    local  192.168.*.*
    remote 192.168.*.*
Zywall110V3: #751, ESTABLISHED, IKEv2, a40e9b04a0e3df15_i a88116f67011ede5_r
  local  '***' @ 192.168.*.*[500]
  remote '***' @ [P]192.168.*.*[500]
  aes256-cbc/hmac-sha1/hmac-sha1/modp1024
  established 87s ago, rekeying in 81639s
  sec_policy1_Zywall110V3: #759, reqid 5, INSTALLED, TUNNEL, esp:aes128-cbc/hmac-sha1
    installed 87s ago, rekeying in 26923s, expires in 31593s
    in  c6cf2771, 0 bytes, 0 packets
    out 26df4d24, 0 bytes, 0 packets
    local  192.168.*.*
    remote 192.168.*.*

    Or sometimes only one Zywall110v3 tunnel and other four VPN tunnels up

    Or Zywall110v3 tunnel doesn't established, only other four VPN tunnels up.

    It seems like the Zywall110 did reconnect the VPN tunnel, but somehow the firewall continuously initiates the new VPN tunnel. Because of that, there has a period that Zywall110v3 tunnel is not up on the USG FLEX 700H side.

    But at the same time FLEX700H should not of shown it was connected when not.

    From the USG FLEX 700H side, the VPN tunnel status might be still established when ZyWALL110 shows disconnect. It seems like the USG FLEX 700H didn't receive the tunnel disconnect info from ZyWALL110, which needs to wait USG FLEX 700H detect the disconnect. However, I couldn't identify why ZyWALL110 disconnect the VPN tunnel, since I can only access the USG FLEX 700H and check at that time.

    Zyxel Melen


  • PeterUK
    PeterUK Posts: 4,250 image  Guru Member
    250 Answers 2500 Comments Friend Collector Eighth Anniversary

    From what I know on the reboot of FLEX 700H around 12th 6:47PM all tunnels where up but Zywall110V3 then at around 13th 12:08PM I disabled the enabled on the Zywall 110 side the Zywall110V3 and since then its been fine.

    I would guess the problem would or might have corrected its self based on the SA life time 86400 so 24hr

    so rebooting either FLEX700H or Zywall 110 may cause this issue to happen again not sure.

Categories

Nebula Tips & Tricks


    Read more

    Nebula Help Center

    EnglishTiếng ViệtРусскийไทย中文(台灣)