
IPSEC - cannot route - route already in use

We have a router that establishes an IPsec connection with the UTM. This router has a dynamic IP and as such is set to "Respond Only" for the gateway in the IPsec site-to-site config on the UTM. Connects just fine.

Now, if we turn this router off, the ipsec connection drops as expected. However, the UTM seems to just sit there with the route established ie it doesn't detect the link is down and delete the route.

DPD seems to kick in about 120s at which time the security association (and route) is then deleted by the UTM. The remote router can then connect and establish an ipsec connection to the UTM.

However, if the remote router tries to connect to the UTM before this route is deleted by DPD, the UTM complains about the route already being in place. Obviously because it is still there. As the remote router retries, the UTM then further complains about the maximum number of retries being reached and the remote router cannot connect.

Any ideas for a workaround? My immediate thoughts are that the DPD detection time needs to be brought down on the UTM side so that the routes can be deleted.



  • Hi Louis,

    But that’s what DPD is for. The UTM or any other router can’t detect the vanished tunnel without a DPD timeout.

    What might be interesting, does the dynamic router keep the IP Address if it tries to reconnect after power off?

    But at the end you should lower the timeout. I don’t know the exact use case but how many disconnects does this device have a day. Is there really a difference if this lasts 30 or 120 seconds?

    Best regards 

    Alex 


  • It does have a number of disconnects because it's mobile. It is a 4G router that picks up a private dynamic IP address every time it connects.

    I've gone into the CLI on the UTM and altered the DPD timeouts to dpddelay=20s and dpdtimeout=40s and it appears to work now.

    I can restart the router (it takes about 70s from a cold start) and it connects without issue. The UTM detects the drop at 40s and deletes the route and the remote router can connect as there is no previous route.

    My only concern now is if the remote router IP changes between towers which could mean a 5 second drop out etc at which time I don't think this would work unless I change the dpd timeouts to even lower.
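The race described in this thread (the peer comes back while the responder still holds the stale SA and route) can be reasoned about with a small timing model. The following is an added example, not code from the thread or from the UTM; it assumes Libreswan-style semantics where `dpddelay` is the probe interval for a silent peer and `dpdtimeout` counts from the last packet received from that peer, and it uses constructed scenario values (the 70 s cold start and 5 s tower handoff mentioned above, plus an assumed 30 s/120 s pair to stand in for the ~120 s detection the original post observed).

```python
"""DPD-vs-reconnect race model (added example; names and semantics assumed).

A responder keeps one SA/route per peer identity, probes a silent peer every
`dpddelay` seconds and deletes the SA `dpdtimeout` seconds after the last
packet it received from that peer.  A peer that re-initiates while the stale
SA still exists is rejected, mirroring the "route already in use" error.
Time is modelled in whole seconds.
"""


def simulate(dpddelay, dpdtimeout, peer_dies_at, peer_reconnects_at, horizon=600):
    """Run the model and return (outcome, sa_deleted_at, log).

    outcome is "reconnected" if the peer's new proposal arrived after the
    stale SA was cleared, "rejected" if it arrived while the SA still existed,
    or "no reconnect attempt" if the horizon was reached first.
    """
    sa_up = True          # tunnel is established at t=0
    last_rx = 0           # last second a packet arrived from the peer
    last_probe = None     # last second a DPD probe was sent
    peer_alive = True
    sa_deleted_at = None
    log = []

    for t in range(1, horizon + 1):
        if t == peer_dies_at:
            # Power loss / tower change: no IKE delete is sent to the responder.
            peer_alive = False
            log.append(f"t={t}: peer goes silent without notification")

        if sa_up:
            silent_for = t - last_rx
            if silent_for >= dpdtimeout:
                sa_up = False
                sa_deleted_at = t
                log.append(f"t={t}: DPD timeout, SA and route deleted")
            elif silent_for >= dpddelay and (last_probe is None or t - last_probe >= dpddelay):
                last_probe = t
                if peer_alive:
                    # The peer answers the probe, which counts as received traffic.
                    last_rx = t
                    log.append(f"t={t}: DPD probe answered")
                else:
                    log.append(f"t={t}: DPD probe unanswered ({silent_for}s of silence)")

        if t == peer_reconnects_at:
            if sa_up:
                log.append(f"t={t}: new proposal from peer rejected: route already in use")
                return "rejected", sa_deleted_at, log
            log.append(f"t={t}: new SA established")
            return "reconnected", sa_deleted_at, log

    return "no reconnect attempt", sa_deleted_at, log


# Constructed scenarios: peer dies at t=35 in each case.
SCENARIOS = {
    # Assumed stand-in for the ~120s detection seen with the original settings.
    "original, 70s cold start": dict(dpddelay=30, dpdtimeout=120, peer_dies_at=35, peer_reconnects_at=105),
    # Values from the thread: dpddelay=20s, dpdtimeout=40s.
    "tuned, 70s cold start": dict(dpddelay=20, dpdtimeout=40, peer_dies_at=35, peer_reconnects_at=105),
    # The remaining concern: a 5s drop during a tower handoff.
    "tuned, 5s handoff": dict(dpddelay=20, dpdtimeout=40, peer_dies_at=35, peer_reconnects_at=40),
}


def run_all():
    """Return {scenario name: (outcome, sa_deleted_at)} for every scenario."""
    return {name: simulate(**params)[:2] for name, params in SCENARIOS.items()}


if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        outcome, _, log = simulate(**params)
        print(f"--- {name}: {outcome}")
        for line in log:
            print("   ", line)
```

Running the block prints the event log for each scenario. With the values from the thread the stale SA is gone at t=60, comfortably before the 70 s cold start completes, while the 5 s handoff still lands inside the silence window, which is why lowering the timeouts further (or accepting a short outage) would be needed for that case.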

  • Just an idea, maybe it’s an alternative to use SSL VPN instead of IPsec? Maybe there isn’t so much headache when the connection reestablishes.

