Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Replies 6 replies
  • Answers 2 answers
  • Subscribers 39 subscribers
  • Views 385 views
  • Users 0 members are here
Options
Suggested

VPN with Drayteks constant disconnects

Andrej Pirman

Hi,

I have a bunch of XGS firewalls in main offices of my customers, which have branch/remote offices with Draytek routers, different models. I have not paid attention till now, when one of those reported intermittent issues with Site2Site IPSec VPN. I looked in IPSec logs on few XGS firewalls, and I can see all tunnels have frequent disconnects/reconnects, like can be seen below.

I have IKE key times slightly differently set on both sides, say 28800 on one side and 30000 on the other. Could this be an issue?

Weird fact: out of 8 branch offices, all VPN settings are the same, same Drayteks....but only 2 of 8 constantly terminate, the rest maybe once per day.

Any idea where to start resolving?

Time Log comp Status Message
16.09.2024 11:56 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 11:42 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 11:22 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 11:06 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 10:32 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 10:32 IPSec  Deny Received IKE message with invalid SPI (37D3016A) from the remote gateway.
16.09.2024 10:32 IPSec  Deny Received IKE message with invalid SPI (37D3016A) from the remote gateway.
16.09.2024 10:31 IPSec  Deny Received IKE message with invalid SPI (37D3016A) from the remote gateway.
16.09.2024 10:31 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 10:31 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 10:31 IPSec  Failed VPN_OFFICE-1 - IKE message (20003720) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)
16.09.2024 10:31 IPSec  Failed VPN_OFFICE-1 - IKE message (20003720) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)
16.09.2024 10:14 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 09:50 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 09:37 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 09:13 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 09:00 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 08:39 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 08:23 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 08:02 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 07:49 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 07:24 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 07:12 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 06:47 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 06:34 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 05:57 IPSec  Established VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 established. (Remote: 11.22.59.88)
16.09.2024 05:57 IPSec  Deny Received IKE message with invalid SPI (E759F7AD) from the remote gateway.
16.09.2024 05:57 IPSec  Deny Received IKE message with invalid SPI (E759F7AD) from the remote gateway.
16.09.2024 05:56 IPSec  Deny Received IKE message with invalid SPI (E759F7AD) from the remote gateway.
16.09.2024 05:56 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 05:56 IPSec  Terminated VPN_OFFICE-1 - IPSec Connection VPN_OFFICE-1 between 11.22.59.88 and 33.44.33.44 for Child VPN_OFFICE-1 terminated. (Remote: 11.22.59.88)
16.09.2024 05:56 IPSec  Failed VPN_OFFICE-1 - IKE message (2C50) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)
16.09.2024 05:56 IPSec  Failed VPN_OFFICE-1 - IKE message (2C50) retransmission to 11.22.59.88 timed out. Check if the remote gateway is reachable. (Remote: 11.22.59.88)


Edited TAGs
[edited by: Erick Jan at 10:43 AM (GMT -7) on 16 Sep 2024]
Parents Reply
  • 0 in reply to Erick Jan

    Hi Eric,

    Thank you, but that was my base for setting up VPN tunnels. I used recommended Key lifetimes and retransmit times from built-in BranchOffice and MainOffice examples in XGS. And as this is the same logic as described in the document, I can be sure it is setup properly.

    But from logs I can see VPN tunnel dropping every few minutes, so it's not key lifetime.

    EDIT: Well, weird things are going on here on my XGS. I should probably open another discussion - All PING packets have frequent dropouts, be it from LAN --> Sophos LAN adapter, or from LAN --> to WAN or VPN tunnel. While everything within LAN network, except Sophos LAN adapter, pings indefinitelly without any dropped packet, so switches are OK, no loops, no duplicate IPs.

    There must be something with this XGS, either config failure, or hardware failure (new box, weird).

Children
No Data
Unfiltered HTML