Virtual Router/ Firewall/ VPN

New Contributor
Posts: 3
Registered: 04-03-2014

VPN IPsec tunnel random dropouts

I keep getting random dropouts for my VPN tunnel. It only happens rarely (~twice a week); if I do a "service ipsec restart" then it immediately starts working again. Really annoying as I'm trying to replicate a large VM to our DR site and every time the tunnel drops I have to start again!
Config as below. Any ideas guys?

esp-group DR {
    compression disable
    lifetime 3600
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes128
        hash sha1
    }
}

ike-group DR {
    dead-peer-detection {
        action restart
        interval 15
        timeout 30
    }
    lifetime 28800
    proposal 1 {
        dh-group 2
        encryption aes128
        hash sha1
    }
}

peer *.*.*.* {
    authentication {
        mode pre-shared-secret
        pre-shared-secret ***
    }
    connection-type initiate
    description "DR Site"
    ike-group DR
    local-address *.*.*.*
    tunnel 2 {
        allow-nat-networks disable
        allow-public-networks disable
        esp-group DR
        local {
            prefix 192.168.*.0/24
        }
        remote {
            prefix 10.*.0.0/24
        }
    }
}

New Contributor
Posts: 3
Registered: 06-02-2014

Re: VPN IPsec tunnel random dropouts

Hello,

I have the same problem, but on ipsec/l2tp (client-to-site), and more often.... sometimes.... it drops packets and I drop the terminal session that I have open.... Have you found any solution?

Thanks

M.

New Contributor
Posts: 2
Registered: 04-14-2016

Re: VPN IPsec tunnel random dropouts

I'm having a similar issue with ASAs on the remote end. The tunnel shows up but never restarts. I'm guessing the dead peer detection is responding so the tunnel doesn't reset. Both phase 1 and phase 2 are up on the Vyatta but down on the ASA side. Frustrating since I verified all settings over and over. I am stumped. Hello Brocade!

Brocadian
Posts: 44
Registered: 02-09-2015

Re: VPN IPsec tunnel random dropouts

Have you tried reducing the interval and timeout for the dead peer detection?

New Contributor
Posts: 2
Registered: 04-14-2016

Re: VPN IPsec tunnel random dropouts

Hi Jason,

I have tried to disable them altogether but I still see drops. The tunnels do not carry production data so I haven't pursued this too hard.

Brocadian
Posts: 44
Registered: 02-09-2015

Re: VPN IPsec tunnel random dropouts

The 'dead peer detection' timers are useful for detecting when the other side of the tunnel is not responding so that the link can be re-established.

Do you have any mechanism for monitoring the condition of the link between both ends of the tunnel?
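One way to get the kind of link monitoring asked about above, added here as an example and not code from any poster in this thread: a small POSIX sh script run from cron on the Vyatta (or any host behind it) that probes a host inside the remote prefix, keeps a count of consecutive failures in a state file, and logs the tunnel as up, degraded or down. The remote address 10.0.0.1, the state file path and the failure threshold of 3 are constructed placeholders; the original post only shows the remote prefix as 10.*.0.0/24. The `probe` function is deliberately a one-liner so it can be swapped for another check (or, as in the test, a stub) without touching the counting logic.

```shell
#!/bin/sh
# IPsec tunnel link monitor (added example; not from the thread).
# Assumptions (constructed): REMOTE_HOST is a reachable host inside the
# remote tunnel prefix, STATE_FILE persists the failure count between cron
# runs, FAIL_THRESHOLD consecutive probe failures mean "down".
REMOTE_HOST="${REMOTE_HOST:-10.0.0.1}"
STATE_FILE="${STATE_FILE:-/tmp/ipsec-dr-failcount}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"

# probe: a single ICMP echo through the tunnel with a 2-second deadline.
# Returns 0 when the far side answered, non-zero otherwise.
probe() {
    ping -c 1 -W 2 "$REMOTE_HOST" >/dev/null 2>&1
}

# record_result FILE OK
#   OK is 0 for a successful probe, 1 for a failed one.
#   Resets the consecutive-failure count on success, increments it on
#   failure, persists it to FILE and prints the new count.
record_result() {
    file=$1
    ok=$2
    count=0
    [ -f "$file" ] && count=$(cat "$file")
    if [ "$ok" -eq 0 ]; then
        count=0
    else
        count=$((count + 1))
    fi
    echo "$count" > "$file"
    echo "$count"
}

# decide COUNT THRESHOLD
#   Maps a consecutive-failure count to a link state: "up" for zero
#   failures, "degraded" below the threshold, "down" at or above it.
decide() {
    count=$1
    threshold=$2
    if [ "$count" -eq 0 ]; then
        echo up
    elif [ "$count" -lt "$threshold" ]; then
        echo degraded
    else
        echo down
    fi
}

# check_once: run one probe, update the count, log and print the state.
# The syslog line is what an alerting system would watch for; a "down"
# state is the point at which an operator (or a separate, deliberately
# rate-limited job) would decide whether a restart is warranted.
check_once() {
    if probe; then ok=0; else ok=1; fi
    count=$(record_result "$STATE_FILE" "$ok")
    state=$(decide "$count" "$FAIL_THRESHOLD")
    logger -t ipsec-monitor \
        "tunnel to $REMOTE_HOST: $state (consecutive failures: $count)" \
        2>/dev/null || true
    echo "$state"
}

# Run a single check only when invoked as: sh ipsec-monitor.sh run
case "${1:-}" in
    run) check_once ;;
esac
```

Scheduled every minute (for example `* * * * * sh /config/scripts/ipsec-monitor.sh run` in the crontab), this produces a syslog trail with the timestamp of each transition, which is what you need to correlate a dropout against the IKE lifetime (28800 s in the posted config), the ESP lifetime (3600 s) or the DPD timeout, rather than only noticing the outage when a replication job fails.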

New Contributor
Posts: 4
Registered: 08-19-2016

Re: VPN IPsec tunnel random dropouts

Do you have NAT traversal enabled? If you have NAT traversal enabled and you are finding the only way you can get the tunnel back up is by resetting it (and reset only works from one end of the tunnel and not the other), you might want to understand the behaviour of how the Vyatta operates when NAT traversal is enabled. Try making one side a dynamic peer (preferably the side where initiating traffic will be sent to, not from), e.g. site-to-site peer 0.0.0.0.
