07-27-2011 08:25 AM
Dear,
My RVS4000 router freezes up when a lot of data is being pushed through the IPsec tunnel. Let me explain in detail.
On physical location A, I have an RVS4000 router (with IP 192.168.3.1) which is permanently connected with a WRVS4400 router (with IP 192.168.1.1) on physical location B. The IPsec tunnel has been configured using the Easy Setup Wizard of Cisco and has been working fine and stable for months. Both routers have another IPsec tunnel with another WRVS4400 router (with IP 192.168.2.1) on physical location C, but this router does not play a role in the problem below.
Recently, I have been trying to set up a remote backup service between physical location A and B using “rsync”, which uses port 873. Thanks to the IPsec/VPN tunnel, I could configure rsync to move the backup files from our NAS on location A (NAS has IP 192.168.1.2) directly to location B (NAS has IP 192.168.3.2). Both NAS devices are of the brand Synology (DS211J). The IPsec tunnel guarantees that the data is coded and thus secure.
However, when pushing the first batch of data, I noticed that the router on the receiving end (RVS4000) freezes up after approx. 1,5h after the batch has started, which is after approx. 1 gigabyte of data has been transmitted. The connection with the WAN is lost, also the VPN-tunnel is not working, I cannot ping the device or reach its configuration pages (on 192.168.3.1), the only option is unplugging it and letting it reboot. I’m thinking the router cannot deal with the huge amount of data that needs to be decoded. I tried 5/6 times, with always the same result (timing / amount of data pushed through before router freezes varies slightly).
Other things worth mentioning:
Does anyone have an idea on what could be wrong, how to troubleshoot this further, or a potential solution?
Thanks,
Dries
09-27-2011 02:00 PM
Hi
I am having a similar problem after establishing a VPN link between two RVS400 routers. Everything works for a period (12hrs +) and then one or the other router freezes.
The only resort is to power-cycle the offending router.
Did you generate a fix or get some support?
I note that I am the first reply after several months.
Thanks
Chris
09-27-2011 03:14 PM
Christopher,
Thank you for posting. I have not experienced the issue that you are seeing. I do recall solving other issues in the past by disabling logging completely. In some cases we have seen routers "lock up", and after disabling all logging it was fine. It is worth a try since all logs are being lost with the reboot anyway. Please keep us updated.
09-27-2011 03:39 PM
Hi
Actually, I didn't have any logging enabled.
I have just enabled it in the hope of identifying the problem
Thanks
Chris
09-27-2011 02:51 PM
What is your WAN connection type? Do you have static IP addresses on both ends of the tunnel?
Please consider calling the Support Center to get a problem ticket created. This will expedite the resolution of the issue.
09-27-2011 03:41 PM
Hi
The WAN connection is Dynamic IP and I use a DDNS to redirect the net traffic
I have requested a call back, but will look harder for a direct number to call tomorrow (late in the UK).
Thanks
Chris
09-27-2011 11:10 PM
Hi,
I contacted the Support Center for this eventually. And they suggested to turn off the IPS function (the feature that checks if worms, or other security risks from the internet, try to make their way into your home network). The IPS should be off on both routers (the receiving and sending one). Strangely, they really downplayed the added security layer that the IPS would bring ("the router already has a firewall").
This worked for me, and also the speed of the internet connection increased significantly. However, one would wonder what the use of IPS is, if you need to turn it off to get your router more stable.
09-28-2011 05:15 AM
I agree with you that disabling IPS is just a temporary workaround to stabilize the system. If you could provide the configuration of the router, it will help R&D reproduce and fix the issue.
09-30-2011 01:50 AM
Here are the settings:
Setup - Wan
Connection type: DHCP
MTU: Auto
DynDNS - configured
Setup - Lan
Local IP: 192.168.3.1
Subnet: 255.255.255.0
DHCP enabled, IPv6 disabled;
Operation mode: gateway
IP mode: IPV4 only;
Firewall
Firewall enabled;
DOS protection: enabled
Block WAN request: enabled
remote mgmt: disabled
Multicast: enabled
SIP gateway: disabled
Block: everything unchecked
Port forwarding: a lot of ports are forwarded. Please let me know if you are looking for something specific.
Protectlink: N/A
VPN tunnels: 2 tunnels active. Aggressive mode and NetBIOS enabled. Please let me know if you are looking for something specific.
QoS: disabled
IPS: currently disabled. Before enabled, blocking all anomalies. Latest IPS definition (which is getting pretty old) was uploaded;
P2P/IM: nothing blocked
L2 switch: nothing set
The IPS is now turned off. If I would just turn it on for "testing purpose", and reproduce the problem, the internet/VOIP connections are lost and that will be frustrating for all users using this connection. We have decided to "leave it this way", it works and it is stable. Maybe you can reproduce the problem with the input I gave, but we will not reproduce it anymore.
Kind regards,
09-30-2011 11:41 PM
Hi Dries
Thanks for that
I have implemented it at my end, including switching off all logging, and my router seems to have gone solid again (i.e. no crashes).
Unfortunately, my colleague has gone on holiday and I won't be able to implement the changes at his end until next week, as the remote management seems to be broken currently.
Thanks
Chris
10-03-2011 01:56 PM
Hi
Just to let you know that I have implemented the changes on both routers and await developments.
Thanks
Chris
10-07-2011 09:12 AM
Hi
The link has remained established for the past four days without any crashes and freezes on the routers. Therefore I think that we can assume that the initial problem has been resolved.
I purchased three identical VPN RVS4000 routers in order to install Flexlm license servers at three remote locations, with a view to using the redundancy feature (i.e. as long as 2 out of 3 license servers can communicate then licenses are served).
The new setup now appears to be preventing me from doing the following:
Certainly the first two items were working before using the default setup.
Does anyone have an idea which setup item may now be blocking access?
Thanks
Chris