Site-to-Site tunnels stop working after upgrade to 1.02.16

train_wreck
Level 1

I have a site-to-site tunnel from an RV340W to an ASA that has stopped working after I upgraded to 1.02.16. Nothing about the config has changed. After it stopped working, I tried reloading and reconfiguring the RV, but this did nothing. Here is the log from the RV:

2019-01-07T23:31:35-06:00 <notice>VPN-cfg: Bringing UP tunnel s2s_ASA ...
2019-01-07T23:31:35-06:00 <notice>VPN-RPC: Executing RPC for connection ASA to bring up
2019-01-07T23:26:53-06:00 <notice>VPN-cfg: Bringing UP tunnel s2s_ASA ...
2019-01-07T23:26:53-06:00 <notice>VPN-RPC: Executing RPC for connection ASA to bring up
2019-01-07T23:23:54-06:00 <notice>VPN-passthrough: IPSEC-Passthrough: Enabled PPTP-Passthrough: Enabled L2TP-Passthrough: Enabled
2019-01-07T23:23:51-06:00 <notice>VPN-cfg: loading tunnel c2s_RA_IKEv2...
2019-01-07T23:23:51-06:00 <notice>VPN-cfg: loading tunnel c2s_RA_IKEv1...
2019-01-07T23:23:51-06:00 <notice>VPN-cfg: loading tunnel s2s_ASA...
2019-01-07T23:23:47-06:00 <notice>VPN-cfg: Starting ipsec...
2019-01-07T23:23:36-06:00 <debug>kernel: [ 153.311652] nbvpn module loaded successfully...
2019-01-07T23:23:09-06:00 <info>xl2tpd: Mindspeed L2TP offload (C) 2013
2019-01-07T23:23:09-06:00 <info>xl2tpd: Listening on IP address 0.0.0.0, port 1701
2019-01-07T23:23:09-06:00 <info>xl2tpd: Forked again by Xelerance (www.xelerance.com) (C) 2006
2019-01-07T23:23:09-06:00 <info>xl2tpd: Inherited by Jeff McAdams, (C) 2002
2019-01-07T23:23:09-06:00 <info>xl2tpd: Forked by Scott Balmos and David Stipp, (C) 2001
2019-01-07T23:23:09-06:00 <info>xl2tpd: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
2019-01-07T23:23:09-06:00 <info>xl2tpd: xl2tpd version xl2tpd-1.3.1 started on TestRV340W PID:11547
2019-01-07T23:23:09-06:00 <info>xl2tpd: Using l2tp kernel support.
2019-01-07T23:23:09-06:00 <critical>xl2tpd: setsockopt recvref[30]: Protocol not available

Here are the settings:

[screenshot: rvasasite.png]

The ASA does not report receiving any connection attempts. Both devices have WAN IP addresses within the same subnet, so there is nothing blocking the traffic, and like I said this was working no problem on the previous firmware.
Any ideas? This new firmware seems like it has lots of issues......

13 Replies

train_wreck
Level 1

Hello???

Same issue, but from a device (IP Phone) behind the router trying to establish a VPN tunnel to the mother ship.  Has to be software as I rolled back from 1.0.02.16 to 1.0.01.20 and my VPN telephone started working again.
Yes, I can confirm that downgrading firmware (and keeping the same configuration) makes the tunnel connect. The new firmware is broken. It sucks, because the new firmware contains IKEv2 support.

Any update on this issue?

I did the update yesterday and now I have a user who connects to an outside VPN that can no longer do so.

I'd roll back. I am sure Cisco is aware of the issue but there hasn't been a new release.

Also I hope you made a back up of the config before the update as it has to be restored since the config of the new version is not in a backward compatible format.

Thanks for the reply. I updated in hopes to solve an issue with having to restart the SSL VPN server every so often. I don't know why I keep using these Cisco Small Business products......

I did further research and found this in the release notes:

"VPN Passthrough settings are reset on upgrade.
Workaround: Enable the VPN passthrough options manually after upgrading."

Fixed my issue.

Thanks for taking the time to read the release notes :)
I'll check out the configuration parameters referenced.

So it's great that you guys got your problem solved, but I feel like my thread's been hijacked....  enabling this option did NOT fix my issue.

Do you have any further logs? Did you enable the keep-alive feature in the advanced settings tab of Site to site connection?
Thanks!

Here is more detailed output, with VPN selected as the log filter and log level set to "debugging":

2019-Feb-22, 07:26:06 GMT  info    vpn  charon: 15[CFG] no config named 's2s_ASA-1'
2019-Feb-22, 07:26:06 GMT  info    vpn  charon: 15[CFG] received stroke: initiate 's2s_ASA-1'
2019-Feb-22, 07:26:06 GMT  info    vpn  charon: 05[CFG] no IKE_SA named 's2s_ASA_bkp' found
2019-Feb-22, 07:26:06 GMT  info    vpn  charon: 05[CFG] received stroke: terminate 's2s_ASA_bkp'
2019-Feb-22, 07:26:06 GMT  notice  vpn  VPN-timer: Timer event for s2s_ASA. Bringing up primary connection...
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 07[IKE] IKE_SA (unnamed)[305] state change: CREATED => DESTROYING
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 07[NET] sending packet: from RV_IP_ADDRESS[500] to ASA_IP_ADDRESS[500] (40 bytes)
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 07[ENC] generating INFORMATIONAL_V1 request 1234904603 [ N(NO_PROP) ]
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 07[IKE] no IKE config found for RV_IP_ADDRESS...ASA_IP_ADDRESS, sending NO_PROPOSAL_CHOSEN
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V ]
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 07[NET] received packet: from ASA_IP_ADDRESS[500] to RV_IP_ADDRESS[500] (168 bytes)
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 11[IKE] IKE_SA (unnamed)[304] state change: CREATED => DESTROYING
2019-Feb-22, 07:26:00 GMT  info    vpn  charon: 11[NET] sending packet: from RV_IP_ADDRESS[500] to 104.238.224.159[500] (40 bytes)
2019-Feb-22, 07:26:00 GMT  info    vpn


Enabling Keep-Alive did nothing to change things.
Right now, I have 3 Cisco RV devices (RV340, 345P, and 340W), each with separate certificates issued for them, that are unable to connect with the new firmware, but have no problem connecting on the 1.0.1.20 firmware. This is definitely a firmware issue.
Does anyone from Cisco read these forums???
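A small log triage helper, added here as an example and not taken from the thread or from Cisco: it regroups the four-line "debugging" VPN export shown above into records and flags the two signatures visible in it, a connection name the RV's timer initiates but charon has no config for, and an inbound IKEv1 main-mode (ID_PROT) attempt from the peer that was refused with NO_PROPOSAL_CHOSEN. The sample log and its addresses are constructed.

```python
import re
# Constructed sample in the RV340W "debugging" VPN export format (four lines per record:
# time / level / facility / message, newest first); RFC 5737 addresses, not the poster's.
SAMPLE_LOG = """\
2019-Feb-22, 07:26:06 GMT
info
vpn
charon: 15[CFG] no config named 's2s_ASA-1'
2019-Feb-22, 07:26:06 GMT
info
vpn
charon: 15[CFG] received stroke: initiate 's2s_ASA-1'
2019-Feb-22, 07:26:00 GMT
info
vpn
charon: 07[IKE] no IKE config found for 192.0.2.10...198.51.100.20, sending NO_PROPOSAL_CHOSEN
2019-Feb-22, 07:26:00 GMT
info
vpn
charon: 07[ENC] parsed ID_PROT request 0 [ SA V V V V ]
"""

RE_INITIATE = re.compile(r"received stroke: initiate '([^']+)'")
RE_NO_CONFIG = re.compile(r"no config named '([^']+)'")
RE_REJECT = re.compile(r"no IKE config found for (\S+)\.\.\.(\S+), sending NO_PROPOSAL_CHOSEN")

def parse_records(text):
    """Regroup the flattened export into (time, level, facility, message) tuples, oldest first."""
    lines = text.splitlines()
    recs = [tuple(lines[i:i + 4]) for i in range(0, len(lines) - len(lines) % 4, 4)]
    return recs[::-1]

def diagnose(text):
    """Flag names charon was told to initiate but has no config for, and peers whose inbound
    IKEv1 main-mode (ID_PROT) attempt was refused with NO_PROPOSAL_CHOSEN (no matching conn)."""
    initiated, missing, rejected = [], [], []
    saw_id_prot = False  # an ID_PROT request was parsed since the last rejection
    for _time, _level, _facility, msg in parse_records(text):
        if m := RE_INITIATE.search(msg):
            initiated.append(m.group(1))
        elif m := RE_NO_CONFIG.search(msg):
            missing.append(m.group(1))
        elif "parsed ID_PROT request" in msg:
            saw_id_prot = True
        elif m := RE_REJECT.search(msg):
            local, peer = m.groups()
            rejected.append({"peer": peer, "local": local, "inbound_id_prot": saw_id_prot})
            saw_id_prot = False
    unknown = sorted(set(initiated) & set(missing))  # initiated by the RV timer, never loaded
    return {"unknown_initiated": unknown, "rejected_peers": rejected}
```

Run it against a real export (newest entry first, as the GUI produces it) to see whether the failure is a name the daemon never loaded, a peer it refuses to match, or both.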

Bump.... I have narrowed this down to the new firmware not supporting certificate-based site-to-site tunnels. If I change the tunnel authentication type to pre-shared key, it comes up. So the device is not reading certificates properly.
I have tried both importing the PKCS12 file with all requisite certs/keys (the same one that works on firmware 1.0.1.20), and generating the CSR on-box, signing it with our CA, and importing the cert back to the device. Neither one works.

Bump