VPN tunnel drops every 70 seconds

Daniel Hoegele
Level 1

Hi,

I have a problem with the VPN connection to one of my branch offices.

My setup:

Main Office: IPCOP v1.4.21 VPN-Router - SDSL 8Mbit - LAN

Branch 1: Linksys RV082 v2.0.0.19 - SDSL 4 Mbit - LAN

Branch 2: Cisco RV082 v4.0.2.08 - ADSL 16Mbit - PPPoE

Branch 3: Linksys RV082 v2.0.0.19 - ADSL 3Mbit - PPPoE

Branch 4: Cisco RV082 v4.0.4.02 - ADSL 25Mbit - PPPoE

The connection between the main office and branch 4 drops every 70 seconds (~68 pings) and is automatically reestablished after 15 seconds (~3 pings).

Connections between the main office and the other branch offices are stable. Same for a connection between 1 and 4.

The WAN connection at branch 4 is also stable. All offices are using fixed WAN IP addresses.

RV082 VPN-Setup in all branch offices:

IKE with PSK

Keep alive on

MTU is "Auto".

Phase1:

Group1

3DES

MD5

Life Time 28800s

Phase2:

Group1

3DES

MD5

Life Time 3600s

IPCOP VPN-Setup at main office:

PSK

IKE:

Group MODP-1536 / MODP-1024

3DES

MD5

Life Time 1h

ESP:

Group1

3DES

MD5

Life Time 8h

RV082 branch 4 VPN-Log:

Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA(0xcc855682) payload: deleting IPSEC State #475
Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA(0xcc855682) payload: deleting IPSEC State #475
Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA payload: deleting ISAKMP State #473
Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA payload: deleting ISAKMP State #473
Sep 16 13:33:53 2011VPN Log(g2gips0) #479: initiating Main Mode
Sep 16 13:33:53 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Sep 16 13:33:53 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: received Vendor ID payload [RFC 3947]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: received Vendor ID payload [RFC 3947]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: received Vendor ID payload [Dead Peer Detection]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: received Vendor ID payload [Dead Peer Detection]
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 16 13:33:55 2011VPN Logpacket from 92.198.xx.xxx:500: [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: responding to Main Mode
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: OAKLEY_GROUP_MODP1536 is not enabled for this connection. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: OAKLEY_GROUP_MODP1536 is not enabled for this connection. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: OAKLEY_GROUP_MODP1024 is not enabled for this connection. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: OAKLEY_GROUP_MODP1024 is not enabled for this connection. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: no acceptable Oakley Transform
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: no acceptable Oakley Transform
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: sending notification NO_PROPOSAL_CHOSEN to 92.198.xx.xxx:500
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: received Vendor ID payload [Dead Peer Detection]
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: received Vendor ID payload [Dead Peer Detection]
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 2nd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator send Main Mode 3rd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] <<< Initiator Received Main Mode 4th packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 5th packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] >>> Initiator Receive Main Mode 6th packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: Peer ID is ID_IPV4_ADDR: '92.198.xx.xxx'
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: [Tunnel Negotiation Info] Main Mode Phase 1 SA Established
Sep 16 13:34:03 2011VPN Log(g2gips0) #479: ISAKMP SA established
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS {using isakmp#479}
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: esp_ealg_id=3-3,esp_ealg_keylen=0, key_len=192,esp_aalg_id=1-1.
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Inbound SPI value = 2496dd27
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Inbound SPI value = 2496dd27
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Outbound SPI value = cc855683
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Outbound SPI value = cc855683
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: sent QI2, IPsec SA established {ESP=>0xcc855683 <0x2496dd27

Any ideas?

Thanks, Daniel
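Added example, not part of the original post: a small Python parser for the RV082 log format shown above that collapses the doubled lines and reports which Delete SA payloads came from the peer, which DH groups the RV082 rejected, and how long the tunnel stayed down. The sample lines are copied from the log in the post; the function names `parse` and `summarize` are this example's own.

```python
import re
from datetime import datetime

# Lines copied from the log in the post (masked peer address kept as posted).
SAMPLE = """\
Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA(0xcc855682) payload: deleting IPSEC State #475
Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA(0xcc855682) payload: deleting IPSEC State #475
Sep 16 13:33:53 2011VPN Log(g2gips0) #473: received Delete SA payload: deleting ISAKMP State #473
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: OAKLEY_GROUP_MODP1536 is not enabled for this connection. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: OAKLEY_GROUP_MODP1024 is not enabled for this connection. Attribute OAKLEY_GROUP_DESCRIPTION
Sep 16 13:33:55 2011VPN Log(g2gips0) #480: sending notification NO_PROPOSAL_CHOSEN to 92.198.xx.xxx:500
Sep 16 13:34:03 2011VPN Log(g2gips0) #481: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
"""

# The timestamp is fused to the literal "VPN Log" in this log format.
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d \d{4})VPN Log(.*)$")

def parse(text):
    """Return (datetime, message) events, collapsing consecutive duplicate lines."""
    events, prev = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.groups() == prev:
            continue
        prev = m.groups()
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        events.append((ts, m.group(2).strip()))
    return events

def summarize(events):
    """Collect peer-initiated deletes, rejected DH groups and outage durations."""
    out = {"peer_deletes": [], "rejected_groups": [], "no_proposal": 0, "outages_s": []}
    down_since = None
    for ts, msg in events:
        if "received Delete SA" in msg:          # teardown requested by the remote end
            out["peer_deletes"].append(msg)
            down_since = down_since or ts
        elif m := re.search(r"(OAKLEY_GROUP_\w+) is not enabled", msg):
            out["rejected_groups"].append(m.group(1))
        elif "NO_PROPOSAL_CHOSEN" in msg:        # local side refused the peer's proposal
            out["no_proposal"] += 1
        elif "IPSec Tunnel Connected" in msg and down_since:
            out["outages_s"].append((ts - down_since).total_seconds())
            down_since = None
    return out

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```
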

4 Replies

linksysinfo
Level 4

What is Branch 4's WAN MTU set at? Maybe worth testing with lower values. For PPPoE it should be 1492 or less. Lower by the value of 8 each time and test. It may be that packets are getting dropped on the WAN link and thus the VPN tunnel drops over time. Worth a try anyway.

Regards Simon

MTU was also my first thought. Currently it's set to "auto" but I already tried decreasing step by step down to 1400 without success...

I also added MODP-768 to the IPCOP IKE-Group to fix the "OAKLEY_GROUP_MODPxxx is not enabled" errors.

Any more ideas?

Daniel,

When the tunnel goes down, do you lose access to the Internet briefly? If you ran a ping -t to the DNS server and another across the tunnel, do we lose any pings to the DNS?

Jason

No, internet access is not interrupted. I can also ping the public IP of branch 4 without any lost packets.

It's just the link to the main office, that drops...

Daniel
