RV082 - SRP527W - VPN behind NAT not working

g2metric_g2metric · ‎02-10-2014

Hello,

I've really strange behaviors with my routers. We managed to get things running but once a week, the VPN link is down.

The connection is not restart, both routers shows "connected" but are not, and we had to click on "disconnect" to get the link back.

That was before an update in our infrastructure. Now, both routers are behind routers, so both NAT.

Now, the connection works for some time, but once a week, the link disconnected but i'm unable to get it back ! NOTHING works.

Last time, i spent 2Hours to configure the link again, setting the same parameters almost 10 time, and suddenly by magic, the 11st time it worked again. I read many people have troubles with RVXXX firmware so i don't know what to think.

Anyway, my BIG concern now, is that the link is down again, and it has been 6hours since we can't got it back. I restarted the routers many times, i've made some changes in the configuration, but if it worked, why should i modify it ?????? Why is it not working anymore ?

The log for the RV082 is almost empty about the link. Here's a snippet :

Feb 10 19:01:52 2014	VPN Log	(g2gips0) #8: initiating Main Mode
Feb 10 19:01:52 2014	VPN Log	(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014	VPN Log	(g2gips0) #8: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
Feb 10 19:01:52 2014	System Log	gateway_to_gateway.htm is changed.
Feb 10 19:09:08 2014	VPN Log	(g2gips0): deleting connection
Feb 10 19:09:08 2014	VPN Log	(g2gips0) #8: deleting state (STATE_MAIN_I1)
Feb 10 19:09:08 2014	VPN Log	added connection description (g2gips0)
Feb 10 19:09:08 2014	VPN Log	listening for IKE messages
Feb 10 19:09:08 2014	VPN Log	forgetting secrets
Feb 10 19:09:08 2014	VPN Log	loading secrets from '/etc/ipsec.d/ipsec.secrets'
Feb 10 19:09:09 2014	System Log	gateway_to_gateway.htm is changed.

The log for the SRP527W is full of this :

Dump pluto log message in syslog  : 
cat /var/log/messages |grep pluto
Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 02:29:39 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 02:30:09 TLSR0254 authpriv.warn pluto[1156]: "G2" #186: max number of retransmissions (2) reached STATE_MAIN_R1
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: responding to Main Mode
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jan  1 02:30:19 TLSR0254 authpriv.warn pluto[1156]: "G2" #188: STATE_MAIN_R1: sent MR1, expecting MI2
Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: pending Quick Mode with 37.1.XXX.XXX "G2" took too long -- replacing phase 1
Jan  1 02:30:25 TLSR0254 authpriv.warn pluto[1156]: "G2" #189: initiating Main Mode to replace #185
Jan  1 02:30:49 TLSR0254 authpriv.warn pluto[1156]: "G2" #187: max number of retransmissions (2) reached STATE_MAIN_R1
Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=109 
Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: packet from 37.1.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan  1 02:30:59 TLSR0254 authpriv.warn pluto[1156]: "G2" #190: responding to Main Mode

Please help me to get things sorted. I just don't understand why nothing is written in the log about the SRP trying to make a connection. I also don't understand why suddenly the link is broken, and without changing anything, it can't get it back normally !!

Best Regards

mpyhala · ‎02-10-2014

g2metric_g2metric,

I recommend that you contact support for assistance with this issue. We would need to gather too much information to post here and it could take a very long time to troubleshoot.

www.cisco.com/go/sbsc

- Marty

SamirD · ‎02-11-2014

Next time this happens, reboot the rv082 and reconnect. If it works fine, it's just the rv082 needing regular reboots. A fact of life for smb routers by any manufacturer.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

g2metric_g2metric · ‎02-27-2014

Hi again,

Samir, i rebooted all the routers dozens of time when that happened, and it doesn't changed anything. Anyway, i called the Cisco Hotline. They could connect by VPN to RV082, but not the SRP, they didn't know why. Hardware or software failure.

Anyway, i bought another router.

Now i would like to use the SRP527W as a WIFI hotspot only. It doesn't work.

My settings are :

- Router defined as BRIDGE only (using Port lan 4 as Ethernet WAN)

- WAN Interface is assigned 192.168.0.246 / 24

- Gateway for the WAN interface is 192.168.0.254

- Ethernet cable is plugged from LAN4/WAN to my new Modem/Router on LAN3.

- Port LAN2 of SRP527W is defined with VLAN IP Address 192.168.15.254.

When connected to the SRP527W on LAN2, from my computer (192.168.15.200), i can't ping 192.168.0.246 neither 0.254 (gateway is set to 15.254)

Still, when connected to the SRP527W and with the Ping Dagnosis interface, pinging "192.168.0.254" shows "timed out".

I tried almost every configuration, none worked.

Please note that when connected from my computer directly to my new modem/router on port LAN3, with IP Address 192.168.0.200, i can access internet and ping everything. When set as DHCP too, i can grab an IP Address from my DHCP Windows Server.

So, why is the SRP527W unable to work in this configuration ? it seems nothing pass through WAN port.

If i'm right, there is only the WAN port that should be plugged to my modem router. With this settings, SSID should go directly to Internet, and for the other SSID, my LAN (through the modem/router). However, it doesn't work.

Could you help me please ? Thank you

mpyhala · ‎02-27-2014

g2metric_g2metric,

Here are some simple rules for using a router as a wireless AP.

1) Set to factory defaults

2) Give the router a static LAN IP in the same subnet as the gateway router (192.168.0.253 for example)

3) Turn OFF the DHCP server on the "AP"

4) Plug the AP and router LAN to LAN. The WAN port is no longer used on the "AP"

5) Connect to the router and log back into the AP at 192.168.0.253

6) Configure your wireless settings as desired

- Marty

g2metric_g2metric · ‎02-27-2014

Thank you very much for the tips ! I will try this tomorrow.

However, why would i need to turn off the AP DHCP server ?

When this modem router was used as a whole router, i had 2 SSID on it :

- 1 for guest

- 1 for my laptop users

The first 1 was using the local DHCP server on the AP (with a Privavte Class A Subnet)

The other one was simply using my Windows DHCP Server

Can't it be possible to recreate these 2 SSID like this ? This is a great advantage i found on the Cisco Config. I know with VLAN i can separate traffic but i prefer to have both security.

mpyhala · ‎02-27-2014

g2metric_g2metric,

The reason you need to disable the DHCP server is that it will conflict with your Windows DHCP server or other router if it provides DHCP. You could opt to leave DHCP enabled on the SRP and turn it off on the other servers.

Does the other router support VLANs? My instructions assume a single VLAN, so if you have more than that the gateway needs to support VLANs for it to work. You would need to create a trunk port to the gateway or connect a port for each VLAN.

What router did you replace the RV082 with?

- Marty

g2metric_g2metric · ‎02-27-2014

OK i see. The gateway supports VLAN yes. I bought a Draytek Vigor 2860N.

At first we chose a 887VA from Cisco but there weren't any real good GUI to configure it and the CP express was buggy as hell, we had to send it back to our supplier. With our VPN connection down, i didn't have the time to manage all the IOS conf by myself (my CCNA is old)

mpyhala · ‎02-27-2014

g2metric_g2metric,

If the Draytek can do a VLAN trunk to the SRP, I would enable DHCP for both the corporate and guest networks on the Windows server. I have seen several cases where people used a different DHCP server for guests and saw a variety of problems. The other option would be to let the SRP do DHCP for both networks, the important thing is to have only one device doing DHCP.

My original instructions should work well with the exception of adding the second SSID/VLAN.

Please let us know if this works or if you have any issues.

- Marty

g2metric_g2metric · ‎02-28-2014

Hi Marty,

Thank you very much for your help, today i managed to connect the SRP like you said.

Now I got my first SSID working, the one for my corporate users with laptop. I simply left the WAN interface with "DHCP Address", and as it is not connected, it never get one.

However, the second SSID doesn't work. I understand that one DHCP is better than 2 on the same network but at this step, it doesn't matter. The SSID is on another subnet, (10.33.....). As there is no WAN default route, i can't go on internet. Neither i think I can grab an IP Address from my Windows DHCP server.

When I click on the routing table, i can see what's wrong : no default route.

Here's a snippet :

- 192.168.XXX.XXX / 24 --- VLAN 1

- 10.33.XXX.XXX / 24 ---- VLAN 3

And that's it. No default route. It doesn't matter for the SSID 1 because as it grabs an IP from my DHCP Windows Server, I set in the option what is the default gateway.

But for SSID2, working with the AP DHCP, the gateway is, i think, the default route on WAN1. But WAN1 is not connected.

I tried to create a route manually, entering 0.0.0.0 but there's a popup saying "incorrect values". Is there a workaround for this ?

Thanks

mpyhala · ‎02-28-2014

g2metric_g2metric,

This is another good reason to use an external DHCP server instead of the SRP server in this case. The SRP will try to route all internet traffic to it's own WAN port, wheras an external DHCP server will have the correct gateway. At this point I cannot tell you that what you are attempting will not work (I have never attempted this), but my guess is that there is no workaround.

If you set a static IP on a 'guest' PC, it reaches the internet, correct?

- Marty

SamirD · ‎02-28-2014

Very strange with the rv082. The only other thing I would know to try would have been to change the firmware version (lower or higher) until it worked consistently.

I don't know anything about the SRP, so I can't help you much there.

On a side note, what do you plan to do with your rv082 now? I could use it if the VPN still works, but just not in your configuration.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com