akarpas
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Mar 20, 2018 4:46 pm

some of ipsec tunnels stopped working

Fri May 18, 2018 2:39 pm

I have IPsec tunnels configured; they were working fine for a long time. The last few days, every morning when I come to the office, some of the IPsec tunnels are not working.
After a router restart they come back. On the next morning, the same. This morning, total disaster. The router was upgraded to the newest version 6.42.2, the same problem, so I downgraded to bug fix version 6.40.8; some of the VPN tunnels came back but not all.
Phase 1 and 2 pass. Connection established, NAT OK. Nothing was changed since it was working fine.
What could be the problem?
 
CZFan
Forum Guru
Posts: 1028
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: some of ipsec tunnels stopped working

Fri May 18, 2018 3:08 pm

I suspect your IPSec tunnels go down during the evening as there is no "interesting" traffic flowing through. There should be no reason to restart routers, a ping through the tunnel should suffice.

Without seeing your config, very difficult to say what your current problem is.
MTCNA, MTCTCE, MTCRE & MTCINE
 
tippenring
Member Candidate
Posts: 167
Joined: Thu Oct 02, 2014 8:54 pm
Location: St Louis MO

Re: some of ipsec tunnels stopped working

Fri May 18, 2018 6:52 pm

I've noticed a recent change around 6.42. Previously, if one side was set to tunnel 10.10.0.0/24, and the other side was set for 10.0.0.0/16, the side with the /16 defined would accept the /24 proposal.
Around 6.42, it seems that flexibility disappeared. Now both routers have to have matching subnet definitions.
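
A check for the kind of mismatch tippenring describes, as an added example that is not part of the original thread: it compares the tunnel subnets in two routers' `/ip ipsec policy` export lines and flags pairs that only overlap instead of mirroring each other exactly. The sample exports and addresses are constructed, and policies are paired by subnet only (an assumption of this sketch).

```python
import ipaddress
import re
import shlex

# Constructed samples in the shape of "/ip ipsec policy" export lines
# (documentation/private addresses, not taken from the thread).
ROUTER_A = """/ip ipsec policy
add dst-address=10.0.0.0/16 sa-dst-address=192.0.2.2 sa-src-address=192.0.2.1 src-address=192.168.88.0/24 tunnel=yes
add dst-address=172.16.5.0/24 sa-dst-address=192.0.2.2 sa-src-address=192.0.2.1 src-address=192.168.88.0/24 tunnel=yes
"""
ROUTER_B = """/ip ipsec policy
add dst-address=192.168.88.0/24 sa-dst-address=192.0.2.1 sa-src-address=192.0.2.2 src-address=10.0.10.0/24 tunnel=yes
add dst-address=192.168.88.0/24 sa-dst-address=192.0.2.1 sa-src-address=192.0.2.2 src-address=172.16.5.0/24 tunnel=yes
"""

def parse_policies(export_text):
    """Return (src, dst) networks for every 'add' line of the export."""
    # Assumption: wrapped export lines end in a backslash; rejoin them first.
    text = re.sub(r"\\\n\s*", "", export_text)
    policies = []
    for line in text.splitlines():
        if not line.strip().startswith("add "):
            continue
        fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        if "src-address" in fields and "dst-address" in fields:
            policies.append(tuple(ipaddress.ip_network(fields[k], strict=False)
                                  for k in ("src-address", "dst-address")))
    return policies

def classify(local, remote):
    """Compare one local (src, dst) policy with one remote (src, dst) policy."""
    (l_src, l_dst), (r_src, r_dst) = local, remote
    if l_src == r_dst and l_dst == r_src:
        return "match"            # exact mirror: both sides propose the same subnets
    if l_src.overlaps(r_dst) and l_dst.overlaps(r_src):
        return "overlap-only"     # e.g. a /24 on one side inside a /16 on the other
    return "unrelated"

def audit(local_export, remote_export):
    """Return (src, dst, verdict) for each local policy against the remote set."""
    remote = parse_policies(remote_export)
    findings = []
    for lp in parse_policies(local_export):
        results = {classify(lp, rp) for rp in remote}
        verdict = next((v for v in ("match", "overlap-only") if v in results),
                       "no-peer-policy")
        findings.append((str(lp[0]), str(lp[1]), verdict))
    return findings

if __name__ == "__main__":
    for src, dst, verdict in audit(ROUTER_A, ROUTER_B):
        print(f"{src} -> {dst}: {verdict}")
```

Policies reported as `overlap-only` are the ones to align on both routers before an upgrade, if the behaviour change reported above applies.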
 
akarpas
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Mar 20, 2018 4:46 pm

Re: some of ipsec tunnels stopped working

Sun May 20, 2018 6:27 pm

CZFan wrote:
> I suspect your IPSec tunnels go down during the evening as there is no "interesting" traffic flowing through. There should be no reason to restart routers, a ping through the tunnel should suffice.
>
> Without seeing your config, very difficult to say what your current problem is.

Thanks for your sarcasm, seems to be you are a rude geek. I found the problem: some NAT rules created before caused problems, so I removed them, problem fixed.
 
akarpas
Frequent Visitor
Topic Author
Posts: 56
Joined: Tue Mar 20, 2018 4:46 pm

Re: some of ipsec tunnels stopped working

Sun May 20, 2018 6:29 pm

tippenring wrote:
> I've noticed a recent change around 6.42. Previously, if one side was set to tunnel 10.10.0.0/24, and the other side was set for 10.0.0.0/16, the side with the /16 defined would accept the /24 proposal.
> Around 6.42, it seems that flexibility disappeared. Now both routers have to have matching subnet definitions.

I always use the same subnets. Tomorrow I'm setting up a new tunnel and am going to test your findings. Thanks man!!!
 
CZFan
Forum Guru
Posts: 1028
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: some of ipsec tunnels stopped working

Sun May 20, 2018 6:30 pm

akarpas wrote:
> CZFan wrote:
> > I suspect your IPSec tunnels go down during the evening as there is no "interesting" traffic flowing through. There should be no reason to restart routers, a ping through the tunnel should suffice.
> >
> > Without seeing your config, very difficult to say what your current problem is.
>
> Thanks for your sarcasm, seems to be you are a rude geek. I found the problem: some NAT rules created before caused problems, so I removed them, problem fixed.

WTF???
MTCNA, MTCTCE, MTCRE & MTCINE
 
sindy
Forum Guru
Posts: 2580
Joined: Mon Dec 04, 2017 9:19 pm

Re: some of ipsec tunnels stopped working

Sun May 20, 2018 6:41 pm

akarpas wrote:
> CZFan wrote:
> > I suspect your IPSec tunnels go down during the evening as there is no "interesting" traffic flowing through. There should be no reason to restart routers, a ping through the tunnel should suffice.
> >
> > Without seeing your config, very difficult to say what your current problem is.
>
> Thanks for your sarcasm, seems to be you are a rude geek. I found the problem: some NAT rules created before caused problems, so I removed them, problem fixed.

English is not my native language, can you pinpoint which part of @CZFan's post you've found sarcastic? To me it seemed like a constructive and neutral statement; some tunnelling protocols do tear down if idle for an extended period of time, and sometimes they have a problem re-establishing because they need the triggering traffic to come in the "right" direction. For example, if the traffic is for a peer behind an uncontrolled NAT, it is physically impossible for the peer on a public address to re-establish the connection.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
