rv042 vpn dropped

Answered Question
Jul 9th, 2009

Hi

Sometimes we have a problem with some customers with a  (all day  and don't reconnect automatically). We've tried many configurations and updates, MTU size, a new RV042, and it doesn't resolve the problem.

Other customers have this problem, but only once a month or every 2 or 3 months.

We've tried another router from another brand and it resolved the problem in one place. We don't want to change all customers to the new router; we want to keep the RV042 because we like it and about 60 were installed in many places.

Thanks for your help

Correct Answer
Steven DiStefano Mon, 07/13/2009 - 06:08

There are many hops between any two routers involved in a site-to-site (gateway to gateway) VPN and it is impossible to comment about what is happening in your case. Are you using dead peer detection and keep alive on BOTH sides of this IPsec tunnel? Are both sides RV042? Do you have logs for the case where the tunnel fails and doesn't automatically reestablish as it should?

Let us know.

Steve DiStefano

SE Small Business Sales U.S.

jcsoucy01 Mon, 07/13/2009 - 10:44

Hi

M.DiStefano

I'm using RV042 on both sides with the same firmware (1.3.12.6-tm); DPD and Keep Alive are in use. No, we don't have access to a log because the router doesn't know it was disconnected: when we look at the VPN status it says connected, but in reality it is not connected and we are unable to ping the remote address. We disconnect the connection manually, and then it reconnects automatically and works correctly after 3 seconds. After a time the same problem comes back.

If you need other information, don't hesitate.

Thanks for your help.

ciscodavew Wed, 07/15/2009 - 08:17

We are experiencing the same thing with the same firmware version. One end of the gateway-to-gateway VPN is set as Dynamic IP + E-mail Addr and the other as IP Only (both RV042s). Since web searches reveal that this problem has been occurring for well over a year, I'm wondering if anyone might have at least a workaround for this problem. If the problem won't be fixed in the firmware anytime soon (in this case, DPD is clearly broken), are there any suggestions for a client application that will send a keepalive through the tunnel and then automatically log into the RV042 web interface to disconnect the VPN when down for X number of seconds? I also have several RV042 routers deployed that I chose specifically for its unique capabilities and don't want to replace them, but I wasn't counting on this critical problem causing me to babysit multiple VPNs.

Te-Kai Liu Wed, 07/15/2009 - 10:10

Would you try the following workaround?

Enable DPD on both ends of the site-to-site VPN tunnel, but only enable Keep-Alive on the branch office, which is more likely to send traffic to the central site. This way if the tunnel does disconnect for whatever reason, one side of the tunnel will take the responsibility to initiate the IKE to reconnect.

Ideally we want to have Keep-Alive enabled on both sides of the tunnel so as soon as an endpoint finds its peer dead, it can reconnect right away. But under certain timing, it might have caused the IKE to enter into a dead-lock state where both ends try to reconnect but no one can succeed.

ciscodavew Wed, 07/15/2009 - 11:22

One of the VPNs is already set up this way as I've tried different combinations to make this go away. With the static IP endpoint set without keep-alives, the problem seems to occur as often as it did with it set. The underlying DSL connectivity remains perfectly stable when the "outage" occurs. The VPN recovers gracefully when there is a glitch in the DSL connectivity or when the IP address changes, so this appears to be a unique issue that is not caused by connectivity problems.

Te-Kai Liu Thu, 07/16/2009 - 07:05

Could you or someone that has a similar issue open a ticket at the Tech Support so we can investigate the issue further and quickly come up with a fix? The product team needs some customers to verify the solution if it exists.

ciscodavew Thu, 07/16/2009 - 08:19

Since I hate jumping through the hoops and dealing with first tier support that usually goes along with opening trouble tickets, I am going to try something new to see if it works. All instances I've seen reported on the problem have been with dynamic-to-static VPNs. I will be reconfiguring one of the tunnels as dynamic-to-dynamic despite one side actually having a static IP address. If this works, I won't pursue the matter further; if not, I'll either be opening a ticket or finding replacement hardware.

Thanks for the suggestions.

daviddun Thu, 07/16/2009 - 09:15

Good Morning,

To follow up on the earlier comment, I would call into the Cisco support to get a ticket open; this may be something that can be resolved very easily....

Te-Kai Liu Fri, 07/31/2009 - 09:01

RV042 new firmware has been posted. Hope it can fix your VPN issues.

jcsoucy01 Thu, 09/17/2009 - 06:40

Hi

After 1 month and a half the problem is still there. A small step forward was made: the connection stays up longer than before, but the router says VPN connected and the connection was lost.

Thanks for your help.

pierre-rousset Wed, 10/21/2009 - 13:50

Unfortunately it doesn't fix the problem for me. I updated both RV042s to 1.3.12.19-tm but I still frequently have some strange VPN disconnections...

Also I can't use the keep-alive setting, because with this option enabled on both sides the VPN tunnel doesn't connect.

My configuration is the same on both sides; I attached it.

Any news about this issue?

Te-Kai Liu Wed, 10/21/2009 - 14:02

Could you try checking the Keep Alive option only on one side of the tunnel?

pierre-rousset Wed, 10/21/2009 - 14:13

I just did it and the VPN is connected now. I'll launch a ping all night and have a look tomorrow.

Thanks

pierre-rousset Fri, 10/23/2009 - 14:20

After testing, even with the Keep Alive option checked, same problem: the VPN is shown as "connected" in the web admin but is not working. I waited 15 minutes and clicked the "disconnect" button, and the VPN started to work correctly again...

Any advice? What should I do (we have already had this problem for 6 months)?

Te-Kai Liu Fri, 10/23/2009 - 21:30

Would you please call into the Small Business Support team so we can gather more information on your environment in order to root cause the issue?

Alejandro Gallego Thu, 11/19/2009 - 06:23

Pierre,

If your current configuration is still the same as in the screenshot you posted, enable aggressive mode on the side whose "Remote Group" is based on FQDN. This allows a little more time for the tunnel to establish and also to reconnect should it go down. Also, if possible, please post the VPN log even though the log may not say that the tunnel is down. One thing that I have noticed is that if the unit's time is not correct we experience what you are describing (don't know why). I would be willing to bet that your VPN log will show a constant state of authentication over and over, and you would probably see ISAKMP key expiration, followed by renegotiation. Please keep us posted.

Remember that posts like yours allow us to find resolutions to problems based on FW releases or configuration. They do get noticed.

pierre-rousset Mon, 11/23/2009 - 14:16

Hi,

After a few experiments, what I can say is: the latest firmware (1.3.12.19-tm) is the worst one ever made for the RV042 (I'm sorry, but I've really had enough of all the problems with this router...).

A few explanations:

Actually the biggest problem is not to have a stable VPN but to have a VPN where all data goes through.

I tried a lot of configurations, and in almost all cases I could get a VPN connected and I could ping the next router (through the VPN). But if I'm doing a data transfer or a Remote Desktop session on my TSE server, almost all data is lost. => VPN totally unusable!

I finally found a temporary working solution: I changed the MTU from auto to 1490 (my connection is normally 1492, but it's the maximum value with which I could get a fully working VPN). And I did a basic Gateway-to-Gateway VPN (see screenshot 1). In this case I can use Remote Desktop and do data transfers.

A few days later I tried to make the VPN more secure, so I decided to change the configuration (see screenshot 2). The VPN gets connected but with the same problem as before: impossible to do data transfers or RDP. I tried changing the MTU down to the value 1200 but still nothing works normally. I finally rolled back to the last working configuration...

I read on the internet that I'm not alone in having an MTU issue. Cisco must do something quickly. Very bad publicity for you, and very bad for all RV042 users...

Thanks !

Anonymous (not verified) Thu, 11/26/2009 - 04:00

Hi,

I get this error too with my site-to-site VPN.

In the central office, Keep Alive, NAT Traversal and DPD are activated.

In the remote office, Aggressive mode, NAT Traversal and DPD are activated.

The VPN goes down and after a few seconds goes up.

This is the log from RV042 from central office:

Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   Dead Peer Detection Start, DPD delay timer=10 sec  timeout=10 sec
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] >>> Initiator Send Quick Mode 3rd packet
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] Outbound SPI value = 71a9ceb5
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] Inbound  SPI value = d7661b0f
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] <<< Initiator Received Quick Mode 2nd packet
Nov 26 14:38:49 2009    VPN Log   [Tunnel Negotiation Info] >>> Initiator send Quick Mode 1st packet
Nov 26 14:38:49 2009    VPN Log   initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+NAT-T to replace #589

Software version on both routers is 1.3.12.6-tm. We had no problem with connectivity between sites in this time.
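
Added example (not part of the original thread and not Cisco code): a small parser for the RV042 "VPN Log" lines quoted in the post above. It puts the newest-first listing into chronological order and groups the entries into Phase 2 rekey events, so the negotiated SPIs, the DPD timers and the number of ignored Delete SA payloads after each rekey can be compared between both ends. The names parse, rekeys and SAMPLE are illustrative; SAMPLE is an excerpt of the lines posted above.

```python
import re
from datetime import datetime

# Excerpt of the central-office log quoted in the post above, newest entry first.
SAMPLE = """\
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Nov 26 14:38:50 2009    VPN Log   Dead Peer Detection Start, DPD delay timer=10 sec  timeout=10 sec
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] Outbound SPI value = 71a9ceb5
Nov 26 14:38:50 2009    VPN Log   [Tunnel Negotiation Info] Inbound  SPI value = d7661b0f
Nov 26 14:38:49 2009    VPN Log   initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+NAT-T to replace #589
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8} \d{4})\s+VPN Log\s+(.*)$")

def parse(text):
    """Return (timestamp, message) pairs, oldest first."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            rows.append((ts, m.group(2)))
    rows.reverse()                           # the log is listed newest first
    return sorted(rows, key=lambda r: r[0])  # stable: keeps same-second order

def rekeys(rows):
    """Group entries into Phase 2 rekey events, one per 'initiating Quick Mode'."""
    events, cur = [], None
    for ts, msg in rows:
        if m := re.search(r"initiating Quick Mode \S+ to replace #(\d+)", msg):
            cur = {"replaces": int(m.group(1)), "start": ts, "up": None,
                   "spi": {}, "dpd": None, "stale_deletes": 0}
            events.append(cur)
        elif cur is None:
            continue                         # nothing to attach this entry to yet
        elif m := re.search(r"(Inbound|Outbound)\s+SPI value = ([0-9a-f]+)", msg):
            cur["spi"][m.group(1).lower()] = m.group(2)
        elif "Phase 2 SA Established" in msg:
            cur["up"] = ts
        elif m := re.search(r"DPD delay timer=(\d+) sec\s+timeout=(\d+) sec", msg):
            cur["dpd"] = (int(m.group(1)), int(m.group(2)))
        elif msg.startswith("ignoring Delete SA payload") and cur["up"]:
            cur["stale_deletes"] += 1        # Delete for an SA this router no longer has
    return events
```

Running the same function over the log of the remote router for the same time window shows whether both ends agree on the SPI pair after each rekey.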

daviddun Mon, 10/26/2009 - 05:20

Good Morning,

Please call into the SBSC 1.866.606.1866 for support on this problem.  The first steps after you have upgraded the firmware on both sides is to do a factory reset to the units.

After the reset, then setup your tunnels, if you have any problems then you need to call in for support.

pierre-rousset Wed, 11/18/2009 - 01:26

I followed your advice: I did a hard reset on both RV042s (firmware 1.3.12.19tm) and it broke everything.

Now I still have an unstable VPN, but the worst thing is I also have an MTU problem on the VPN (the maximum size I can get is 1412 bytes with ping -f -l 1412). This is a big problem because we are using TSE over the tunnel, and with this new MTU problem it's impossible to use TSE...

I read on the internet that I'm not alone in having an MTU problem (but most people are getting this problem on the internet connection and not on the VPN).

Is Cisco working on a new firmware? Is there a solution? Where can I get an older firmware? Where should I call to report this problem (I'm in France)?


Thanks

David Carr Wed, 11/18/2009 - 08:06

Here is the contact information for France. I am not sure which one of these contact numbers you would need to use, so I posted them all. Hopefully this helps you out.

France

Cisco Systems France
11, rue Camille Desmoulins
92782 Issy les Moulineaux
Cedex 9, France
Phone: 0 800 770 400
+33(0)1 58 04 58 58
Fax: +33 (0)1 58 04 61 00

Cisco Systems France
Immeuble Danica
21 av. Georges Pompidou
La Part Dieu
69486 Lyon Cedex 03, France
Phone: 0800 770 400
+33(0)1 58 04 58 58
Fax: +33(0)4 72 91 30 30

Cisco Systems France
Centre d'Affaires d'Alizés
La Rigourdière
35510 Cesson Sevigné, France
Phone: 0 800 770 400
+33(0)1 58 04 58 58
Fax: +33(0)2 99 83 53 54


Cisco Systems France
Regus Centre
8, Esplanade Compans Caffarelli
31 000 Toulouse, France
Phone: 0800 770 400
+33(0)1 58 04 58 58
Fax: +33 (0)5 62 30 50 00

Cisco Systems France
Place des Halles
Tour Sebastopol, Bureau 313
3, quai Kleber
67080 Strasbourg cedex 3, France
Phone: 0800 770 400
+33(0)1 58 04 58 58
Fax: +33(0)3 88 23 70 00

Cisco Sophia Antipolis
Village d'Entreprises Green Side
400, avenue Roumanille
bâtiment 3
06410 Biot, France
Phone: 0 800 770 400
+33(0)1 58 04 58 58
Fax: +33(0)4 97 23 26 26
