VPN Tunnel hangs after Smart Link Backup Failover

I'm using a RV082 (v4.2.3.03) in a branch office to establish a VPN tunnel to our main office firewall (pfsense 2.1.4).

As long as I'm using a single WAN connection on the RV082, everything runs fine. When I add a second WAN in "Smart Link Backup" mode, the VPN connection "hangs" (shows "connected" but IP traffic fails) after almost each WAN reconnect (our ISP reconnects every 24h).

WAN Setup:
WAN1 PPPoE with Keep Alive redial: 30s. Auto MTU.
WAN2 PPPoE with Keep Alive redial: 30s. Auto MTU
WAN2 gets the same IP address if WAN1 goes down.

Dual WAN Setup:
Smart Link Backup: WAN1 primary
Fallback after: 30s
WAN1/WAN2 Service Detection: Retries: 5, Timeout: 60s, Failover: Keep log and remove connection

VPN Setup:
Tunnel Interface: WAN1
Security Type: "IP only"
IKE-PSK, Group2, AES-256, SHA1
Phase 1: 28800s
Phase 2: 3600s
main mode
Keep-Alive on
DPD: 10s
Tunnel Backup: Interface WAN2, same remote IP, Idle Time 60s

Logs:
After a WAN reconnect I get the following log entries in the RV082:
Jul 17 06:49:17 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 3dcd eth2 
Jul 17 06:49:17 2014 System Log [pppoe] Got connection: 3dcd 
Jul 17 06:49:19 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK 
Jul 17 06:49:55 2014 Kernel last message repeated 2 times 

and the pfsense:
racoon: [SITE]: [Remote IP] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP [Remote IP][0]->[Local IP][0]
racoon: ERROR: phase1 negotiation failed due to time up. f5e56cfa623a88f0:0000000000000000
racoon: [SITE]: [Remote IP] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
racoon: INFO: delete phase 2 handler.
racoon: [SITE]: [Remote IP] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP [Remote IP][0]->[Local IP][0]
racoon: INFO: begin Identity Protection mode.

This repeats until I open and save the VPN settings on the RV082. Thereafter the VPN is up again:
Jul 17 09:03:25 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 5b40 eth2 
Jul 17 09:03:25 2014 System Log [pppoe] Got connection: 5b40 
Jul 17 09:03:30 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK 
Jul 17 09:03:36 2014 VPN Log (g2gips0) #5: [Tunnel Established] ISAKMP SA established 
Jul 17 09:03:36 2014 System Log gateway_to_gateway.htm is changed. 
Jul 17 09:03:37 2014 VPN Log (g2gips0) #6: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x0ddb99e0 <0x9095ae0c} 
Jul 17 09:03:37 2014 VPN Log (g2gips0) #7: [Tunnel Established] IPsec SA established {ESP=>0x01128af2 <0x8ccce43c} 
Jul 17 09:03:40 2014 VPN Log (g2gips0) #8: [Tunnel Established] sent MR3, ISAKMP SA established 
Jul 17 09:03:57 2014 System Log network.htm is changed. 
Jul 17 09:04:01 2014 System Log DMZ connection is up : 0.0.0.0/255.255.255.0 on eth2 

Any ideas how to solve this?
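As an added example that is not part of this thread, a small Python monitor that scans RV082 syslog lines for the hung state described above: a PPPoE reconnect followed by "Tunnel Authorize Fail" with no "ISAKMP SA established" inside a grace window. The sample lines and the remote address 203.0.113.10 are constructed to match the log format quoted in the post.

```python
import re
from datetime import datetime

# Constructed sample modelled on the RV082 log lines quoted in the post.
# 203.0.113.10 is a placeholder for the pfSense side ([Remote IP]).
SAMPLE_LOG = """\
Jul 17 06:49:17 2014 System Log [pppoe] Got connection: 3dcd
Jul 17 06:49:19 2014 VPN Log packet from 203.0.113.10:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 06:49:55 2014 Kernel last message repeated 2 times
Jul 17 09:03:25 2014 System Log [pppoe] Got connection: 5b40
Jul 17 09:03:30 2014 VPN Log packet from 203.0.113.10:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 09:03:36 2014 VPN Log (g2gips0) #5: [Tunnel Established] ISAKMP SA established
"""

# "Jul 17 06:49:17 2014 <facility> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")


def parse(text):
    """Turn raw syslog text into a list of (datetime, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not carry a timestamp
        events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"), m["msg"]))
    return events


def find_stuck_tunnels(text, grace_seconds=120):
    """Return the timestamps of PPPoE reconnects after which IKE never completed.

    A reconnect is 'stuck' when a Tunnel Authorize Fail follows it and no
    ISAKMP SA is established within grace_seconds before the next reconnect.
    """
    events = parse(text)
    stuck = []
    for i, (t0, msg) in enumerate(events):
        if "[pppoe] Got connection" not in msg:
            continue
        auth_fail = established = False
        for ts, later in events[i + 1:]:
            if "[pppoe] Got connection" in later:
                break  # next reconnect starts a new window
            if "Tunnel Authorize Fail" in later:
                auth_fail = True
            if "ISAKMP SA established" in later and (ts - t0).total_seconds() <= grace_seconds:
                established = True
                break
        if auth_fail and not established:
            stuck.append(t0)
    return stuck
```

On the constructed sample the 06:49 reconnect is reported as stuck, while the 09:03 reconnect recovers because phase 1 completes 11 seconds later.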


adelphiconsult, My name is

 

This is why the logs are indicating that phase 2 never sees a phase 1 connection. Phase 1 times out because it's unable to find the correct WAN IP.

When the connection fails from one public IP and establishes another connection with a different public IP, the pfsense VPN will not know of the new public IP. The one way it will know is by having the tunnel backup feature on both ends of the tunnel.

First you need 2 devices on both ends that support VPN failover. The one device I can recall that has this feature is the RV320. With two RV320s on both ends you would be able to do VPN failover with no issues.

Hi Ismael!

In my case the WAN ip doesn't change: I've got a fixed IP that works on both physical DSL lines. So if WAN1 fails, WAN2 will establish the connection with the same IP. Therefore I don't understand why the VPN gets stuck. It should be almost the same as a WAN1 without failover...
