ER605 VPN Log showing traffic with 169.254.0.0/16 subnet
Hello. I am struggling with the slow VPN connection with my ER605's. I have two locations and I set one location (A) to VPN to the other location (B) using L2TP/IPSec so I can manage devices in B from my home in A. I'm so frustrated of the slowness of my access to devices in B that I looked at the log in the ER605 in B. (BTW, both ER605 have the same HW and Firmware versions. The log in B shows that there are traffic requests from subnet 169.254.0.0/16. That is a subnet for devices which does not know which device that traffic came from!!! I think this is what's causing the latency in the connection from A to B.
What could be causing this? Shall I change a VPN Protocol?
In the latest firmware update, there is now a GRE VPN section but I don't know how to set it to connect location A to B. Maybe that is a better option for me.
Thanks in advance.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @firefox111
Thanks for posting in our business forum.
firefox111 wrote
The download I showed were my ISP's actual bandwidth. I don't download between the two locations (well, sometimes..). My concern here is when I try to connect to location B's ER605 management web interface from location A, it times out after I enter my login credentials.
It logs out after 6 minutes by default. If you want to change that, (only) in standalone mode, web idle timeout, change that.
firefox111 wrote
Then looking at location B's ER605 log, I see a management attempt from a 169.254.11.** IP Address! That is my concern. Is that why my attempt to manage the ER605 in location B does not go through?
It is okay to see that IP because it is what the firmware writes. I have confirmed it with you in the previous reply.
firefox111 wrote
Well, I think this discussion is nowhere if no one can explain the 169.254.0.0/16 subnet in the log......
Is there something wrong with the forum server? I did reply to your question regarding this subnet.
Go above and read what's been said on Thursday. It's been explained in that thread linked. That's why I remember it was answered and there is no point in me repeating this to you as there is an explanation.
ACL State was added to the previous firmware. Not 2.2.2. It does not make a problem.
firefox111 wrote
There is a discussion of 2.2.2's issue with HTTPS in another thread! Maybe that is my issue! I updated to 2.2.2 which I donloaded from the normal dowload center page and no warning on the forcing of HTTPS! Why???? Was 2.2.2 been tested in the lab before a public release?????
When the dev releases this firmware, it never came across their mind that there are people literally turning off the HTTPS. Usually, we recommend you proceed with the HTTPS. Reason why HTTPS, you can Google it - HTTP VS HTTPS.
2.2.2 is a version focusing on security fixes and it changes the security-related settings. So, if you have disabled HTTPS, then there is no way to access it. Refer to the related solution post.
- Copy Link
- Report Inappropriate Content
Hi @firefox111
Thanks for posting in our business forum.
How slow? What is the speed you get? How do you verify and determine it is slow?
How about your ISP speed? Both sites, DL and UL speed.
Don't get frustrated before you start to learn about the differences between the models.
Don't get frustrated before you pick a good VPN protocol.
About this subnet, screenshot it. Is it in the log?? I don't think so. Did you find it in the Routing Tables?
- Copy Link
- Report Inappropriate Content
Okay. I have prepared snippets to show what is happening. Note that the VPN connection is up and established from Location A to Location B with 192.168.5.0/24 in A and 192.168.4.0/24 in B. I hope these snippets will be accepted by the forum server.
I'll show the L2TP VPN configuration of the ER605 in Location A to connect to ER605 in Location B;
The Tunnel List in both A and B;
The speedtest.net statistics of my Internet connections in Location A and B.
Then in Location A, I tried to log in to Location B's ER605 management interface at 2023-11-22 21:19:03. BTW, I don't even get the management interface.... It just times out.
Then finally I remotely logged in to a server in Location B to open the ER605 management interface at 2023-11-22 21:20:44. As you can see, the IP Address is 169.254.11.22. Where is B's ER605 getting that?
Even coming from an iPad with 5G Cellular connection via L2TP connection to ER605 in B, when I try to open B's management interface, I just get a round and round cursor and finally times out. And again, I see the 169.254.*.* IP in the log!
Here are the snippets:
- Copy Link
- Report Inappropriate Content
Here's the Log list in B's ER605.
======= How come the forum server is removing the snippet for the log????
Do I have to reduce the size of the snippet?
====================================================
Well, I give up! I cannot attach the snippet for the Log list.
- Copy Link
- Report Inappropriate Content
Hi @firefox111
Thanks for posting in our business forum.
In regard to 169.254/16, I remember this is answered. So, indeed, there is a link: https://community.tp-link.com/en/business/forum/topic/274578
So, if you download files based on the speed test you gave at A, and DL file from B, you get a 10Mbps max. At B, download from A, you get 50.
How slow is your VPN speed?
- Copy Link
- Report Inappropriate Content
The download I showed were my ISP's actual bandwidth. I don't download between the two locations (well, sometimes..). My concern here is when I try to connect to location B's ER605 management web interface from location A, it times out after I enter my login credentials. Then looking at location B's ER605 log, I see a management attempt from a 169.254.11.** IP Address! That is my concern. Is that why my attempt to manage the ER605 in location B does not go through?
I noticed after I updated the firmware of both ER605 to 2.2.2 Build 20231017 Rel.68869, my connections to devices (cameras, home assistant, access point, server, etc..) have slowed down!
The latest update brought more features and functions: USB can now be a Storage for automated backup, there is a GRE VPN option, in the Firewall "Access Control" there is now option for "Stat: New, Established, Invalid, or Related", etc.. This new "Access Control" option left all my rules to have nothing in the "State" option. Is that going to be a problem???
Well, I think this discussion is nowhere if no one can explain the 169.254.0.0/16 subnet in the log......
- Copy Link
- Report Inappropriate Content
There is a discussion of 2.2.2's issue with HTTPS in another thread! Maybe that is my issue! I updated to 2.2.2 which I donloaded from the normal dowload center page and no warning on the forcing of HTTPS! Why???? Was 2.2.2 been tested in the lab before a public release?????
- Copy Link
- Report Inappropriate Content
Hi @firefox111
Thanks for posting in our business forum.
firefox111 wrote
The download I showed were my ISP's actual bandwidth. I don't download between the two locations (well, sometimes..). My concern here is when I try to connect to location B's ER605 management web interface from location A, it times out after I enter my login credentials.
It logs out after 6 minutes by default. If you want to change that, (only) in standalone mode, web idle timeout, change that.
firefox111 wrote
Then looking at location B's ER605 log, I see a management attempt from a 169.254.11.** IP Address! That is my concern. Is that why my attempt to manage the ER605 in location B does not go through?
It is okay to see that IP because it is what the firmware writes. I have confirmed it with you in the previous reply.
firefox111 wrote
Well, I think this discussion is nowhere if no one can explain the 169.254.0.0/16 subnet in the log......
Is there something wrong with the forum server? I did reply to your question regarding this subnet.
Go above and read what's been said on Thursday. It's been explained in that thread linked. That's why I remember it was answered and there is no point in me repeating this to you as there is an explanation.
ACL State was added to the previous firmware. Not 2.2.2. It does not make a problem.
firefox111 wrote
There is a discussion of 2.2.2's issue with HTTPS in another thread! Maybe that is my issue! I updated to 2.2.2 which I donloaded from the normal dowload center page and no warning on the forcing of HTTPS! Why???? Was 2.2.2 been tested in the lab before a public release?????
When the dev releases this firmware, it never came across their mind that there are people literally turning off the HTTPS. Usually, we recommend you proceed with the HTTPS. Reason why HTTPS, you can Google it - HTTP VS HTTPS.
2.2.2 is a version focusing on security fixes and it changes the security-related settings. So, if you have disabled HTTPS, then there is no way to access it. Refer to the related solution post.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 745
Replies: 7
Voters 0
No one has voted for it yet.