VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional

a week ago - last edited Yesterday
Model: ER707-M2  
Hardware Version: V1
Firmware Version: 1.2.3 (or 1.2.2)

Hello,

I have a VPN tunnel between 2 ER707-M2 routers. It was working really well and consistently providing about 200mb of bandwidth, but recently it has all but stopped working. The only thing I believe I did was upgrade to the 1.2.3 firmware.

The VPN is still connecting and I can ping and ssh into devices through it. Anything that requires any more bandwidth than that does not work (VNC, Remote Desktop, even HTTP).

I have rolled back to the 1.2.2 firmware but that did not fix the problem.

Any ideas what could be wrong?

1 Accepted Solution
Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional-Solution
Monday - last edited Yesterday

@Clive_A I have finally figured out what is causing the issue. It is AT&T. It turns out that if you connect the 707 router directly to their NID they let pretty much all traffic through. Unfortunately, they only allow about 500k of total traffic to get through and then they cut it off. If you insert their router device between the NID and the 707 everything works as expected.

This seems stupid and crazy but I guess the solution is to keep their router in place.

Thanks for the help.

Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

Hi @Bonfigleo

Thanks for posting in our business forum.

If you roll back the firmware and the problem persists, it is more likely to be a problem with your ISP.

In your description, you stated that you have a 200Mbps speed between two sites which means both sites can reach at least 200Mbps. I am not sure of your region but this high upload bandwidth is rare in my region.

It usually allows you 10% of the DL. If you need more, you need to pay extra for the enterprise plan.

Regarding the VPN, as long as you have ping and ssh working, it means the VPN tunnel is still up and running.

What you can do at most is to redo the VPN connection and see if there is any improvement.

I cannot rule out that you have a setup error in the IP arranging. It may be a problem with that and I would recommend you examine everything again.

This does not look like a software issue with the firmware based on the given information.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago - last edited a week ago

@Clive_A I guess my message was not clear. Both routers have > 1Gbps fiber. This VPN was consistently getting 200mbps. As you can see below, the speed between the sites is over 500mbps without the VPN.

I have redone the VPN auto, manual and even as a client-to-site. The result is the same. Given that the tunnel is connecting and some small amount of traffic is getting through, it seems like it has to be some misconfiguration on one or both of the routers causing the issue. One thing that I have noticed is the following odd behavior with iperf. When I start a test, it gets a small amount of data through in the first second and then nothing for the rest of the test.

Connecting to host 192.168.2.5, port 5201
[  5] local 192.168.2.40 port 50635 connected to 192.168.2.5 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.01   sec   384 KBytes  3.13 Mbits/sec
[  5]   1.01-2.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   2.01-3.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   3.01-4.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   4.01-5.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   5.01-6.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   8.00-9.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   9.01-10.00  sec  0.00 Bytes  0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec   384 KBytes   315 Kbits/sec                  sender
[  5]   0.00-10.05  sec   128 KBytes   104 Kbits/sec                  receiver

For reference, here is the iperf directly over the internet with no VPN:

[  5] local 192.168.0.2 port 43636 connected to port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  37.5 MBytes   314 Mbits/sec    6   6.53 MBytes
[  5]   1.00-2.00   sec  61.4 MBytes   515 Mbits/sec    0   6.73 MBytes
[  5]   2.00-3.00   sec  60.9 MBytes   511 Mbits/sec    0   6.73 MBytes
[  5]   3.00-4.00   sec  62.0 MBytes   520 Mbits/sec    0   6.73 MBytes
[  5]   4.00-5.00   sec  31.8 MBytes   266 Mbits/sec  1979   4.71 MBytes
[  5]   5.00-6.00   sec  60.8 MBytes   510 Mbits/sec    0   4.71 MBytes
[  5]   6.00-7.00   sec  58.9 MBytes   494 Mbits/sec    0   4.71 MBytes
[  5]   7.00-8.00   sec  58.9 MBytes   494 Mbits/sec    0   4.71 MBytes
[  5]   8.00-9.00   sec  57.0 MBytes   478 Mbits/sec  1079   3.32 MBytes
[  5]   9.00-10.00  sec  58.5 MBytes   490 Mbits/sec    0   3.32 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   548 MBytes   459 Mbits/sec  3064             sender
[  5]   0.00-10.05  sec   547 MBytes   456 Mbits/sec                  receiver

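The two iperf3 runs above show the symptom clearly: through the VPN a few hundred KB get through in the first interval and then every later interval is empty, while the direct run sustains ~500 Mbit/s. That "burst, then nothing" shape is also what the accepted solution describes (about 500k of traffic allowed, then cut off), so it is worth being able to spot it mechanically rather than by eye. The following is an added example, not code from the thread's posters, TP-Link or the iperf project: a small Python parser for iperf3 interval lines that classifies a run as healthy, stalled or intermittent and reports how much data arrived before the stall. The two sample reports are the ones pasted above; the stall threshold (MIN_ZERO_RUN, three consecutive empty intervals at the end of the run) is an assumption chosen for illustration.

```python
"""Classify an iperf3 client report from its per-interval lines.

Added example for this thread; not code from TP-Link, the posters or the
iperf project. The sample reports are the ones pasted in the thread and
MIN_ZERO_RUN is an assumed threshold.
"""
import re

MIN_ZERO_RUN = 3  # assumption: this many empty intervals at the end of a run is a stall

# Sample input (copied from the thread): the run through the VPN.
VPN_RUN = """\
[  5] local 192.168.2.40 port 50635 connected to 192.168.2.5 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.01   sec   384 KBytes  3.13 Mbits/sec
[  5]   1.01-2.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   2.01-3.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   3.01-4.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   4.01-5.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   5.01-6.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   6.00-7.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   7.00-8.00   sec  0.00 Bytes  0.00 bits/sec
[  5]   8.00-9.01   sec  0.00 Bytes  0.00 bits/sec
[  5]   9.01-10.00  sec  0.00 Bytes  0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   0.00-10.00  sec   384 KBytes   315 Kbits/sec                  sender
"""

# Sample input (copied from the thread): the same test directly over the internet.
DIRECT_RUN = """\
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  37.5 MBytes   314 Mbits/sec    6   6.53 MBytes
[  5]   1.00-2.00   sec  61.4 MBytes   515 Mbits/sec    0   6.73 MBytes
[  5]   2.00-3.00   sec  60.9 MBytes   511 Mbits/sec    0   6.73 MBytes
[  5]   3.00-4.00   sec  62.0 MBytes   520 Mbits/sec    0   6.73 MBytes
[  5]   4.00-5.00   sec  31.8 MBytes   266 Mbits/sec  1979   4.71 MBytes
[  5]   5.00-6.00   sec  60.8 MBytes   510 Mbits/sec    0   4.71 MBytes
[  5]   6.00-7.00   sec  58.9 MBytes   494 Mbits/sec    0   4.71 MBytes
[  5]   7.00-8.00   sec  58.9 MBytes   494 Mbits/sec    0   4.71 MBytes
[  5]   8.00-9.00   sec  57.0 MBytes   478 Mbits/sec  1079   3.32 MBytes
[  5]   9.00-10.00  sec  58.5 MBytes   490 Mbits/sec    0   3.32 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[  5]   0.00-10.00  sec   548 MBytes   459 Mbits/sec  3064             sender
"""

# One interval line; trailing Retr/Cwnd columns, when present, are simply not matched.
_INTERVAL = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<xunit>[KMG]?)Bytes\s+"
    r"(?P<rate>[\d.]+)\s+(?P<runit>[KMG]?)bits/sec"
)
_BYTE_MULT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}  # iperf3 scales bytes by 1024
_BIT_MULT = {"": 1, "K": 1e3, "M": 1e6, "G": 1e9}                # and bit rates by 1000


def parse_intervals(report):
    """Return (start_s, end_s, bytes, bits_per_s) for each interval line.

    Parsing stops at the '- - -' separator so that the sender/receiver
    summary lines, which match the same pattern, are not counted.
    """
    intervals = []
    for line in report.splitlines():
        if line.startswith("- - -"):
            break
        m = _INTERVAL.match(line)
        if m:
            intervals.append((float(m["start"]), float(m["end"]),
                              float(m["xfer"]) * _BYTE_MULT[m["xunit"]],
                              float(m["rate"]) * _BIT_MULT[m["runit"]]))
    return intervals


def classify(intervals, min_zero_run=MIN_ZERO_RUN):
    """'healthy' if every interval carried data; 'stall' if data flowed and then
    the last min_zero_run or more intervals carried nothing; else 'intermittent'."""
    total = sum(b for _, _, b, _ in intervals)
    zero_tail = 0                       # empty intervals at the end of the run
    for _, _, b, _ in reversed(intervals):
        if b > 0:
            break
        zero_tail += 1
    head = intervals[:len(intervals) - zero_tail]   # intervals that carried data
    if intervals and zero_tail == 0:
        verdict = "healthy"
    elif head and zero_tail >= min_zero_run:
        verdict = "stall"
    else:
        verdict = "intermittent"
    return {"verdict": verdict, "total_bytes": total,
            "stalled_after_s": head[-1][1] if verdict == "stall" else None}


def diagnose(report):
    """Parse and classify one iperf3 client report."""
    return classify(parse_intervals(report))
```

Running `diagnose(VPN_RUN)` reports a stall after 1.01 s with 384 KB delivered, and `diagnose(DIRECT_RUN)` reports a healthy run of about 548 MB. The bytes-before-stall figure is the number to compare against whatever the upstream device (here the ISP's NID) appears to permit; a stall that recurs at roughly the same byte count across repeated runs points at a per-flow cap rather than at the tunnel's crypto settings, which would instead show as a uniformly low but non-zero rate.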
Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

Hi @Bonfigleo 

Thanks for posting in our business forum.

Bonfigleo wrote

@Clive_A I guess my message was not clear. Both routers have > 1Gbps fiber. This VPN was consistently getting 200mbps. As you can see below, the speed between the sites is over 500mbps without the VPN.

Include a diagram with the IPs along with or before your post.

IPsec, site-to-site, right?

Both are updated to 1.2.3?

Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

  @Clive_A Yes, both are on 1.2.3.  IPSEC site-to-site with all the defaults either auto or manual.  I should also mention that they are both on a single controller.

Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

Hi @Bonfigleo 

Thanks for posting in our business forum.

Bonfigleo wrote

  @Clive_A Yes, both are on 1.2.3.  IPSEC site-to-site with all the defaults either auto or manual.  I should also mention that they are both on a single controller.

Controller just controls. It is not involved in the speed problems.

Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago - last edited a week ago

Bonfigleo wrote

  @Clive_A Yes, both are on 1.2.3.  IPSEC site-to-site with all the defaults either auto or manual.  I should also mention that they are both on a single controller.

@Bonfigleo

My router manages about 400 Mbps with the same firmware. What encryption do you use? I would recommend

IKEv2
phase 1 SHA-256 - AES256 - DH14
phase 2 ESP - SHA-256 - AES256

My experience is that these settings work best on this router.
Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

@MR.S Thanks for the suggestion. I used those settings and have the same result.

Router 1: (Hardware Version 1.0 FW: 1.2.3 Build 20240822 Rel.52946)
Router 2: (Hardware Version 1.2 FW: 1.2.3 Build 20240822 Rel.52946)

Name: WI2FL (REMOTE_WI2FL on Router 2)
Status: Enable
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Remote Gateway: xxx.xxx.xxx.xxx (Router 1 IP on Router 2)
Remote Subnet: 192.168.2.0/24 (192.168.0.0/24 on Router 2)
WAN: 2.5G WAN1
Local Network Type: Network
Local Networks: All
Pre-shared Key: xxxxxxxxxxxxxxxxxxx

Phase-1 Settings
IKE Protocol Version: IKEv2
Proposal: SHA-256 - AES256 - DH14
Negotiation Mode: Responder Mode (Initiator Mode on Router 2, though I have tried switching these)
Local ID Type: IP Address
Remote ID Type: IP Address
SA Lifetime: 2880
DPD: Enable
DPD Interval: 10

Phase-2 Settings
Encapsulation Mode: Tunnel Mode
Proposal: ESP - SHA-256 - AES256
PFS: none
SA Lifetime: 28800

Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

@Bonfigleo

It probably has nothing to do with it, but I use Initiator Mode on both routers.
Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

@MR.S et al

I reported a similar bug with ER707 v1.2.3 running IPSEC over L2TP to some ER605v1. Tunnels don't even come up anymore, but downgrading to 1.2.2 again fixes everything. These were client-server connections, not site-site, but I don't think that matters either. Zero changes to ER605 endpoints.

Something is borked with IPSEC in the new 1.2.3 load is my educated guess.

<< Paying it forward, one juicy problem at a time... >>
Re:VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
a week ago

Hi @Bonfigleo 

Thanks for posting in our business forum.

Since dougmac has come to comment, we noticed his report, which seems to be the first one. Based on the preliminary test we have done in the lab without touching his backup, we did not reproduce the issue.

Would love to learn more from your problem if it is possible.

We will require a backup of both sites if you can provide it.

Controller version if there is one, as we need to import the backups.

A network diagram with IPs specified.
