VPN Tunnel between 2 ER707-M2 routers is suddenly barely functional
Hello,
I have a VPN tunnel between 2 ER707-M2 routers. It was working really well and consistently providing about 200mb of bandwidth, but recently it has all but stopped working. The only thing I believe I did was upgrade to the 1.2.3 firmware.
The VPN is still connecting and I can ping and ssh into devices through it. Anything that requires any more bandwidth than that does not work (VNC, Remote Desktop, even HTTP).
I have rolled back to the 1.2.2 firmware but that did not fix the problem.
Any ideas what could be wrong?
@Clive_A I have finally figured out what is causing the issue. It is AT&T. It turns out that if you connect the 707 router directly to their NID they let pretty much all traffic through. Unfortunately, they only allow about 500k of total traffic to get through and then they cut it off. If you insert their router device between the NID and the 707 everything works as expected.
This seems stupid and crazy but I guess the solution is to keep their router in place.
Thanks for the help.
Hi @Bonfigleo
Thanks for posting in our business forum.
If you roll back the firmware and the problem persists, it is more likely to be a problem with your ISP.
In your description, you stated that you have a 200Mbps speed between two sites which means both sites can reach at least 200Mbps. I am not sure of your region but this high upload bandwidth is rare in my region.
It usually allows you 10% of the DL. If you need more, you need to pay extra for the enterprise plan.
Regarding the VPN, as long as you have ping and ssh working, it means the VPN tunnel is still up and running.
What you can do at most, is to redo the VPN connection and see if there is any improvement.
I cannot rule out that you have a setup error in the IP arranging. It may be a problem with that and I would recommend you examine everything again.
This does not look like a software issue with the firmware based on the given information.
@Clive_A I guess my message was not clear. Both routers have > 1gbps fiber. This VPN was consistently getting 200mbps. As you can see below, the speed between the sites is over 500mbps without the VPN.
I have redone the VPN auto, manual and even as a client-to-site. The result is the same. Given that the tunnel is connecting and some small amount of traffic is getting through, it seems like it has to be some misconfiguration on one or both of the routers causing the issue. One thing that I have noticed is the following odd behavior with iperf. When I start a test, it gets a small amount of data through in the first second and then nothing for the rest of the test.
Connecting to host 192.168.2.5, port 5201
[ 5] local 192.168.2.40 port 50635 connected to 192.168.2.5 port 5201
[ ID] Interval Transfer Bitrate
[ 5] 0.00-1.01 sec 384 KBytes 3.13 Mbits/sec
[ 5] 1.01-2.01 sec 0.00 Bytes 0.00 bits/sec
[ 5] 2.01-3.01 sec 0.00 Bytes 0.00 bits/sec
[ 5] 3.01-4.01 sec 0.00 Bytes 0.00 bits/sec
[ 5] 4.01-5.01 sec 0.00 Bytes 0.00 bits/sec
[ 5] 5.01-6.00 sec 0.00 Bytes 0.00 bits/sec
[ 5] 6.00-7.00 sec 0.00 Bytes 0.00 bits/sec
[ 5] 7.00-8.00 sec 0.00 Bytes 0.00 bits/sec
[ 5] 8.00-9.01 sec 0.00 Bytes 0.00 bits/sec
[ 5] 9.01-10.00 sec 0.00 Bytes 0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate
[ 5] 0.00-10.00 sec 384 KBytes 315 Kbits/sec sender
[ 5] 0.00-10.05 sec 128 KBytes 104 Kbits/sec receiver
For reference, here is the iperf run directly over the internet with no VPN:
[ 5] local 192.168.0.2 port 43636 connected to port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 37.5 MBytes 314 Mbits/sec 6 6.53 MBytes
[ 5] 1.00-2.00 sec 61.4 MBytes 515 Mbits/sec 0 6.73 MBytes
[ 5] 2.00-3.00 sec 60.9 MBytes 511 Mbits/sec 0 6.73 MBytes
[ 5] 3.00-4.00 sec 62.0 MBytes 520 Mbits/sec 0 6.73 MBytes
[ 5] 4.00-5.00 sec 31.8 MBytes 266 Mbits/sec 1979 4.71 MBytes
[ 5] 5.00-6.00 sec 60.8 MBytes 510 Mbits/sec 0 4.71 MBytes
[ 5] 6.00-7.00 sec 58.9 MBytes 494 Mbits/sec 0 4.71 MBytes
[ 5] 7.00-8.00 sec 58.9 MBytes 494 Mbits/sec 0 4.71 MBytes
[ 5] 8.00-9.00 sec 57.0 MBytes 478 Mbits/sec 1079 3.32 MBytes
[ 5] 9.00-10.00 sec 58.5 MBytes 490 Mbits/sec 0 3.32 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 548 MBytes 459 Mbits/sec 3064 sender
[ 5] 0.00-10.05 sec 547 MBytes 456 Mbits/sec receiver
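Added example, not posted by anyone in the thread: a small Python parser for iperf3 per-interval lines that classifies a run as healthy, stalled (one burst and then silence, as in the VPN run above) or intermittent, and reports how many bytes got through before the path went quiet. The sample strings are constructed from the first few interval lines of each run posted above.

```python
import re
# Added example, not from the thread or TP-Link. Parses iperf3 per-interval
# lines and classifies the run. Sample input is constructed from the interval
# lines posted above (only the first few intervals of each run).
VPN_RUN = """\
[ 5] 0.00-1.01 sec 384 KBytes 3.13 Mbits/sec
[ 5] 1.01-2.01 sec 0.00 Bytes 0.00 bits/sec
[ 5] 2.01-3.01 sec 0.00 Bytes 0.00 bits/sec
- - - - - - - - - - - - - - - - - - - - - - - - -
[ 5] 0.00-10.00 sec 384 KBytes 315 Kbits/sec sender
"""
NO_VPN_RUN = """\
[ 5] 0.00-1.00 sec 37.5 MBytes 314 Mbits/sec 6 6.53 MBytes
[ 5] 1.00-2.00 sec 61.4 MBytes 515 Mbits/sec 0 6.73 MBytes
[ 5] 2.00-3.00 sec 60.9 MBytes 511 Mbits/sec 0 6.73 MBytes
"""

INTERVAL_RE = re.compile(
    r"^\[\s*\d+\]\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)\s+sec\s+"
    r"(?P<xfer>[\d.]+)\s+(?P<unit>[KMG]?Bytes)\b")
UNIT = {"Bytes": 1, "KBytes": 1024, "MBytes": 1024 ** 2, "GBytes": 1024 ** 3}

def parse_intervals(text):
    """Return (start, end, bytes) per interval; stops at the summary separator."""
    rows = []
    for line in text.splitlines():
        if line.startswith("- - -"):
            break  # everything after the separator is the sender/receiver summary
        m = INTERVAL_RE.match(line)
        if m:
            rows.append((float(m["start"]), float(m["end"]),
                         int(float(m["xfer"]) * UNIT[m["unit"]])))
    return rows

def diagnose(rows):
    """'healthy': every interval moved data. 'stalled': only the first interval
    moved data (the pattern in the VPN run). 'intermittent': anything else."""
    if not rows:
        return "empty"
    moved = [b > 0 for _, _, b in rows]
    if all(moved):
        return "healthy"
    if moved[0] and not any(moved[1:]):
        return "stalled"
    return "intermittent"

def bytes_before_stall(rows):
    """Bytes delivered before the first silent interval (how much got through)."""
    total = 0
    for _, _, b in rows:
        if b == 0:
            break
        total += b
    return total
```

Feed it the full 10-second runs to compare sites; a "stalled" result with a small bytes_before_stall points at something on the path dropping the flow after an initial burst rather than at the tunnel failing to come up.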
Hi @Bonfigleo
Thanks for posting in our business forum.
Bonfigleo wrote
@Clive_A I guess my message was not clear. Both routers have > 1gbps fiber. This VPN was consistently getting 200mbps. As you can see below, the speed between the sites is over 500mbps without the VPN.
I have redone the VPN auto, manual and even as a client-to-site. The result is the same. Given that the tunnel is connecting and some small amount of traffic is getting through, it seems like it has to be some misconfiguration on one or both of the routers causing the issue. One thing that I have noticed is the following odd behavior with iperf. When I start a test, it gets a small amount of data through in the first second and then nothing for the rest of the test.
Post a diagram with the IPs, along with or before your reply.
IPsec, site-to-site, right?
Both are updated to 1.2.3?
@Clive_A Yes, both are on 1.2.3. IPSEC site-to-site with all the defaults either auto or manual. I should also mention that they are both on a single controller.
Hi @Bonfigleo
Thanks for posting in our business forum.
Bonfigleo wrote
@Clive_A Yes, both are on 1.2.3. IPSEC site-to-site with all the defaults either auto or manual. I should also mention that they are both on a single controller.
The controller just controls. It is not involved in the speed problems.
Bonfigleo wrote
@Clive_A Yes, both are on 1.2.3. IPSEC site-to-site with all the defaults either auto or manual. I should also mention that they are both on a single controller.
My router manages about 400 Mbps with the same firmware. What encryption do you use? I would recommend
IKEv2
phase 1 SHA-256 - AES256 - DH14
phase 2 ESP - SHA-256 - AES256
My experience is that these settings work best on this router.
@MR.S Thanks for the suggestion. I used those settings and have the same result.
Router 1: (Hardware Version 1.0 FW: 1.2.3 Build 20240822 Rel.52946)
Router 2: (Hardware Version 1.2 FW: 1.2.3 Build 20240822 Rel.52946)
Name: WI2FL (REMOTE_WI2FL on Router 2)
Status: Enable
Purpose: Site-to-Site VPN
VPN Type: Manual IPsec
Remote Gateway: xxx.xxx.xxx.xxx (Router 1 IP on Router 2)
Remote Subnet: 192.168.2.0/24 (192.168.0.0/24 on Router 2)
WAN: 2.5G WAN1
Local Network Type: Network
Local Networks: All
Pre-shared Key: xxxxxxxxxxxxxxxxxxx
Phase-1 Settings
IKE Protocol Version: IKEv2
Proposal: SHA-256 - AES256 - DH14
Negotiation Mode: Responder Mode (Initiator Mode on Router 2, though I have tried switching these)
Local ID Type: IP Address
Remote ID Type: IP Address
SA Lifetime: 2880
DPD: Enable
DPD Interval: 10
Phase-2 Settings
Encapsulation Mode: Tunnel Mode
Proposal: ESP - SHA-256 - AES256
PFS: none
SA Lifetime: 28800
@MR.S et al
I reported a similar bug with ER707 v1.2.3 running IPSEC over L2TP to some ER605 v1 units. Tunnels don't even come up anymore, but downgrading to 1.2.2 again fixes everything. These were client-server connections, not site-to-site, but I don't think that matters either. Zero changes to the ER605 endpoints.
Something is borked with IPSEC in the new 1.2.3 load is my educated guess.
Hi @Bonfigleo
Thanks for posting in our business forum.
Since dougmac has commented, we noticed his report, which seems to be the first one. Based on the preliminary test we have done in the lab without touching his backup, we did not reproduce the issue.
Would love to learn more from your problem if it is possible.
We will require a backup of both sites if you can provide it.
The controller version, if there is one, as we need to import the backups.
A network diagram with the IPs specified.