ER605 v2 2.3.0 Beta - IPsec VPN connection loses traffic for up to a couple of minutes at random
ER605 v2 2.3.0 Beta - IPsec VPN connection loses traffic for up to a couple of minutes at random
Im seeing a complete traffic drop on the IPsec site-to-site from my home (605 v2 2.3.0 april 28th beta) to my main site VPN router (ER7206v2 2.2.0 official) at random, for up to 2 minutes at a time
Neither site shows any logs relating to IPsec connection drops, DPD timeouts etc, the tunnel remains up
When the traffic loss occurs, it seems to effect all traffic - i not only cant communicate with the controller, but also a NAS, RDP, web interfaces of Raspberry PIs etc
This issue didnt seem to occur with the first 2.3.0 beta released on the forum, other sites with different routers, and dial-up client IPsec VPNs to the main site are also unaffected.
Its not my ISP connection at home, when the VPN traffic stops, i can use internet just fine.
Its not the WAN connection at the other end either, it happened to me while a colleague was on one of the dial-in VPNs to it and that remained fully functional, and that site isnt reporting any WAN issues in the logs or traffic graphs
I have deleted and recreated the VPN profile on the 605, no change to this behavior.
I dont have to do anything at all to restore traffic over the VPN, it just starts all by itself and resumes normal function
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
GRL wrote
Thanks Clive.
I have attempted sending it twice now. the file was too big for your mailserver and got bounced. Now sent as a google drive link. If you cant get it let me know and ill find another way
To clarify for you, the capture is the entire process - VPN working > not working > working over about 30 to 40 seconds. It was started only a few seconds before the VPN stopped passing traffic and stoped a few seconds after it started working again, with nothing extra either side.
I replied the email before I saw this.
Team reviewed the Wireshark but not quite useful to diagnose the reason.
Do you have a specific capture when you do a ping and it loses access?
Or try to access the remote NAS/Pi web page or ping them?
So this behavior can be reflected in the Wireshark?
Additionally, need the specific WAN capture after port mirroring.
So we need to know how IPsec interacts. It would be best for you to do this with port mirroring of the WAN and PC capture how the WAN works and interacts with the peer.
You can specify the WAN details in the email conversation we have. Do not post any public IP on the forum.
- Copy Link
- Report Inappropriate Content
Hi Clive
Il get the WAN mirror set up, and start a wan capture, might be a few days though, im going away for the weekend and dont have much time until tuesday
do you want the WAN capture from my site end, or the destination site end ? im guessing my end
- Copy Link
- Report Inappropriate Content
GRL wrote
Hi Clive
Il get the WAN mirror set up, and start a wan capture, might be a few days though, im going away for the weekend and dont have much time until tuesday
do you want the WAN capture from my site end, or the destination site end ? im guessing my end
The site where you run into issues.
- Copy Link
- Report Inappropriate Content
@Clive_A Hello, can you send me the new RC firmware that you mentioned in the ER605 firmware thread (ER605 v2.0 2.3.0 Build 20250428 Rel.18967)
Thank you.
- Copy Link
- Report Inappropriate Content
phongtom wrote
@Clive_A Hello, can you send me the new RC firmware that you mentioned in the ER605 firmware thread (ER605 v2.0 2.3.0 Build 20250428 Rel.18967)
Thank you.
I do not have it. If you are not pushed via controller by online firmware detection, you are not included in the RC test.
Besides, the controller does not allow you to download or extract it from the controller.
On the forum, the only firmware is the one I posted.
- Copy Link
- Report Inappropriate Content
Clive, an update on this from my end
I was starting to see issues with other sites VPNs as well, all remote sites are now on ER605 v2 running 2.3.0
Issues always resolved on all sites when i rebooted the ER7206 which is the responder to all the VPNs, its a v2 running 2.2.0 official, but the problems would gradually come back over a day or so and persist until another reboot of the 7206
I have moved all VPNs to now connect to main site ER8411 running 1.3.1 - I havent seen any further issues at all with connectivity dropping.
Since the ER7206 2.2.0 firmware is somewhat older in this batch than the others (it was the first, wasnt it?) im wondering if there is some bug in its IPsec functionality when ER605v2 with the considerably newer 2.3.0 are connecting to it. In my case - remote sites are always the initiator, 7206 was always the responder.
I am currently away from work and wont be able to set up any tests or further wiresharks to get any data on this for you for some time, perhaps you can test this locally
For my VPNs, i always use SHA2 - AES256 - DH14 and SHA2-AES256 for part 1 and 2 encryption settings, if that matters
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 1006
Replies: 16
Voters 0
No one has voted for it yet.