Home

Forums

Stories

Knowledge Base

Business Community > Gateways > IPsec VPN Failure After ER8411 Firmware Upgrade to 1.3.1

< Gateways

IPsec VPN Failure After ER8411 Firmware Upgrade to 1.3.1

jonmaxey

2025-06-03 16:54:45

Posts: 7

Helpful: 1

Solutions: 1

Stories: 0

Registered: 2024-03-06

IPsec VPN Failure After ER8411 Firmware Upgrade to 1.3.1

2025-06-03 16:54:45

Tags: #VPN #Firmware Update

Model: ER8411

Hardware Version: V1

Firmware Version: 1.3.1

Hello,

I manage a large Omada deployment across various networks. My primary network uses an ER8411 gateway, and several remote sites connect to it via IPsec VPN.

Yesterday, I upgraded the ER8411 to firmware version 1.3.1, and since then, the IPsec VPN connection to one of my remote sites — which uses an ER707-M2 v1.0 — has stopped working.

I've confirmed that the VPN settings on both ends remain unchanged from before the upgrade, and I’ve also tried creating a new VPN configuration and testing various setting combinations. Despite this, the VPN tunnel still fails to establish.

The following error appears in the event log on the ER8411:

WAN/LAN4: Phase 1 of IKE negotiation failed. (Peers=xxx.xxx.xxx.xxx<->xxx.xxx.xxx.xxx, Error=NO_PROPOSAL_CHOSEN[14])

On the ER707-M2, a similar error is logged:

2.5G WAN1: Phase 1 of IKE negotiation failed. (Peers=xxx.xxx.xxx.xxx<->xxx.xxx.xxx.xxx, Error=14)

(Note: IP addresses have been obfuscated for privacy.)

This issue only began after upgrading to firmware 1.3.1 on the ER8411. Is there anything else I can try or logs to look at to inform what might be happening? Could this be a regression or compatibility issue introduced in the latest firmware? If so, is it possible to downgrade the ER8411 to the previous firmware version?

Thanks!

11 Reply

GRL

LV4

2025-06-22 20:51:30 - last edited 2025-06-22 20:52:40

Posts: 727

Helpful: 292

Solutions: 83

Stories: 0

Registered: 2022-01-02

Re:IPsec VPN Failure After ER8411 Firmware Upgrade to 1.3.1

2025-06-22 20:51:30 - last edited 2025-06-22 20:52:40

I use only IPsec site-to-sites, all remotes are ER605 v2 running 2.3.0 to ER8411 1.3.2

SHA2 - 256 - DH14 / ESP - SHA2 - 256

ER8411 is always responder, remotes are always initiator

Havent seen any dropouts at all

HOWEVER

I was seeing weird dropouts when i had the responder set up on a 7206 v2 running 2.2.0 - VPNs would randomly go dead for seconds to minutes and in one case, 3 hours - all by themselves but always came back normally without me doing anything or wven noticing sometimes.

I havent tried SD-WAN because i find my current approach more flexible for my needs.

My gut feeling is something is flaky VPN wise on the current batch of firmwares, but that is just my opinion.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x3, ES208G x1, EAP650 x6 Remote: ER7206 v2 x1, ER605 v2 x3, SG2008P x2, EAP650 x2, ES205G x1 Controller: OC300

#12

IPsec VPN Failure After ER8411 Firmware Upgrade to 1.3.1

IPsec VPN Failure After ER8411 Firmware Upgrade to 1.3.1

Information

Voters 0

Tags