site 2 site loses connectivity to vigor



robert58
2009-09-29, 14:56
Hello, I'm a newbie to this group and need some good old experienced advice.
Anyway, I have a problem with a site-to-site VPN between a CP NGX R65 HFA30 HF630 and a Draytek Vigor 2910. I have read the related posts concerning the Vigor FWs and they have helped me heaps to set this VPN up. Well, the strange thing I have is that the VPN is up and running, working from both sides, but then all of a sudden interruptions between the two sites appear; I have added SmokePing monitoring just to keep an eye on the connectivity.
The VPN works fine, then my firewall sends an IKE Main Mode completion, it receives an "Informational Exchange Received Delete IKE-SA from peer", then the FW daemon gets an encryption failure, no response from peer; this goes on for a while, then it works again from both sides.....

The firewall is Traditional Mode, Interoperable Device with manually defined topology. VPN Traditional with 3DES, SHA1, Pre-Shared Secret. VPN adv, Community Strings.
Link Selection: Main Address (in my gateway properties I have "calculate IP based on network topology", NOT "always use this IP address"); this confuses me even though the VPN works sometimes!

Well, as you can see I'm a bit confused; if anyone can help it would be much appreciated.

rubber_chicken
2009-09-29, 15:11
Hi,

I don't have a fix for you (other than going over all the settings - thinking rekey times here - with a fine-tooth comb), but rather a similar story from years ago.

I encountered this (albeit about 5 years ago with a much older version of CP) when I was talking to an external client who was using a Cisco PIX. The VPN would establish nicely and would fall over from time to time as you describe. We spent a very long time going over all the settings and rekey times and doing debugs and so on, and in the end we gave up and bought a PIX ourselves.

Migrated the VPN over (same settings of course) and voila! 100% uptime.

The lesson we took from this was to try and keep the VPNs within a vendor. We matched what the client was using and we had rock-solid stability. (We were a service/support company, so we had loads of VPNs to clients.)

Obviously time has moved on, and the technology is much more interoperable now, but I share this in case it helps.

Cheers

lammbo
2009-09-29, 15:18
Sounds like you've already read most of my Draytek posts and are on the right track. The only advice I can give you is to check the advanced settings and make sure there is no re-key on the number of bytes passed. That one will bite you in the rear if one side is set to re-key and the other isn't.

I no longer have access to any Draytek boxes so I can't help more than this.
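An added example, not code from the thread or from either vendor: a small checker that compares the IKE phase 1 and IPsec phase 2 settings configured on both ends of a tunnel and reports every mismatch, including the "rekey by volume on one side only" case lammbo warns about. The dictionaries and key names are a constructed, vendor-neutral representation of the settings, not Check Point or DrayTek configuration syntax.

```python
# Added example: consistency check of IKE/IPsec settings across two peers.
# The dictionary layout below is constructed for illustration only.

# Settings that must agree on both peers for the SAs to survive every rekey.
PHASE1_KEYS = ("encryption", "hash", "dh_group", "auth", "lifetime_sec", "mode")
PHASE2_KEYS = ("encryption", "hash", "pfs_group", "lifetime_sec")


def compare_phase(name, a, b, keys):
    """Return a human-readable line for every key that differs between the sides."""
    problems = []
    for key in keys:
        va, vb = a.get(key), b.get(key)
        if va != vb:
            problems.append(f"{name} {key}: side A={va!r} side B={vb!r}")
    return problems


def check_tunnel(side_a, side_b):
    """Compare both phases; an empty list means the two configurations agree."""
    problems = compare_phase("phase1", side_a["phase1"], side_b["phase1"], PHASE1_KEYS)
    problems += compare_phase("phase2", side_a["phase2"], side_b["phase2"], PHASE2_KEYS)
    # Volume-based rekey: if only one peer has a kilobyte lifetime it will tear
    # down the phase 2 SA after that many KB while the other still considers it
    # valid, which shows up as "delete SA from peer" followed by failed traffic.
    kb_a = side_a["phase2"].get("lifetime_kb")
    kb_b = side_b["phase2"].get("lifetime_kb")
    if (kb_a is None) != (kb_b is None):
        problems.append("phase2 rekey-by-kilobytes is enabled on only one side")
    elif kb_a != kb_b:
        problems.append(f"phase2 lifetime_kb: side A={kb_a!r} side B={kb_b!r}")
    return problems


# Constructed sample: 3DES/SHA1/PSK as in the thread; phase 1 and 2 lifetimes
# and DH group are assumed values, not taken from the poster's configuration.
PHASE1 = {"encryption": "3des", "hash": "sha1", "dh_group": 2,
          "auth": "psk", "lifetime_sec": 86400, "mode": "main"}
CHECKPOINT_SIDE = {
    "phase1": dict(PHASE1),
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs_group": None,
               "lifetime_sec": 3600, "lifetime_kb": None},
}
VIGOR_SIDE = {
    "phase1": dict(PHASE1),
    "phase2": {"encryption": "3des", "hash": "sha1", "pfs_group": None,
               "lifetime_sec": 3600, "lifetime_kb": 102400},  # rekeys by volume too
}

if __name__ == "__main__":
    for line in check_tunnel(CHECKPOINT_SIDE, VIGOR_SIDE) or ["no mismatches"]:
        print(line)
```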

robert58
2009-09-29, 15:22
Hi,
thanks for the info. I've checked all the settings, IKE phase 1 and 2, both sides, and even gone through the ike.elg log with the viewer; as far as I can see it all looks OK. I've even been thinking about changing to simplified mode; do you think this would help?

cheers

robert58
2009-09-29, 15:25
Hi,
yes, thanks, I've read all your posts and they helped me heaps, and I'm going to check the rekey again.
cheers

desperado618
2009-09-30, 13:55
Consider a VPN debug:

vpn debug on
vpn debug ikeon

Wait for the error to resurface.
Open the $FWDIR/log/ike.elg file in IKEView (download from Check Point's site or Google it).

It will tell you exactly why the failure occurred.
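An added example, not code from the thread or from Check Point: once the debug log has captured a few drops, the useful question is how long each outage lasted and which event started it (the peer deleting the IKE SA, or our side simply getting no response). The scanner below reconstructs those outage windows from the event sequence robert58 describes. The log lines are constructed in a simplified "timestamp message" layout for illustration; they are not the real ike.elg format, and the peer address 203.0.113.10 is a documentation address.

```python
# Added example: reconstruct tunnel outage windows from IKE event messages.
from datetime import datetime

# Constructed sample log in a simplified layout (NOT the real ike.elg format).
SAMPLE_LOG = """\
2009-09-29 10:00:05 IKE main mode completion peer=203.0.113.10
2009-09-29 10:00:06 IKE quick mode completion peer=203.0.113.10
2009-09-29 10:43:12 informational exchange received delete IKE-SA from peer=203.0.113.10
2009-09-29 10:43:13 encryption failure: no response from peer=203.0.113.10
2009-09-29 10:43:43 encryption failure: no response from peer=203.0.113.10
2009-09-29 10:47:20 IKE main mode completion peer=203.0.113.10
2009-09-29 10:47:21 IKE quick mode completion peer=203.0.113.10
"""

DOWN_MARKERS = ("delete ike-sa", "no response from peer")   # events that open an outage
UP_MARKER = "main mode completion"                            # phase 1 re-established


def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS message' into (datetime, lower-cased message)."""
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:].lower()


def find_outages(text):
    """Return one dict per outage: start, end, duration, trigger, failed retries."""
    outages, down_since, trigger, retries = [], None, None, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, msg = parse_line(raw)
        if down_since is None and any(m in msg for m in DOWN_MARKERS):
            down_since, trigger, retries = ts, msg, 0   # outage opens here
        if down_since is not None and "no response from peer" in msg:
            retries += 1                                 # each failed attempt while down
        if down_since is not None and UP_MARKER in msg:
            outages.append({
                "start": down_since, "end": ts,
                "seconds": int((ts - down_since).total_seconds()),
                # A peer-initiated delete points at the other side's lifetime or
                # volume rekey expiring first; plain "no response" points at the path.
                "trigger": "peer deleted IKE SA" if "delete ike-sa" in trigger
                           else "no response from peer",
                "failed_attempts": retries})
            down_since = None
    return outages


if __name__ == "__main__":
    for o in find_outages(SAMPLE_LOG):
        print(f"{o['start']} -> {o['end']}: {o['seconds']}s down, "
              f"trigger: {o['trigger']}, failed attempts: {o['failed_attempts']}")
```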

robert58
2009-10-19, 09:59
Hello,
A quick summary.
Got the Vigor working; stability of the VPN was influenced by the normal pass-through traffic from the Vigor, still don't know why!
Anyway, took the advice from rubber_chicken, got a Check Point UTM Edge device, took 3 hours to configure and test, set it up and everyone was happy.

Thank you all for the support and ideas
r

rubber_chicken
2009-10-19, 15:24
Hi,

Glad my old story helped. It is frustrating from a techie point of view that the solution is a bit of a cop out, but I guess the end users don't really care, they just want a stable system and they want it NOW :-)

In my case a few years ago, I got sick of getting woken up at stupid o'clock in the morning because the VPN had fallen over and I got called out.

Glad you've got a solution working.

Rubber