DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

3910 - VPN and Syslog issues

28 Aug 2020 13:30 #1 by namdom
3910 - VPN and Syslog issues was created by namdom
We've replaced 2 x 3300's with 3910's at remote offices. All other office (6) have 3900's.

IPSEC VPNs between all offices are rock solid, apart from the 2 x 3910's. They are up for 1 min, 5 min, 10 min, 5 hours, but then drop and sometimes come back up. On the "Connection Management" page of the remote routers sometimes there are two connections from the same 3910 and until I drop one of the connections, no traffic will pass.

We're on 3.9.2.2 and have been given a beta firmware by support, but it's no good. We've checked and double checked VPN settings. Even the VPN between 2 x 3910's drops!

Support have asked us to syslog, fair enough, however we've installed the Draytek Syslog server but the 3910's (On in the same office, one on the other side of a VPN) will not log to it. The syslog server is setup correctly and isn't being blocked. I know this because I setup any of the 3900's (In remote sites) to log to it, and syslog messages are received fine.

Any tips to get syslog working (It shows up in syslog explorer web interface fine) and also any tips on VPNs? We're trying auto, or forcing it to specific settings (AES256/Sha1/G2 or G5) and the same lifetime settings but they're just not reliable. It's not an ISP issue as I can ping the external interface of the 3910 remotely and it's rock solid.

28 Aug 2020 15:24 #2 by hornbyp
Replied by hornbyp on topic Re: 3910 - VPN and Syslog issues

namdom wrote:
Any tips to get syslog working (It shows up in syslog explorer web interface fine)


I'm suspicious of a bug in the current version (4.5.8) of the Draytek Syslog Daemon - on occasion, I've been missing output that I know should be there. Sometimes rebooting the Draytek device clears it... sometimes killing and restarting SyslogRD fixes it. I can't reproduce it at will though :cry:

You could try an earlier version. V4.5.7 is here: http://www.draytek.com.tw/ftp/Utility/Syslog%20Tools/v4.5.7/

Or even a much simpler implementation (Netcat). Windows implementation here: https://eternallybored.org/misc/netcat/
Invoke with:
Code:
nc -l -p 514 -u


(It does produce something of a 'splurge' of output though!)

and also any tips on VPNs? We're trying auto, or forcing it to specific settings (AES256/Sha1/G2 or G5) and the same lifetime settings but they're just not reliable.

If you try 'specific settings', you have to find the lowest common denominator (key-size and protocol wise) and set that at both ends. I wouldn't think incompatibilities would lead to disconnections though - more likely, just errors getting connected in the first place.

28 Aug 2020 15:45 #3 by namdom
Replied by namdom on topic Re: 3910 - VPN and Syslog issues
Thanks for this. We did have the Kiwi Syslog running too and that captured the input of the 3900's but not any of the 3910's. So it's pretty sure to be a 3910 issue with the 3.9.2.2 and the beta firmware.

As for VPNs, the settings are identical on the two 3910's for the VPN between them, but I'm sitting here just watching it break between 1 min and 5 hours. So frustrating. If I could send them back and get 3900's I would, but sadly they're EOL.

28 Aug 2020 16:41 #4 by namdom
Replied by namdom on topic Re: 3910 - VPN and Syslog issues
I managed to get on syslog explorer of the 3910 when the VPN dropped to a 3900 (and then re-established, as you can see near the top of the logs). Does any of this mean anything? (I removed the public IP of the remote router and its hostname.)

Argh, forum won't let me post the whole log as it's too large so I've removed a lot.

"2020-08-28 16:31:09", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:10(20000>>7=156) --> delete garbage states."

"2020-08-28 16:31:05", "[L2L][UP][IPsec][@2:REMOTE3900ROUTER]"

"2020-08-28 16:31:05", "Delete exist flowstate of static route 0A000300/FFFFFF00 ..."

"2020-08-28 16:31:05", "IKE_RELEASE VPN : L2L Dial-in, Profile index = 2, Name = REMOTE3900ROUTER, ifno = 57"

"2020-08-28 16:31:05", "#130467 IPsec SA established with PublicIPADDRESSOF3900. In/Out Index: -2/-2"

"2020-08-28 16:31:05", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:0(20000>>7=156) --> delete garbage states."

"2020-08-28 16:31:05", "IPsec SA #130467 will be replaced after 2998 seconds"

"2020-08-28 16:31:05", "Delete exist flowstate of VPN ifno: 57 ...."

"2020-08-28 16:31:05", "[L2L][DOWN][IPsec][@2:REMOTE3900ROUTER]"

"2020-08-28 16:31:05", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:0(20000>>7=156) --> delete garbage states."

"2020-08-28 16:31:05", "No IKE buffer available: size:156, from:reply packet in comm_handle2"

"2020-08-28 16:31:05", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:4(20000>>7=156) --> delete garbage states."

"2020-08-28 16:31:05", "Responding to Quick Mode from PublicIPADDRESSOF3900"

"2020-08-28 16:31:05", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:5(20000>>7=156) --> delete garbage states."

"2020-08-28 16:31:05", "Accept ESP prorosal ENCR ESP_AES, HASH AUTH_ALGORITHM_HMAC_SHA1 "

"2020-08-28 16:31:05", "Receive client remote network setting is 10.0.2.0/24, match H2L profile[1171910336]"


"2020-08-28 16:31:05", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:10(20000>>7=156) --> delete garbage states."

....lots of these "No IKE buffer available...." lines, as seen below

2020-08-28 16:31:04", "No IKE buffer available: size:172, from:_mp_default_reallocate"

"2020-08-28 16:31:04", "No IKE buffer available: size:168, from:_mp_default_reallocate"

"2020-08-28 16:31:04", "No IKE buffer available: size:164, from:_mp_default_reallocate"

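The log above is in the DrayTek Syslog Explorer export format (one quoted timestamp, one quoted message per line, newest entry first). The following script is an added example, not code from the thread or from DrayTek: it parses a constructed sample in that format, puts the rows back in chronological order, and counts the things worth looking at here: the [L2L] UP/DOWN transitions per profile, how many "No IKE buffer available" failures occurred and from which allocation site, and the announced SA rekey lifetimes. The 60-second window used to flag a drop-and-reconnect cycle is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Syslog Explorer export format quoted above (newest first).
SAMPLE_LOG = """\
"2020-08-28 16:31:05", "[L2L][UP][IPsec][@2:REMOTE3900ROUTER]"
"2020-08-28 16:31:05", "#130467 IPsec SA established with PublicIPADDRESSOF3900. In/Out Index: -2/-2"
"2020-08-28 16:31:05", "IPsec SA #130467 will be replaced after 2998 seconds"
"2020-08-28 16:31:05", "[L2L][DOWN][IPsec][@2:REMOTE3900ROUTER]"
"2020-08-28 16:31:05", "No IKE buffer available: size:156, from:reply packet in comm_handle2"
"2020-08-28 16:31:05", "Buffer Status: L-2048:1000(1000>>4=62), M-1024:0(4000>>6=62), S-128:4(20000>>7=156) --> delete garbage states."
2020-08-28 16:31:04", "No IKE buffer available: size:172, from:_mp_default_reallocate"
"2020-08-28 16:31:04", "No IKE buffer available: size:168, from:_mp_default_reallocate"
"""

LINE_RE = re.compile(r'^"?(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)",\s*"(.*)"\s*$')  # leading quote optional
STATE_RE = re.compile(r'\[L2L\]\[(UP|DOWN)\]\[IPsec\]\[@(\d+):([^\]]+)\]')
NOBUF_RE = re.compile(r'No IKE buffer available: size:(\d+), from:(.+)$')
LIFETIME_RE = re.compile(r'IPsec SA #(\d+) will be replaced after (\d+) seconds')
RECONNECT_WINDOW_S = 60  # assumption: DOWN followed by UP within this window counts as one cycle


def parse_lines(text):
    """Return [(timestamp, message)] in chronological order; tolerate a missing leading quote."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    rows.reverse()                      # export is newest-first
    rows.sort(key=lambda r: r[0])       # stable sort keeps order within one second
    return rows


def summarise(text):
    """Count tunnel transitions, IKE buffer exhaustion by site, SA lifetimes and reconnect cycles."""
    transitions = []   # (timestamp, "UP"/"DOWN", profile index, profile name)
    nobuf = Counter()  # allocation site -> failures
    lifetimes = {}     # SA number -> seconds until rekey
    for ts, msg in parse_lines(text):
        if (m := STATE_RE.search(msg)):
            transitions.append((ts, m.group(1), int(m.group(2)), m.group(3)))
        elif (m := NOBUF_RE.search(msg)):
            nobuf[m.group(2)] += 1
        elif (m := LIFETIME_RE.search(msg)):
            lifetimes[int(m.group(1))] = int(m.group(2))
    cycles = sum(1 for a, b in zip(transitions, transitions[1:])
                 if a[1] == "DOWN" and b[1] == "UP" and a[2] == b[2]
                 and (b[0] - a[0]).total_seconds() <= RECONNECT_WINDOW_S)
    return {"transitions": transitions, "no_ike_buffer": nobuf,
            "sa_lifetimes": lifetimes, "reconnect_cycles": cycles}


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a full export rather than the trimmed sample: a rising "No IKE buffer available" count from _mp_default_reallocate in the seconds before each DOWN, as in the post, is the pattern to hand to support alongside the firmware version.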
28 Aug 2020 17:40 #5 by hornbyp
Replied by hornbyp on topic Re: 3910 - VPN and Syslog issues

namdom wrote:
"2020-08-28 16:31:05", "IPsec SA #130467 will be replaced after 2998 seconds"



I just tried dropping my L2TP/IPsec VPN and letting it re-establish. My key lifetimes are set to 86400, but I got a message saying:
Code:
IPsec SA #228 will be replaced after 71775 seconds


which is slightly odd. It always re-establishes itself though - and I'm guessing that shorter is more secure...

Do you have "Enable PING to keep IPsec tunnel alive" ticked in the "LAN to LAN" entry?

When the connection drops, what do you have to do to get it to connect again?

28 Aug 2020 17:43 #6 by namdom
Replied by namdom on topic Re: 3910 - VPN and Syslog issues

hornbyp wrote:

namdom wrote:
"2020-08-28 16:31:05", "IPsec SA #130467 will be replaced after 2998 seconds"



I just tried dropping my L2TP/IPsec VPN and letting it re-establish. My key lifetimes are set to 86400, but I got a message saying:
Code:
IPsec SA #228 will be replaced after 71775 seconds


which is slightly odd. It always re-establishes itself though - and I'm guessing that shorter is more secure...

Do you have "Enable PING to keep IPsec tunnel alive" ticked in the "LAN to LAN" entry?

When the connection drops, what do you have to do to get it to connect again?

No, I do NOT have the "Enable Ping" option selected.

When it drops, it re-establishes itself, but then for about 30 seconds only and again and again. So if I have a ping going from one site to the other (Any way) I get pings for 1 min/2 min/5 min then about 5 drops, then again. Rinse and repeat.
