DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2955 Half Tunnel on renegotiation

06 May 2011 16:19 #1 by markramsden
Hi,

I have a very strange issue. I am trying to build tunnels from WatchGuard equipment to a 2955 at my head office. The tunnels come up and work for a period but subsequently start failing. In most cases the tunnels drop and re-establish, but sometimes we end up with "half tunnels" where the tunnel doesn't drop but the remote LAN cannot get traffic to our LAN *but* we can connect to boxes on the remote LAN.

Anyone have any ideas?


06 May 2011 20:07 #2 by nobody
Check the IPsec phase one and phase two renegotiation time. It should be the same value on both ends.

Regarding the problem that a connection cannot be brought up properly after it fails:
There is a feature called dead peer detection. This should take care of this. The DrayTek router supports this, but I don't know if this is enabled on the other side.
If the connection is nailed up, then on the DrayTek side in the dial-out settings, check "always on" and set ping to the remote private address of the other side to on.
In the connection profile of the DrayTek, where you specify the dial-in settings, set the timeout for the connection to 0.

Does that help?


07 May 2011 07:41 #3 by markramsden
The renegotiation times are the same on both sides, although the remote WatchGuards also renegotiate on data count. Should I get the customer to disable this?

The 2955 is acting as answer-only for the tunnels and I can't see where I can set a timeout to 0 in the dial-in. Do I just set Idle Timeout to 0?

I did wonder if I'd be better off establishing the connection to the remote WatchGuards and nailing up the connection by pinging the remote router down the tunnel, and getting the remote routers to never establish the tunnel.


07 May 2011 09:16 #4 by nobody
Yes, I would disable the renegotiation based on data amount. AFAIK the DrayTek does not support this feature.

The idle timeout: yes, just set it to 0.

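The settings the two replies above walk through (matching phase 1/phase 2 lifetimes, no volume-based rekey on only one side, DPD at both ends, idle timeout 0 and a keepalive ping for a nailed-up tunnel) can be checked mechanically before a tunnel is put into service. The following is an added example, not code from the thread or from either vendor; the field names and sample values are constructed for illustration and are not the real DrayTek or WatchGuard configuration syntax.

```python
# Added example (not from the forum thread): compare the IKE/IPsec settings of two
# peers and flag the mismatches that commonly leave a tunnel flapping or "half up"
# after a rekey. Field names and values are constructed, not vendor syntax.

def check_ipsec_peers(initiator: dict, responder: dict) -> list:
    """Return human-readable findings for the dial-out (initiator) and
    dial-in (responder) sides of one site-to-site tunnel."""
    findings = []

    # Phase 1 (IKE SA) and phase 2 (IPsec SA) lifetimes should match on both ends;
    # otherwise one side rekeys while the other still considers the old SA current.
    for phase in ("phase1_lifetime_s", "phase2_lifetime_s"):
        if initiator[phase] != responder[phase]:
            findings.append(f"{phase} mismatch: {initiator[phase]} vs {responder[phase]}")

    # Volume-based rekeying (kbytes) on a side whose peer does not support it:
    # the rekey happens at a moment the peer does not expect, so the two ends
    # can disagree about which SA is live and traffic passes in one direction only.
    for side, name in ((initiator, "initiator"), (responder, "responder")):
        other = responder if side is initiator else initiator
        if side.get("phase2_lifetime_kbytes") and not other.get("supports_volume_rekey", False):
            findings.append(f"{name} rekeys on data volume but peer does not support it; disable it")

    # Dead peer detection must be on at both ends so a stale SA is torn down
    # and re-established instead of lingering as a half tunnel.
    for side, name in ((initiator, "initiator"), (responder, "responder")):
        if not side.get("dpd_enabled", False):
            findings.append(f"DPD disabled on {name}")

    # For a nailed-up tunnel the dial-in side should not expire idle connections,
    # and the dial-out side should keep it alive with a ping to the remote LAN.
    if responder.get("idle_timeout_s", 0) != 0:
        findings.append("responder idle timeout is non-zero; set it to 0 for an always-on tunnel")
    if initiator.get("always_on") and not initiator.get("ping_remote_ip"):
        findings.append("initiator is always-on but has no keepalive ping target")

    return findings

# Constructed sample settings resembling the thread's setup: branch router
# dialling out, head-office router answering only.
BRANCH = {"phase1_lifetime_s": 28800, "phase2_lifetime_s": 3600, "phase2_lifetime_kbytes": 128000,
          "dpd_enabled": True, "always_on": True, "ping_remote_ip": "192.168.1.1"}
HEAD_OFFICE = {"phase1_lifetime_s": 28800, "phase2_lifetime_s": 3600, "supports_volume_rekey": False,
               "dpd_enabled": True, "idle_timeout_s": 300}

if __name__ == "__main__":
    for finding in check_ipsec_peers(BRANCH, HEAD_OFFICE):
        print("-", finding)
```

With the constructed sample the checker reports exactly the two problems the thread ends up fixing: the branch side's data-volume rekey and the head-office idle timeout.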

07 May 2011 09:30 #5 by markramsden
Thanks for this. I'll give it a go and see if it improves things.
