DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
2955 Half Tunnel on renegotiation
- markramsden
- Topic Author
- Offline
- New Member
06 May 2011 16:19 #67621
by markramsden
2955 Half Tunnel on renegotiation was created by markramsden
Hi,
I have a very strange issue. I am trying to build tunnels from Watchguard equipment to a 2955 at my head office. The tunnels come up and work for a period but subsequently start failing. In most cases the tunnels drop and re-establish, but sometimes we end up with "half tunnels" where the tunnel doesn't drop but the remote LAN cannot get traffic to our LAN *but* we can connect to boxes on the remote LAN.
Anyone have any ideas?
- nobody
- Offline
- Member
06 May 2011 20:07 #67623
by nobody
Replied by nobody on topic Re: 2955 Half Tunnel on renegotiation
Check the IPsec phase one and phase two renegotiation time. It should be the same value on both ends.
Regarding the problem that a connection cannot be brought up properly after it fails:
There is a feature called dead peer detection. This should take care of this. The DrayTek router supports this, but I don't know if this is enabled on the other side.
If the connection is nailed, then on the DrayTek side in the dial-out settings, check "always on" and set ping to the remote private address of the other side to on.
In the connection profile of the DrayTek, where you specify the dial-in settings, set the timeout for the connection to 0.
Does that help?
- markramsden
- Topic Author
- Offline
- New Member
07 May 2011 07:41 #67626
by markramsden
Replied by markramsden on topic Re: 2955 Half Tunnel on renegotiation
nobody wrote:
Check the IPsec phase one and phase two renegotiation time. It should be the same value on both ends.
Regarding the problem that a connection cannot be brought up properly after it fails:
There is a feature called dead peer detection. This should take care of this. The DrayTek router supports this, but I don't know if this is enabled on the other side.
If the connection is nailed, then on the DrayTek side in the dial-out settings, check "always on" and set ping to the remote private address of the other side to on.
In the connection profile of the DrayTek, where you specify the dial-in settings, set the timeout for the connection to 0.
Does that help?
The renegotiation times are the same on both sides, although the remote Watchguards also renegotiate on data count. Should I get the customer to disable this?
The 2955 is acting as answer-only for the tunnels and I can't see where I can set a timeout to 0 in the dial-in. Do I just set Idle Timeout to 0?
I did wonder if I'd be better off establishing the connection to the remote Watchguards and nailing up the connection by pinging the remote router down the tunnel, and getting the remote routers to never establish the tunnel.
- nobody
- Offline
- Member
07 May 2011 09:16 #67627
by nobody
Replied by nobody on topic Re: 2955 Half Tunnel on renegotiation
Yes, I would disable the renegotiation based on data amount. AFAIK the DrayTek does not support this feature.
The idle timeout: yes, just set it to 0.
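A small consistency checker for the settings the two replies above discuss (matching phase 1 and phase 2 lifetimes, byte-count rekey present on only one side, DPD on both ends, dial-in idle timeout 0). This is an added illustration, not code from any post or from DrayTek or Watchguard; the IpsecPeer model and the sample values are assumptions constructed to mirror the setup described in the thread.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class IpsecPeer:
    """One end of a site-to-site IPsec tunnel (hypothetical model for this example)."""
    name: str
    ike_lifetime_s: int                            # phase 1 (IKE SA) lifetime, seconds
    ipsec_lifetime_s: int                          # phase 2 (IPsec SA) lifetime, seconds
    ipsec_lifetime_kb: Optional[int] = None        # phase 2 rekey on data volume; None = off/unsupported
    dpd_enabled: bool = False                      # dead peer detection
    dial_in_idle_timeout_s: Optional[int] = None   # responder-side idle timeout; 0 = never; None = n/a


def check_tunnel(a: IpsecPeer, b: IpsecPeer) -> List[str]:
    """Return finding codes for settings that can cause drops or one-way 'half tunnels'."""
    findings: List[str] = []
    if a.ike_lifetime_s != b.ike_lifetime_s:
        findings.append("P1_LIFETIME_MISMATCH")
    if a.ipsec_lifetime_s != b.ipsec_lifetime_s:
        findings.append("P2_LIFETIME_MISMATCH")
    # A byte-count rekey on one side only means that side replaces its SA early
    # while the other still sends on the old one: traffic flows in one direction only.
    if (a.ipsec_lifetime_kb is None) != (b.ipsec_lifetime_kb is None):
        findings.append("P2_KBYTE_REKEY_ONE_SIDED")
    # Without DPD on both ends a stale SA can linger instead of being torn down and rebuilt.
    if not (a.dpd_enabled and b.dpd_enabled):
        findings.append("DPD_NOT_ON_BOTH_ENDS")
    # A non-zero idle timeout on the answering side drops a quiet tunnel the other end still trusts.
    for peer in (a, b):
        if peer.dial_in_idle_timeout_s not in (None, 0):
            findings.append(f"IDLE_TIMEOUT_NONZERO:{peer.name}")
    return findings


def apply_advice(peer: IpsecPeer) -> IpsecPeer:
    """Apply the thread's advice: no byte-count rekey, DPD on, dial-in idle timeout 0."""
    idle = 0 if peer.dial_in_idle_timeout_s is not None else None
    return replace(peer, ipsec_lifetime_kb=None, dpd_enabled=True, dial_in_idle_timeout_s=idle)


# Constructed sample values in the shape of the thread's setup (not real configs).
watchguard = IpsecPeer("watchguard-branch", ike_lifetime_s=28800, ipsec_lifetime_s=3600,
                       ipsec_lifetime_kb=131072, dpd_enabled=True)
draytek = IpsecPeer("draytek-2955-ho", ike_lifetime_s=28800, ipsec_lifetime_s=3600,
                    dpd_enabled=True, dial_in_idle_timeout_s=300)

if __name__ == "__main__":
    print(check_tunnel(watchguard, draytek))
    print(check_tunnel(apply_advice(watchguard), apply_advice(draytek)))
```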
- markramsden
- Topic Author
- Offline
- New Member
07 May 2011 09:30 #67628
by markramsden
Replied by markramsden on topic Re: 2955 Half Tunnel on renegotiation
Thanks for this. I'll give it a go and see if it improves things.