DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

L2L tunnels dropping after Dial-In router upgrades F/W

More
02 May 2021 18:34 #1 by ner0
L2L tunnels dropping after Dial-In router upgrades F/W was created by ner0
I have a Vigor2960 which is a VPN Dial-In and then I have some Vigor2925 at 3 remote sites doing the Dial-Out. After upgrading the V2960 from F/W 1.5.1.1 to a higher version (1.5.1.2 or 1.5.1.3) I start to get drops in all 3 VPN tunnels at somewhat "fixed" intervals, around every 6 hours. These VPNs are IPSec (IKEv2) L2L tunnels.

I went over this with Draytek Support after the release of F/W 1.5.1.2 , at the time they even requested remote access to both Dial-In and Dial-Out routers to assess the situation but didn't really solve anything and essentially justified that they're not getting similar complaints from other customers. My recourse was to downgrade back to F/W 1.5.1.1 and all started working perfectly fine without touching anything else.

Recently the 2960 got a new firmware upgrade (1.5.1.3) which prompted me to give it another go, but soon after I realized that the same damn issue started happening. Less than 24 hours later I already had 3 VPN drops on each one of the 3 tunnels, every drop happening every ~6 hours since the last reconnect, almost like clockwork. The tunnels were very stable before the upgrade, just for reference I didn't have a single drop in the last 30 days.

I have the suspicion that the issue might happen during IKEv2 rekeying, either phase1, phase2, or both. By default, all routers involved have the tunnels' IKEv2 key lifetime with 28800 seconds for phase1 and 3600 seconds for phase2. When I lowered the lifetime of the keys to 900 and 600 seconds, respectively, the drops became increasingly frequent - within 15 minutes, which is about 900 seconds.

Despite having played around with the IKEv2 key lifetime, I can't still escape the fact that whenever the rekeying happens is when the drops occur and I can't seem to understand why this would be the case, apparently neither does Draytek.

I have yet to revisit this issue in-depth, but I decided to try to reach out to the community in the hopes that this might ring a bell or something.

Below some excerpts from syslog of both routers:

CLIENT_2925 (Dial-out): https://pastebin.com/y54qNJsJ
SERVER_2960 (Dial-in): https://pastebin.com/phVArfvy

Please Log in or Create an account to join the conversation.