Retired_Member
Aug 24, 2016
Solved

Ipsec vpn between srxn3205 doesn't connect.

Hello,

 

I have a problem, our company has three sites connected by ipsec vpn. We are using a fvs318n and two srxn3205.

Suddenly, after many months of use, the ipsec vpn doesn't connect between the two srxn3205.

I would ask your support to solve this problem.

 

This is a vpn log from one of the srxn3205; I replaced the firewalls' ip addresses with ipA and ipB.

 

2016 Aug 23 12:21:15 [SRXN3205] [IKE] Configuration found for ipB._
2016 Aug 23 12:21:15 [SRXN3205] [IKE] accept a request to establish IKE-SA: ipB _
2016 Aug 23 12:21:05 [SRXN3205] [IKE] Setting DPD Vendor ID_
2016 Aug 23 12:21:05 [SRXN3205] [IKE] Beginning Identity Protection mode._
2016 Aug 23 12:21:05 [SRXN3205] [IKE] Initiating new phase 1 negotiation: ipA [500]<=>ipB [500]_
2016 Aug 23 12:21:05 [SRXN3205] [IKE] Configuration found for ipB ._
2016 Aug 23 12:21:05 [SRXN3205] [IKE] accept a request to establish IKE-SA: ipB _
2016 Aug 23 12:21:01 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for ipB [500]. 1fd466d1ef7c98d3:0000000000000000_
2016 Aug 23 12:20:57 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _
2016 Aug 23 12:20:57 [SRXN3205] [IKE] Invalid SA protocol type: 0_

 

Already done:

- firewall restarted, one at a time and simultaneously;

- ipsec vpn configuration deleted and reconfigured on both;

- pre-shared key changed;

- netbios flag checked and unchecked.

 

Thanks in advance to all and kind regards.

 

Roberto
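
An added example, not part of the original post or of NETGEAR's tooling: a small Python parser for the log lines above that reads the cookie pair on the phase 1 timeout line. The function and field names are assumptions made for this illustration; the sample lines are copied from the post.

```python
import re

# Constructed sample: four lines taken from the log posted above, newest first,
# with the poster's ipA/ipB placeholders kept.
SAMPLE_LOG = """\
2016 Aug 23 12:21:05 [SRXN3205] [IKE] Initiating new phase 1 negotiation: ipA [500]<=>ipB [500]_
2016 Aug 23 12:21:01 [SRXN3205] [IKE] Phase 1 negotiation failed due to time up for ipB [500]. 1fd466d1ef7c98d3:0000000000000000_
2016 Aug 23 12:20:57 [SRXN3205] [IKE] Phase 2 negotiation failed due to time up waiting for phase1. _
2016 Aug 23 12:20:57 [SRXN3205] [IKE] Invalid SA protocol type: 0_
"""

# Timestamp, device tag, message; each logged line ends with a trailing "_".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} [\d:]{8}) \[[^\]]+\] \[IKE\] (?P<msg>.*?)_?\s*$")
# The pair after the peer is the ISAKMP initiator cookie and responder cookie.
P1_TIMEOUT_RE = re.compile(
    r"Phase 1 negotiation failed due to time up for (?P<peer>\S+) \[(?P<port>\d+)\]\. "
    r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})")


def diagnose(log_text):
    """Return one finding per phase 1 / phase 2 timeout line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        hit = P1_TIMEOUT_RE.search(line["msg"])
        if hit:
            # An all-zero responder cookie means this side never processed a
            # reply to its first IKE packet, so from its view the exchange
            # stopped before any pre-shared key check took place.
            findings.append({"time": line["ts"], "kind": "phase1_timeout",
                             "peer": hit["peer"], "port": int(hit["port"]),
                             "no_reply_from_peer": set(hit["rcookie"]) == {"0"}})
        elif "time up waiting for phase1" in line["msg"]:
            # Phase 2 cannot start without an IKE SA; this is a consequence.
            findings.append({"time": line["ts"], "kind": "phase2_waiting_on_phase1"})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

When `no_reply_from_peer` is true, the path for UDP 500 to the peer (inbound rules, port forwards) is the first thing to check. A successful ping only shows that ICMP passes.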

 

 

 

 

  • DaneA
    Aug 25, 2016

    Hi netutente,

     

    I'm glad to know that all of the VPN tunnels are now established between the FVS318N and the 2 SRXN3205.  It's possible that the port you have configured on the firewall rules for the surveillance system has triggered the problem.  It would be best that you state what happened to the surveillance system engineers and seek their advice as well. 

     

    I've noticed that the current firmware versions on both SRXN3205 and FVS318N are old already.  I suggest you upgrade the firmware of both SRXN3205 and FVS318N in a ladderized manner.  For example, you will upgrade the firmware of the FVS318N from v4.2.1-2 to 4.3.0-19 then from v4.3.0-19 to v4.3.1-22 and so on until you reach the latest firmware v4.3.4-1.  You may download the firmware versions for the FVS318N on this link.  For the SRXN3205 firmware versions, click on this link.

     

    Be reminded that it is recommended to perform a factory reset after doing a firmware upgrade then reconfigure it from scratch.  You may want to get a screenshot of all the settings configured on the VPN firewalls as reference before you proceed with the firmware upgrade.

     

     

    Regards,

     

    DaneA

    NETGEAR Community Team

8 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi netutente,

     

    Welcome to the community! :) 

     

    Kindly answer the questions below:

     

    a. Are there any changes made within the configuration of the 2 SRXN3205 that might have triggered the problem?

    b. Is the ISP or Internet Service Provider the same on the sites where the 2 SRXN3205 are deployed?

    c. What is the current firmware version of the 2 SRXN3205?

     

    I look forward to your response.

     

     

    Regards,

     

    DaneA

    NETGEAR Community Team

    • Retired_Member

      Hi DaneA,

       

      thank you very much! :smileyhappy:

       

      a. We added an IP address under Security, Firewall, Lan Wan Rules to enable remote access for the surveillance system; this task has been done on both firewalls.

      b. No, the ISPs are different. I can ping the firewall wan address from one to the other and vice versa;

      c. Firmware version 3.0.7_24 on both.

       

      Thanks again for your support.

       

      netutente

      • DaneA
        NETGEAR Employee Retired

        Hi netutente,

         

        Let us isolate the problem.  Have you tried to disable the firewall rule you have newly created on both SRXN3205 then check if the VPN tunnel will establish between the 2 SRXN3205?  I ask this because this is the only change you've made before the problem occurred.  

         

         

        Regards,

         

        DaneA
        NETGEAR Community Team
