BGy
Nov 28, 2016 (Tutor)
IPSec VPN Connection lost
My client is a Netgear Prosafe VPN Client Lite 6.4 (Windows 10 Prof x64) and I connect to a FVS336Gv3 firewall in the office. I can usually connect without any problem, I can open a Windows Remote Des...
Dan_Z
Dec 07, 2016 (NETGEAR Expert)
Hi BGy,
I don't know your specific network environment, so I can't give you advice.
There are some diagnostic tools on the FVS336Gv3's "Monitoring->Diagnostics" page; maybe they can help you.
Thanks,
Dan
BGy
Dec 07, 2016 (Tutor)
Hi Dan_Z,
Please explain why your conclusion is a network problem. Just now I tested it again. I used a ping tool to check remote LAN accessibility. It shows that the connection was lost at 10:05:00:
[2016-12-7 10:05:26]Reply from 192.168.11.10: Request timed out.
[2016-12-7 10:05:22]Reply from 192.168.11.10: Request timed out.
[2016-12-7 10:05:18]Reply from 192.168.11.10: Request timed out.
[2016-12-7 10:05:14]Reply from 192.168.11.10: Request timed out.
[2016-12-7 10:05:10]Reply from 192.168.11.10: Request timed out.
[2016-12-7 10:05:06]Reply from 192.168.11.10: Request timed out.
[2016-12-7 10:05:00]Reply from 192.168.11.10: bytes = 64 time = 13ms TTL = 255
[2016-12-7 10:04:58]Reply from 192.168.11.10: bytes = 64 time = 12ms TTL = 255
[2016-12-7 10:04:56]Reply from 192.168.11.10: bytes = 64 time = 14ms TTL = 255
[2016-12-7 10:04:54]Reply from 192.168.11.10: bytes = 64 time = 14ms TTL = 255
[2016-12-7 10:04:52]Reply from 192.168.11.10: bytes = 64 time = 15ms TTL = 255
[2016-12-7 10:04:50]Reply from 192.168.11.10: bytes = 64 time = 12ms TTL = 255
[2016-12-7 10:04:48]Reply from 192.168.11.10: bytes = 64 time = 15ms TTL = 255
The appropriate part of VPN Client log:
20161207 10:03:39:175 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:03:39:222 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:04:09:326 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:04:09:370 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:04:36:498 Default (SA CTC-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID] [VID]
20161207 10:04:36:608 Default (SA CTC-P1) RECV phase 1 Main Mode [SA] [VID] [VID] [VID]
20161207 10:04:36:611 Default (SA CTC-P1) SEND phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20161207 10:04:36:837 Default (SA CTC-P1) RECV phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D] [VID]
20161207 10:04:36:839 Default (SA CTC-P1) SEND phase 1 Main Mode [HASH] [ID]
20161207 10:04:37:055 Default (SA CTC-P1) RECV phase 1 Main Mode [HASH] [ID]
20161207 10:04:37:056 Default phase 1 done: initiator id local.com, responder id xxxxxxxxxxxxxx.dnsalias.com
20161207 10:04:37:056 Default (SA CTC-P1) renewal in 3412 seconds (11:01:29)
20161207 10:04:37:074 Default (SA CTC-P1) RECV Transaction Mode [HASH] [ATTRIBUTE]
20161207 10:04:37:075 Default (SA CTC-P1) SEND Transaction Mode [HASH] [ATTRIBUTE]
20161207 10:05:02:185 Default (SA CTC-ctc-P2) SEND phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20161207 10:05:02:398 Default (SA CTC-ctc-P2) RECV phase 2 Quick Mode [HASH] [SA] [NONCE] [ID] [ID]
20161207 10:05:02:398 Default (SA CTC-ctc-P2) SEND phase 2 Quick Mode [HASH]
20161207 10:05:02:399 Default (SA CTC-ctc-P2) renewal in 1092 seconds (10:23:14)
20161207 10:05:02:399 Default [VirtualItf] ConfigureVirtualItf: Physical IP Address specified in configuration for CTC-P1.
20161207 10:05:03:459 Default (SA CTC-ctc-P2) [VirtualItf] Virtual Interface properly configured for instance 2 and ItfIndex 8.
20161207 10:05:06:461 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:06:500 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:13:694 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161207 10:05:22:628 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:22:628 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:24:194 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161207 10:05:27:677 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:27:678 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:32:736 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:32:736 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:34:694 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161207 10:05:37:786 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:37:787 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:42:839 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:42:840 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:45:194 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161207 10:05:47:890 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:47:890 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:52:946 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
As I see, after 10:05:00 there are successful DPDs.
But after 10:05:00 I'm still able to connect using L2TP without problem! If it's a network problem, why can I connect with L2TP, and why does only IPsec fail? If the connection fails, why can't the VPN client reconnect? If it's a network problem, then shouldn't I experience this problem at random intervals? Now it happens after about an hour (50..70 min), never outside of this time frame.
Thanks,
Gyula
- BGy, Dec 07, 2016 (Tutor)
I found something. In my previous comment the time of losing the connection was 10:05:00. And at the beginning of the log I found this:
20161207 09:13:06:804 Default (SA CTC-ctc-P2) is opening.
20161207 09:13:07:847 Default (SA CTC-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID] [VID]
20161207 09:13:07:964 Default (SA CTC-P1) RECV phase 1 Main Mode [SA] [VID] [VID] [VID]
20161207 09:13:07:974 Default (SA CTC-P1) SEND phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20161207 09:13:08:201 Default (SA CTC-P1) RECV phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D] [VID]
20161207 09:13:08:210 Default (SA CTC-P1) SEND phase 1 Main Mode [HASH] [ID] [NOTIFY]
20161207 09:13:08:482 Default (SA CTC-P1) RECV phase 1 Main Mode [HASH] [ID]
20161207 09:13:08:482 Default phase 1 done: initiator id local.com, responder id xxxxxxxxxxx.dnsalias.com
20161207 09:13:08:483 Default (SA CTC-P1) renewal in 3088 seconds (10:04:36)
"renewal in 3088 seconds (10:04:36)" The renewal time is the exact time of losing the connection. Something goes wrong with the renewal...
Thanks,
Gyula
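A way to check the correlation noted in this comment across a whole client log, as an added example that is not part of the original thread: it pairs each "no response" traffic error with the SA renewal that fell due shortly before it. The sample lines are copied from the log excerpts quoted in the thread; the function names and the 120-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the VPN client log excerpts quoted in the thread.
SAMPLE_LOG = """\
20161207 09:13:08:483 Default (SA CTC-P1) renewal in 3088 seconds (10:04:36)
20161207 10:04:36:498 Default (SA CTC-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID] [VID]
20161207 10:04:37:056 Default (SA CTC-P1) renewal in 3412 seconds (11:01:29)
20161207 10:05:02:399 Default (SA CTC-ctc-P2) renewal in 1092 seconds (10:23:14)
20161207 10:05:13:694 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161207 10:05:24:194 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
"""

TS_FORMAT = "%Y%m%d %H:%M:%S:%f"   # trailing field is milliseconds
LINE = re.compile(r"^(\d{8} \d\d:\d\d:\d\d:\d{3}) (.*)$")
RENEWAL = re.compile(r"\(SA ([^)]+)\) renewal in (\d+) seconds")
NO_RESPONSE = re.compile(r"traffic: no response from (\S+)")


def parse(log_text):
    """Yield (timestamp, message) for each well-formed log line."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), TS_FORMAT), m.group(2)


def failures_after_renewal(log_text, window_s=120):
    """Pair each traffic failure with the latest SA renewal that fell due
    no more than window_s seconds before it (window_s is an assumption)."""
    due, hits = [], []              # due holds (due_time, sa_name)
    for ts, msg in parse(log_text):
        m = RENEWAL.search(msg)
        if m:
            due.append((ts + timedelta(seconds=int(m.group(2))), m.group(1)))
            continue
        m = NO_RESPONSE.search(msg)
        prior = [d for d in due if d[0] <= ts] if m else []
        if prior:
            when, sa = max(prior)
            gap = (ts - when).total_seconds()
            if gap <= window_s:
                hits.append((sa, when.strftime("%H:%M:%S"), m.group(1), round(gap, 1)))
    return hits


if __name__ == "__main__":
    for hit in failures_after_renewal(SAMPLE_LOG):
        print(hit)   # (SA name, renewal due, unreachable host, seconds after renewal)
```
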
- BGy, Dec 07, 2016 (Tutor)
And one more thing: I noticed that I have 3 active SAs in the firewall with 3 different IP addresses. The last one (ends with 105) is my current IP; the two lines above it are my earlier ones. But the Tx amounts are the same. Shouldn't DPD kill the earlier ones?
Thanks,
Gyula
- Dan_Z, Dec 08, 2016 (NETGEAR Expert)
Hi Gyula,
Thanks very much for your information!
I reproduced this case. If the VPN client closes abnormally (for example, closing the tunnel without clicking the close tunnel button), then after reconnecting the VPN it will display that the tunnel connection is normal, but the traffic can't pass through.
If that happens, you can use the following two ways to reconnect:
(1) On the VPN Client, use the "close tunnel" button to close the tunnel first, then reconnect the tunnel.
(2) Go to the device's "VPN->Connection Status->IPSec VPN Connection Status", disconnect the tunnel first, then reconnect the tunnel.
Thanks,
Dan