BGy
Nov 28, 2016 Tutor
IPSec VPN Connection lost
My client is a Netgear Prosafe VPN Client Lite 6.4 (Windows 10 Prof x64) and I connect to a FVS336Gv3 firewall in the office. I can connect usually without any problem, I can open a Windows Remote Des...
BGy
Dec 07, 2016 Tutor
I found something. In my previous comment the time of losing connection was 10:05:00. And at the beginning of the log I found this:
20161207 09:13:06:804 Default (SA CTC-ctc-P2) is opening.
20161207 09:13:07:847 Default (SA CTC-P1) SEND phase 1 Main Mode [SA] [VID] [VID] [VID] [VID] [VID]
20161207 09:13:07:964 Default (SA CTC-P1) RECV phase 1 Main Mode [SA] [VID] [VID] [VID]
20161207 09:13:07:974 Default (SA CTC-P1) SEND phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D]
20161207 09:13:08:201 Default (SA CTC-P1) RECV phase 1 Main Mode [KEY_EXCH] [NONCE] [NAT_D] [NAT_D] [VID]
20161207 09:13:08:210 Default (SA CTC-P1) SEND phase 1 Main Mode [HASH] [ID] [NOTIFY]
20161207 09:13:08:482 Default (SA CTC-P1) RECV phase 1 Main Mode [HASH] [ID]
20161207 09:13:08:482 Default phase 1 done: initiator id local.com, responder id xxxxxxxxxxx.dnsalias.com
20161207 09:13:08:483 Default (SA CTC-P1) renewal in 3088 seconds (10:04:36)
"renewal in 3088 seconds (10:04:36)" The renewal time is the exact time of losing connection. Something goes wrong about renewal...
Thanks,
Gyula
BGy
Dec 07, 2016 Tutor
And one more thing: I noticed that I have 3 active SAs in the firewall with 3 different IP addresses. The last one (ends with 105) is my current IP, the two lines above it are my earlier ones. But the Tx amounts are the same. Shouldn't the DPD kill the earlier ones?
Thanks,
Gyula
- Dan_Z Dec 08, 2016 NETGEAR Expert
Hi Gyula,
Thanks very much for your information!
I reproduced this case. If the VPN client closes abnormally (for example, the tunnel is closed without clicking the close tunnel button),
then after reconnecting the VPN, it will display that the tunnel connection is normal, but the traffic can't pass through.
If that happens, you can use the following two ways to reconnect:
(1) On the VPN Client, use the "close tunnel" button to close the tunnel first, then reconnect the tunnel.
(2) Go to device "VPN->Connection Status->IPSec VPN Connection Status", disconnect the tunnel first, then reconnect the tunnel.
Thanks,
Dan
- BGy Dec 13, 2016 Tutor
Hi Dan_Z,
thank you very much for your answer. If I try to reconnect I can, but I can no longer access the remote LAN.
As I see, P2 renewals work without any problem (after every approx. 1000 seconds), but after the first P1 renewal (approx. 3400s) something goes wrong, after it the client can't access the remote LAN.
To debug this I specified an IP address in the VPN Client at "Traffic verification after tunnel opened".
20161213 09:11:11:573 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161213 09:11:30:581 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161213 09:11:30:620 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161213 09:11:32:073 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161213 09:11:40:644 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161213 09:11:40:645 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161213 09:11:53:072 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161213 09:12:10:081 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161213 09:12:10:121 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161213 09:12:13:572 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161213 09:12:34:072 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161213 09:12:40:074 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161213 09:12:40:117 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
What can cause DPD to work while I can't access the remote LAN?
Thanks,
Gyula
- Dan_Z Dec 14, 2016 NETGEAR Expert
Hi Gyula,
Did you try deleting the VPN policy, then recreating it on the FVS336Gv3?
If not, please do it, then check whether you still have the same issue.
Thanks
Dan
- BGy Jan 02, 2017 Tutor
I tried it, unfortunately I still have the same issue.
Thanks
Gyula
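
An added example, not part of any post in this thread: a small Python script that checks a VPN client log for the pattern described above, where traffic checks start failing around the scheduled phase 1 renewal while DPD is still being acknowledged. The sample log is constructed in the format of the posted lines; the 60-second window and the rule that the phase 1 SA name ends in "-P1" are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the VPN client's console-log format (not the poster's log).
SAMPLE_LOG = """\
20161207 09:13:08:482 Default phase 1 done: initiator id local.example, responder id gw.example
20161207 09:13:08:483 Default (SA CTC-P1) renewal in 3088 seconds (10:04:36)
20161207 10:04:10:120 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:04:10:161 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:04:58:573 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
20161207 10:05:10:581 Default (SA CTC-P1) SEND Informational [HASH] [NOTIFY] type DPD_R_U_THERE
20161207 10:05:10:620 Default (SA CTC-P1) RECV Informational [HASH] [NOTIFY] type DPD_R_U_THERE_ACK
20161207 10:05:19:073 TIKEV1_OLDTGBIKE IKEv1 traffic: no response from 192.168.11.10 (error 11010)
"""

LINE = re.compile(r"^(\d{8} \d\d:\d\d:\d\d):(\d{3}) (.*)$")
RENEWAL = re.compile(r"\(SA (\S+)\) renewal in (\d+) seconds")

def parse(log):
    """Yield (timestamp, message) for each well-formed line; skip anything else."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y%m%d %H:%M:%S")
            yield ts + timedelta(milliseconds=int(m.group(2))), m.group(3)

def correlate(log, window=60):
    """Relate traffic-check failures to the scheduled phase 1 renewal."""
    renew_at, failures, acks = None, [], []
    for ts, msg in parse(log):
        m = RENEWAL.search(msg)
        if m and m.group(1).endswith("-P1"):  # assumption: P1 SA names end in -P1
            renew_at = ts + timedelta(seconds=int(m.group(2)))
        elif "IKEv1 traffic: no response from" in msg:
            failures.append(ts)
        elif "RECV" in msg and "DPD_R_U_THERE_ACK" in msg:
            acks.append(ts)
    first_fail = failures[0] if failures else None
    near = (renew_at is not None and first_fail is not None
            and abs((first_fail - renew_at).total_seconds()) <= window)
    # Peer still answers DPD after traffic failed: IKE SA is up, data path is not.
    dpd_alive = first_fail is not None and any(a > first_fail for a in acks)
    return {"renew_at": renew_at, "first_failure": first_fail,
            "failure_near_renewal": near, "dpd_ok_after_failure": dpd_alive}

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

When both flags are true, the IKE (phase 1) SA survived the renewal but the IPsec data path did not, which is the situation to compare against the firewall's list of active SAs.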