jmfranzen (Aspirant), Nov 12, 2015
Netgear FVS318G Site to Site VPN tunnel
This tunnel has been working correctly and was reconfigured after the ISP at both sites was switched to another provider.
About a month later a staff member noticed corruption in files copied over the VPN.
Looking at the VPN logs, it seems the IPsec keeps dropping and reconnecting every 15 minutes.
Any ideas?
Thanks,
Joe
6 Replies
- jmfranzen (Aspirant)
Here is a sample of the VPN logs. WAN IPs replaced with Site1 / Site2 names.
2015 Nov 12 00:52:52 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=123970818(0x763a502)_
2015 Nov 12 00:52:52 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site2->Site1 with spi=261599364(0xf97b084)_
2015 Nov 12 00:52:51 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site2->Site1 with spi=95241123(0x5ad43a3)_
2015 Nov 12 00:52:51 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site1->Site2 with spi=71402831(0x441854f)_
2015 Nov 12 00:52:51 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.0.0/24<->192.168.1.0/24_
2015 Nov 12 00:52:51 [FVS318g] [IKE] Responding to new phase 2 negotiation: Site1[0]<=>Site2[0]_
2015 Nov 12 00:04:50 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=71402831(0x441854f)_
2015 Nov 12 00:04:50 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site2->Site1 with spi=95241123(0x5ad43a3)_
2015 Nov 12 00:04:50 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.0.0/24<->192.168.1.0/24_
2015 Nov 12 00:04:49 [FVS318g] [IKE] Responding to new phase 2 negotiation: Site1[0]<=>Site2[0]_
2015 Nov 12 00:04:49 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site2->Site1 with spi=152647891(0x91938d3)_
2015 Nov 12 00:04:49 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site1->Site2 with spi=133067226(0x7ee71da)_
2015 Nov 11 23:16:48 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=133067226(0x7ee71da)_
2015 Nov 11 23:16:48 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site2->Site1 with spi=152647891(0x91938d3)_
2015 Nov 11 23:16:48 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.0.0/24<->192.168.1.0/24_
2015 Nov 11 23:16:47 [FVS318g] [IKE] Responding to new phase 2 negotiation: Site1[0]<=>Site2[0]_
2015 Nov 11 23:16:47 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site2->Site1 with spi=103178078(0x6265f5e)_
2015 Nov 11 23:16:47 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site1->Site2 with spi=231509542(0xdcc8e26)_
2015 Nov 11 22:28:46 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=231509542(0xdcc8e26)_
2015 Nov 11 22:28:46 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site2->Site1 with spi=103178078(0x6265f5e)_
2015 Nov 11 22:28:46 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.0.0/24<->192.168.1.0/24_
2015 Nov 11 22:28:45 [FVS318g] [IKE] Responding to new phase 2 negotiation: Site1[0]<=>Site2[0]_
2015 Nov 11 22:28:45 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site2->Site1 with spi=155868931(0x94a5f03)_
2015 Nov 11 22:28:45 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site1->Site2 with spi=219767050(0xd19610a)_
- adit (Mentor)
Do you have static IPs or DHCP WAN IPs?
Public IPs on the 318 WANs?
What are the SA Lifetimes in all 4 places?
Are both 318s?
Which firmware on each?
- jmfranzen (Aspirant)
Both are using DHCP, as the static IPs assigned are in the wrong subnet and I am trying to get COX to remedy this issue.
Got both upgraded to the newest firmware.
Maxed out the SA lifetime to 24 hours.
Identical FVS318Gs purchased at the same time.
- adit (Mentor)
Always list the specific firmware. The "latest" means nothing if a new firmware gets released the next day.
How often are your public IPs changing?
I've seen ISPs (VZ DSL) change IPs via DHCP as often as once a minute. Every time that IP changes the tunnel will drop.
Having DHCP on the WAN you should lower the SA Lifetimes. I use 3600 at most on dynamic WANs, less if ISP DHCP expiration is set shorter than an hour (match the expiration time).
Static IPs I use 86400.
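Added example, not part of any post in this thread: a Python sketch that parses the `[IKE] IPsec-SA established/expired` lines in the format posted above and measures, per SPI, how long each SA lived and how often the tunnel rekeys, so the observed values can be compared with the SA lifetime configured on each router. The regex is derived from the posted log lines, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: a subset of the log lines posted in the thread (newest first).
SAMPLE_LOG = """\
2015 Nov 12 00:52:52 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=123970818(0x763a502)_
2015 Nov 12 00:52:51 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site1->Site2 with spi=71402831(0x441854f)_
2015 Nov 12 00:52:51 [FVS318g] [IKE] Responding to new phase 2 negotiation: Site1[0]<=>Site2[0]_
2015 Nov 12 00:04:50 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=71402831(0x441854f)_
2015 Nov 12 00:04:49 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel Site1->Site2 with spi=133067226(0x7ee71da)_
2015 Nov 11 23:16:48 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel Site1->Site2 with spi=133067226(0x7ee71da)_
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \[[^\]]+\] \[IKE\] "
    r"IPsec-SA (?P<event>established|expired): ESP/Tunnel "
    r"(?P<direction>\S+->\S+) with spi=(?P<spi>\d+)\("
)

def parse_sa_events(log_text):
    """Return (timestamp, event, direction, spi) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # other IKE messages (negotiation, SA configuration) are skipped
            ts = datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S")
            events.append((ts, m["event"], m["direction"], int(m["spi"])))
    return sorted(events)

def sa_lifetimes(events):
    """Seconds between 'established' and 'expired' for each SPI seen with both."""
    born, lifetimes = {}, {}
    for ts, event, _direction, spi in events:
        if event == "established":
            born[spi] = ts
        elif spi in born:
            lifetimes[spi] = int((ts - born[spi]).total_seconds())
    return lifetimes

def rekey_intervals(events, direction):
    """Seconds between successive SA establishments in one tunnel direction."""
    times = [ts for ts, ev, d, _ in events if ev == "established" and d == direction]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    ev = parse_sa_events(SAMPLE_LOG)
    print("SA lifetimes (s):", sa_lifetimes(ev))
    print("Rekey intervals (s):", rekey_intervals(ev, "Site1->Site2"))
```

Run it over the full log export from both routers and compare the measured lifetimes with the Phase 2 SA lifetime set on each end.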