
Forum Discussion

PaulKulessa
Aspirant
Aug 27, 2024
Solved

PR60X Site to Site IPSEC Site to Site VPN frequently drops and will not restart automatically

I have two PR60X routers with an IPSEC Site to Site VPN set up. The WAN links are AT&T fiber, 2 Gig on one end and 500 Gig on the other. When the VPN is up, it works OK. Unfortunately it frequently drops and does not restart, even though I believe I have it configured to restart. I use Insight to manage the network. I have tried using the "reconnect" icon that is visible when I hover over the VPN line, but it never seems to work. Eventually I found that I need to use Insight to disable the VPN, wait a few moments and then re-enable it. Most of the time doing one end will bring it back up. Other times I need to do it on both ends.

Does anyone have suggestions?

  • I'm finally reporting back with my solution. It did take some time for the engineers to figure this one out.

    I had two IPSec ports for Client to Site forwarded to my Synology NAS to do Client to Site VPN, because there was no license needed for their VPN service. And that VPN did work as long as I was on the internal network, but it would never connect from the outside. Now I know that the Netgear PR60x firmware also needs these ports for a reliable Site to Site VPN. Once I disabled those two port forwarding entries, the Site to Site VPN was stable.

    Then I was still left with the need for a Client to Site VPN. The options for Client to Site VPN from Netgear at that time all needed a rather expensive, in my opinion, license.

    Fortunately, shortly after we fixed the S2S VPN there was a firmware upgrade for the PR60x that included a VPN option from WireGuard, which is an open source no cost option.

    Well, the WireGuard solution was extremely easy to set up and it is working very well for me. Thanks to the support tech for letting me know about it.

    I am a happy network camper now.

9 Replies

  • Which firmware are your PR60X running? If it is not 2.4.x, please update to 2.4 firmware.

    The 2.4 firmware has an IPsec DPD bug fix. In old firmware, if the WAN port loses connection for longer than the DPD timeout, IPsec would stay disconnected even if the DPD option is set to restart.

    If your routers are already running the latest firmware, please open a help ticket with NETGEAR tech support, go to the PR60X maintenance menu, enable SDM and let the support agent know the SDM port number; engineering should be able to find out why the IPsec tunnel stays broken.

    •
      PaulKulessa
      Aspirant

      My current firmware is 2.4.0.104

      I will have to open a support ticket.

      Thanks

      •
        c3po2
        Apprentice

        Please also download the logs from both sites and provide them to the support team, so that we can analyze what the cause of the tunnel disconnection was and why it stayed disconnected. Thanks!

  • On one site, there are port forwarding rules set for UDP ports 4500 and 500; these ports are used by the IPsec site-to-site VPN. Please remove or change these two port forwarding rules, thanks.

    1. Use different ports if possible.

    2. Try to limit the port forward source IP (to exclude the site-to-site peer).

    •
      c3po2
      Apprentice

      3. If you need to access a server from mobile devices through the IPsec tunnel, you can also set up a client-to-site VPN to the PR60X and remove the IPsec port forwarding to the server.
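The conflict described in this answer (port forwards on UDP/500 and UDP/4500 stealing the IPsec ports, and the suggested fix of excluding the site-to-site peer from the forward's source filter) as an added audit example. This is not NETGEAR or PR60X code; the rule format, the rule names and the addresses are constructed, and the exported rules are assumed to be a list of dicts with a CIDR source list where an empty list means "any source".

```python
# Added example (not NETGEAR/PR60X code): audit exported port-forward rules for
# conflicts with an IPsec site-to-site tunnel, which needs UDP/500 (IKE) and
# UDP/4500 (NAT-T) to reach the router itself. Rule format is constructed.
import ipaddress

IPSEC_UDP_PORTS = {500: "IKE", 4500: "IPsec NAT-T"}

def audit_port_forwards(rules, peer_wan_ip):
    """Return one finding per rule that claims an IPsec UDP port on the WAN.

    severity "conflict": the rule's source filter (list of CIDRs; [] = any)
    still admits the remote site-to-site peer, so IKE/NAT-T packets from the
    peer go to the forwarded host instead of the router's IPsec service.
    severity "warning": the peer is excluded, but the port is still taken for
    every other source (e.g. a client-to-site IPsec VPN on the router).
    """
    peer = ipaddress.ip_address(peer_wan_ip)
    findings = []
    for rule in rules:
        if rule["proto"].lower() != "udp" or rule["wan_port"] not in IPSEC_UDP_PORTS:
            continue
        sources = rule.get("src", [])
        admits_peer = not sources or any(
            peer in ipaddress.ip_network(cidr, strict=False) for cidr in sources)
        findings.append({
            "rule": rule["name"],
            "port": rule["wan_port"],
            "service": IPSEC_UDP_PORTS[rule["wan_port"]],
            "severity": "conflict" if admits_peer else "warning",
        })
    return findings

# Constructed sample export mirroring the thread: IPsec ports forwarded to a NAS.
SAMPLE_RULES = [
    {"name": "nas-ike",  "proto": "udp", "wan_port": 500,  "dest": "192.168.1.20", "src": []},
    {"name": "nas-natt", "proto": "udp", "wan_port": 4500, "dest": "192.168.1.20",
     "src": ["198.51.100.0/24"]},  # source-limited, as item 2 suggests
    {"name": "https",    "proto": "tcp", "wan_port": 443,  "dest": "192.168.1.30", "src": []},
    {"name": "dns",      "proto": "udp", "wan_port": 53,   "dest": "192.168.1.40", "src": []},
]
REMOTE_PEER = "203.0.113.10"  # placeholder for the other site's WAN address

if __name__ == "__main__":
    for f in audit_port_forwards(SAMPLE_RULES, REMOTE_PEER):
        print(f"{f['severity']:8} {f['rule']:9} UDP/{f['port']} ({f['service']})")
```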