Reply

VPN between 2 netgear routers keeps dropping

bzness
Aspirant

VPN between 2 netgear routers keeps dropping

I am trying to set up a stable VPN tunnel between an FVS318G on one site, and an SRX5308 at another site. Both are connected to Xfinity modems, and both have stable internet connections, the SRX has a fixed IP address, the FVS318G a dynamic address managed through no-ip. 

I can set up a tunnel and it is stable for something like 10 - 12 hours, then it crashes. I think it also crashes when I try to use an L2TP login I have set up for my iPhone (that tunnel stays open, the box-to-box channel crashes).

 

The weird thing is when the tunnel crashes, box boxes still report the tunnel as open, but I can't access resources across the tunnel. Here is the VPN log of the FVS318. I have replaced the external IP addresses with "** ext IP ...", and masked the internal addresses.

 

There is a bit of weird stuff going on at 11:42, but in the end the firewall reports that VPN tunnels have been established between the extrenal IP addresses of the two firewalls (as usual, read from bottom):

 

2017 Oct  7 12:42:49 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=170635942(0xa2bb2a6)_

2017 Oct  7 12:42:49 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=40115734(0x2641e16)_

2017 Oct  7 12:42:48 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=140963799(0x866efd7)_

2017 Oct  7 12:42:48 [FVS318g] [IKE] Initiating new phase 2 negotiation: ** ext IP FVS318 **[0]<=>** ext IP SRX **[0]_

2017 Oct  7 12:42:48 [FVS318g] [IKE] Configuration found for ** ext IP SRX **._

2017 Oct  7 12:42:48 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=46243066(0x2c19cfa)_

2017 Oct  7 11:54:47 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=46243066(0x2c19cfa)_

2017 Oct  7 11:54:47 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=140963799(0x866efd7)_

2017 Oct  7 11:54:47 [FVS318g] [IKE] Purged IPsec-SA with proto_id=ESP and spi=14134305(0xd7ac21)._

2017 Oct  7 11:54:47 [FVS318g] [IKE] Purged IPsec-SA with proto_id=ESP and spi=193914864(0xb8ee7f0)._

2017 Oct  7 11:54:47 [FVS318g] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._

2017 Oct  7 11:54:47 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=14134305(0xd7ac21)_

2017 Oct  7 11:54:45 [FVS318g] [IKE] Initiating new phase 2 negotiation: ** ext IP FVS318 **[0]<=>** ext IP SRX **[0]_

2017 Oct  7 11:54:44 [FVS318g] [IKE] Using IPsec SA configuration: xxx.xxx.0.0/24<->xxx.xxx.3.1/24_

2017 Oct  7 11:54:44 [FVS318g] [IKE] Responding to new phase 2 negotiation: ** ext IP FVS318 **[0]<=>** ext IP SRX **[0]_

2017 Oct  7 11:54:44 [FVS318g] [IKE] Sending Informational Exchange: notify payload[608]_

2017 Oct  7 11:54:44 [FVS318g] [IKE] ISAKMP-SA established for ** ext IP FVS318 **[500]-** ext IP SRX **[500] with spi:12b13c141c03bb78:e887aef8f5b12e24_

2017 Oct  7 11:54:43 [FVS318g] [IKE] NAT not detected _

2017 Oct  7 11:54:43 [FVS318g] [IKE] NAT-D payload matches for ** ext IP SRX **[500]_

2017 Oct  7 11:54:43 [FVS318g] [IKE] NAT-D payload matches for ** ext IP FVS318 **[500]_

2017 Oct  7 11:54:43 [FVS318g] [IKE] Received Vendor ID: KAME/racoon_

2017 Oct  7 11:54:43 [FVS318g] [IKE] Configuration found for ** ext IP SRX **._

2017 Oct  7 11:54:43 [FVS318g] [IKE] Using IPsec SA configuration: xxx.xxx.0.0/24<->xxx.xxx.3.1/24_

2017 Oct  7 11:54:43 [FVS318g] [IKE] Setting DPD Vendor ID_

2017 Oct  7 11:54:42 [FVS318g] [IKE] For ** ext IP SRX **[500], Selected NAT-T version: RFC XXXX_

2017 Oct  7 11:54:42 [FVS318g] [IKE] DPD is Enabled_

2017 Oct  7 11:54:42 [FVS318g] [IKE] Received Vendor ID: DPD_

2017 Oct  7 11:54:42 [FVS318g] [IKE] Received unknown Vendor ID_

2017 Oct  7 11:54:42 [FVS318g] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__

2017 Oct  7 11:54:42 [FVS318g] [IKE] Received Vendor ID: RFC XXXX_

2017 Oct  7 11:54:42 [FVS318g] [IKE] Beginning Identity Protection mode._

2017 Oct  7 11:54:42 [FVS318g] [IKE] Received request for new phase 1 negotiation: ** ext IP FVS318 **[500]<=>** ext IP SRX **[500]_

2017 Oct  7 11:54:42 [FVS318g] [IKE] Configuration found for ** ext IP SRX **[500]._

                - Last output repeated 9 times -

2017 Oct  7 11:42:41 [FVS318g] [IKE] Could not find configuration for ** ext IP SRX **[1]_

2017 Oct  7 11:42:31 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=181435667(0xad07d13)_

2017 Oct  7 11:42:31 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=258919417(0xf6ecbf9)_

2017 Oct  7 11:42:30 [FVS318g] [IKE] Could not find configuration for ** ext IP SRX **[1]_

2017 Oct  7 11:42:10 [FVS318g] [IKE] ISAKMP-SA deleted for ** ext IP FVS318 **[500]-** ext IP SRX **[500] with spi:265d9a2f627fe9a6:98040755a4dfcdf2_

2017 Oct  7 11:42:09 [FVS318g] [IKE] Sending Informational Exchange: delete payload[]_

2017 Oct  7 11:42:09 [FVS318g] [IKE] ISAKMP-SA expired ** ext IP FVS318 **[500]-** ext IP SRX **[500] spi:265d9a2f627fe9a6:98040755a4dfcdf2_

2017 Oct  7 11:01:54 [FVS318g] [IKE] ISAKMP-SA deleted for ** ext IP FVS318 **[4500]-** ext IP SRX **[4500] with spi:9b4321b0651585bd:b4fd24c96dadad11_

2017 Oct  7 11:01:53 [FVS318g] [IKE] Sending Informational Exchange: delete payload[]_

2017 Oct  7 11:01:53 [FVS318g] [IKE] ISAKMP-SA expired ** ext IP FVS318 **[4500]-** ext IP SRX **[4500] spi:9b4321b0651585bd:b4fd24c96dadad11_

2017 Oct  7 10:54:30 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=258919417(0xf6ecbf9)_

2017 Oct  7 10:54:30 [FVS318g] [IKE] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=181435667(0xad07d13)_

 

On the SRX side the whole story looks like this:

 

It reports (at 11:54) that a tunnel is established between the external IPs of the boxes. then the SA expires and after the renegotiation is done (12:42) The SRX again reports that a tunnel has been established, but this time between the WAN address of the FVS318 and the LAN address of the SRX:

 

Sat Oct 07 12:42:49 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel xxx.xxx.3.1->** ext IP FVS318 ** with spi=40115734(0x2641e16)

Sat Oct 07 12:42:49 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->xxx.xxx.3.1 with spi=170635942(0xa2bb2a6)

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Responding to new phase 2 negotiation: xxx.xxx.3.1[0]<=>** ext IP FVS318 **[0]

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Floating ports for NAT-T with peer ** ext IP FVS318 **[500]

Sat Oct 07 12:42:47 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX **with spi=46243066(0x2c19cfa)

Sat Oct 07 12:42:47 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 23.24.148.81->** ext IP FVS318 ** with spi=140963799(0x866efd7)

Sat Oct 07 12:42:46 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX **with spi=193914864(0xb8ee7f0)

Sat Oct 07 11:54:46 2017 (GMT -0600): [SRX5308] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.

Sat Oct 07 11:54:46 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Sending Informational Exchange: delete payload[]

Sat Oct 07 11:54:46 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 23.24.148.81->** ext IP FVS318 ** with spi=140963799(0x866efd7)

Sat Oct 07 11:54:46 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX **with spi=46243066(0x2c19cfa)

Sat Oct 07 11:54:45 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

 

At that point I  lost the ability to access resources across the tunnel. So, the tunnel is stable for 10-12 hours, then something happens that makes it impossible to transmit data. On both sstems the logs show that a tunnel is established, but on the srx the tunnel switches from between the WAN addresses of the boxes to between the WAN address of one and the LAN address of the other. I don't know if that is the problem, but it seems strange to me.

I set the tunnel up as described in a document from this site, using the VPN Wizards. The lifetimes are set to 3,600 and 28,800 (defaults).

 

I shuldmention that I have fighting this for days. At one time I updated the firmware on the srx and that broke everything. I could not establish even contact between the boxes. Reverting to the older firmware fixed that again. The FVS318 has the latest firmware installed.

 

I should also mention that i Have another post going with the same problem here, but after I got a response that in the end turned out not helping, it has been quiet, without any responses. 

 

 

Model: FVS318G|ProSafe Gigabit 8 Port VPN Firewall,SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 9
bzness
Aspirant

Re: VPN between 2 netgear routers keeps dropping

It gets weirder:

 

While I was writing the post above, the problem fixed itself !! I am posting below the log from the SRX. As you can see after a lengthy negotiation, the SRX ended up again with tunnels between the WAN addresses of the boxes, and lo and bhold, I can access data again. So, why would the SRX switch from the WAN address to the LAN address? I don't know too little about the intricacies of the VPN negotiations to follow the log from where it lost the WAN address to where it corrected itself, but someone must have seen this before. What is the problem here?

 

I have to split the log into 2 posts, as there is a limit on length.

 

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Sending Informational Exchange: delete payload[]

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=4365434(0x429c7a)

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=131648604(0x7d8cc5c)

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:25:42 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Responding to new phase 2 negotiation: ** ext IP SRX **[0]<=>** ext IP FVS318 **[0]

Sat Oct 07 13:25:41 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP SRX **->** ext IP FVS318 ** with spi=153273464(0x922c478)

Sat Oct 07 13:25:41 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->** ext IP SRX ** with spi=116393517(0x6f0062d)

Sat Oct 07 13:25:40 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 2 negotiation: ** ext IP SRX **[0]<=>** ext IP FVS318 **[0]

Sat Oct 07 13:25:40 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Sending Informational Exchange: notify payload[INITIAL-CONTACT]

Sat Oct 07 13:25:40 2017 (GMT -0600): [SRX5308] [IKE] INFO:  ISAKMP-SA established for ** ext IP SRX **[500]-** ext IP FVS318 **[500] with spi:070ddfe8d3a00374:177ee617632b23e6

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  NAT not detected

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  NAT-D payload matches for ** ext IP FVS318 **[500]

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  NAT-D payload matches for ** ext IP SRX **[500]

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Received Vendor ID: KAME/racoon

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  For ** ext IP FVS318 **[500], Selected NAT-T version: RFC XXXX

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Received Vendor ID: KAME/racoon

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Received Vendor ID: DPD

Sat Oct 07 13:25:39 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Received Vendor ID: RFC XXXX

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:25:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:23:53 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 6445c7b073ed5d55:0000000000000000

Sat Oct 07 13:23:50 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:23:18 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:23:18 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:23:18 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:22:34 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:22:03 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:21:22 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. ae10131a098e29dd:0000000000000000

Sat Oct 07 13:21:16 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:20:45 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:20:45 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:20:45 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:20:05 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:19:32 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:18:52 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 12973c2b18d0bc41:0000000000000000

Sat Oct 07 13:18:48 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:18:17 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:18:17 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:18:17 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:17:33 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:17:02 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:16:46 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:16:21 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 6603935be3437384:0000000000000000

Sat Oct 07 13:16:14 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:16:14 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:16:14 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:16:09 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:15:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:15:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:15:38 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

 

 

Continued in next post. 

 

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 2 of 9
bzness
Aspirant

Re: VPN between 2 netgear routers keeps dropping

continuation of log:

 

Sat Oct 07 13:15:03 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:14:31 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:13:51 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 4180b9b0160ae252:0000000000000000

Sat Oct 07 13:13:47 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:13:16 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:13:16 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:13:16 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:12:32 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:12:01 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:11:05 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:10:44 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 1e5ebe9e6c54a358:0000000000000000

Sat Oct 07 13:10:34 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:10:34 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:10:34 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:09:25 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:08:54 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:06:00 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:05:59 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 2f6f06f556b4937f:0000000000000000

Sat Oct 07 13:05:29 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:05:29 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:05:29 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:04:40 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:04:09 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:02:15 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 55783624c7b12310:0000000000000000

Sat Oct 07 13:02:01 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:01:29 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:01:29 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:01:29 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 13:00:56 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 13:00:25 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:57:26 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 12:57:05 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for ** ext IP FVS318 **[500]. 1ebdde52616c0db7:0000000000000000

Sat Oct 07 12:56:55 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

 

Sat Oct 07 12:56:55 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 12:56:55 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:55:46 2017 (GMT -0600): [SRX5308] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP ** ext IP FVS318 **->** ext IP SRX **

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Initiating new phase 1 negotiation: ** ext IP SRX **[500]<=>** ext IP FVS318 **[500]

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:  remote configuration for identifier "** myDomainName **" found

Sat Oct 07 12:55:15 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:42:49 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel xxx.xxx.3.1->** ext IP FVS318 ** with spi=40115734(0x2641e16)

Sat Oct 07 12:42:49 2017 (GMT -0600): [SRX5308] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel ** ext IP FVS318 **->xxx.xxx.3.1 with spi=170635942(0xa2bb2a6)

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Using IPsec SA configuration: xxx.xxx.3.0/24<->xxx.xxx.0.1/24

Sat Oct 07 12:42:48 2017 (GMT -0600): [SRX5308] [IKE] INFO:  Responding to new phase 2 negotiation: xxx.xxx.3.1[0]<=>** ext IP FVS318 **[0]

Message 3 of 9
DaneA
NETGEAR Moderator

Re: VPN between 2 netgear routers keeps dropping

Hi @bzness,

 

If ever you have not yet configured Keep-Alive and Dead Peer Detection on both SRX5308 and FVS318G, I suggest you to configure Keep-Alive and Dead Peer Detection then check if same problem will occur.  Read pages 265-268 of the SRX5308 Reference Manual here and pages 5-53 to 5-55 of the FVS318G Reference Manual here about  Keep-Alives and Dead Peer Detection.  

 

You mentioned that you upgraded the firmware of the SRX5308 to the latest version.  Did you perform a factory reset on it the reconfigure it from scratch after upgrading the firmware?  It is best to reset the firewall to factory defaults then reconfigure it from scratch in order to start clean using the latest firmware version.  

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 4 of 9
DaneA
NETGEAR Moderator

Re: VPN between 2 netgear routers keeps dropping

@bzness,

 

I just want to follow-up on this.  Were you able to perform my suggestions? 

 

 

Regards,


DaneA

NETGEAR Community Team

Message 5 of 9
bzness
Aspirant

Re: VPN between 2 netgear routers keeps dropping

Hi DaneA,

 

Yes, I tried a few, but in the end, I think I found a solution (keeping my fingers crossed) after hours of googleing on the web and following a number of dead ends. Even on this site, the information is contradictory. Some people say that you MUST use the VPN Wizard, others say that you can't because it creates a bad record that you cannot fix later. There is a lot of confusion about what FDQN means (why do you have to select "FDQN" and then enter an IP address?), etc., etc.,

 

So, what I think has stabilized the VPN in my case was to do the followng:

 

Delete the IKE and VPN policies on both ends.

Reboot both routers.

Set up new IKE policies (manually ) on both ands and do NOT use the default Encrytions (I dropped it to DES and MD5).

Reboot both routers.

Set up new VPN policies (manually) on both ends, again with DES and MD5. I also use FDQNs everywhere (overwriting the auto-filled IP addresses), and make sure that the LAN segments are different, and that the subnets are specified with x.x.x.0 (some people had suggested to use x.x.x.1), and use 86400 as SA uptime.

Reboot both routers.

Keep your fingers crossed.

So far it's been up for about 36 hours, and the VPN logs look pretty orderly with an occasional Error that seems to fix itself.

 

Again, keeping my fingers crossed and hope for the best.

Message 6 of 9
DaneA
NETGEAR Moderator

Re: VPN between 2 netgear routers keeps dropping

@bzness,

 

I just want to follow-up on this.  Is the VPN connection between the SRX5308 and FVS318G still up? 

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 7 of 9
bzness
Aspirant

Re: VPN between 2 netgear routers keeps dropping

Yes, but I noticed that a couple of times someone with an unknown IP address tried to log in. The router blocked the entry, but that seemed to have created some problems and the router stopped logging and also stopped responding to my other router, which of course led to a breakdown. I updated the firmware to the last version (which gave me trouble last time I tried that, and this time it seems to have worked. I see one attempt to get into the system via VPN, and this time it did not break the VPPN channel. So, good for now, but still keeping fingers crossed.

Message 8 of 9
DaneA
NETGEAR Moderator

Re: VPN between 2 netgear routers keeps dropping

@bzness,

 

Thanks for the feedback.  I'm glad to know that the VPN connection is still up. Smiley Happy 

 

 

Cheers,

 

DaneA

NETGEAR Community Team

Message 9 of 9
Top Contributors
Discussion stats
  • 8 replies
  • 2181 views
  • 0 kudos
  • 2 in conversation
Announcements