VPN no longer working between two FVS318Gv2

Froese
Aspirant

I have two FVS318Gv2 at two offices with a VPN tunnel between them that had worked fine until yesterday, when the Internet provider was changed at one location. Broadband ISP settings were changed and, under VPN settings, the new WAN IP for the location that changed was also updated. Everything works fine (Internet service, port forwarding) except the VPN.

Under VPN / Connection Status, both sides show "IPsec SA Established", but no traffic flows over this link now; even a ping from "Monitoring / Diagnostic" (via "Ping through VPN tunnel" to the LAN IP of the other device) does not work.

Here is the VPN log from one of the devices:

Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=48796823(0x2e89497)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=13496147(0xcdef53)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:58:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:44:23 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=96003188(0x5b8e474)
Wed Oct 19 14:44:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=54349087(0x33d4d1f)
Wed Oct 19 14:39:46 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=264155747(0xfbeb263)
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Sending Informational Exchange: delete payload[]
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  an undead schedule has been deleted: 'pk_recvupdate'.
Wed Oct 19 14:10:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Sending Informational Exchange: delete payload[]
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=105406563(0x6486063)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:16 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=102875942(0x621c326)
Wed Oct 19 14:10:16 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=17450749(0x10a46fd)
Wed Oct 19 14:10:15 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Initiating new phase 2 negotiation: 166.102.171.xxx[500]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Sending Informational Exchange: notify payload[608]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  ISAKMP-SA established for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:a85a6f598f0b9e1d:3d21e27b77064209
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  NAT not detected
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  NAT-D payload matches for 107.221.112.xxx[500]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  NAT-D payload matches for 166.102.171.xxx[500]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Received Vendor ID: KAME/racoon
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  For 107.221.112.xxx[500], Selected NAT-T version: RFC 3947
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Received Vendor ID: KAME/racoon
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Received Vendor ID: DPD
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Received Vendor ID: RFC 3947
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Deleting PH1, Disable the sacreate lock
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  ISAKMP-SA deleted for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:1d6fcad31f1aee28:4e88030e7378cbf3
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  Beginning Identity Protection mode.

Model: FVS318Gv2|ProSafe gigabit 8 port VPN firewall
Message 1 of 15
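As an added diagnostic example (this is not code from the thread, from NETGEAR, or from the router firmware), the Python script below parses the racoon-style IKE log posted above, pairs each phase-2 "IPsec-SA expired" line with the "IPsec-SA established" line carrying the same SPI to measure SA lifetimes, and states what the control plane does and does not prove. With "NAT not detected", IKE is negotiating over UDP/500 and NAT-T is off, so the encrypted payload leaves the router as raw ESP (IP protocol 50); the IKE log cannot show whether a device in the path forwards that protocol, which is exactly the gap that produces "SA established but no traffic". The sample lines are a subset of the thread's own log with the poster's "xxx" redaction kept; the 120-second churn threshold is an assumption.

```python
"""Summarise a racoon-style IKE log from an FVS318Gv2 (added example, not the page's code)."""
import re
from datetime import datetime

# Constructed sample: a subset of the log lines posted in the thread, newest first,
# with the WAN addresses left redacted as "xxx" exactly as the poster wrote them.
SAMPLE_LOG = """\
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=48796823(0x2e89497)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=13496147(0xcdef53)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:58:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:44:23 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=96003188(0x5b8e474)
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  ISAKMP-SA established for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:a85a6f598f0b9e1d:3d21e27b77064209
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO:  NAT not detected
"""

# Line layout as printed by the router: timestamp, tz, [device] [module] LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT (?P<tz>[+-]\d{4})\): "
    r"\[(?P<device>[^\]]+)\] \[(?P<module>[^\]]+)\] (?P<level>\w+):\s+(?P<msg>.*)$"
)
# Phase-2 (ESP) SA lifecycle lines carry direction and the decimal SPI
SA_RE = re.compile(
    r"IPsec-SA (?P<state>established|expired): ESP/Tunnel (?P<src>\S+)->(?P<dst>\S+) with spi=(?P<spi>\d+)"
)


def parse_line(line):
    """Return an event dict for one log line, or None if the line is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    event = {"ts": ts, "device": m["device"], "msg": m["msg"], "kind": "other"}
    sa = SA_RE.search(m["msg"])
    if sa:
        event.update(kind="ipsec_" + sa["state"], src=sa["src"], dst=sa["dst"], spi=int(sa["spi"]))
    elif m["msg"].startswith("ISAKMP-SA established"):
        event["kind"] = "isakmp_established"
    elif m["msg"] == "NAT not detected":
        event["kind"] = "nat_not_detected"
    elif m["msg"].startswith("NAT detected"):
        event["kind"] = "nat_detected"
    return event


def summarize(log_text):
    """Walk the log oldest-to-newest and pair each expired phase-2 SA with its establishment."""
    events = [e for e in (parse_line(raw) for raw in log_text.splitlines()) if e]
    events.reverse()                    # the router prints newest first
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order intact
    established_at, lifetimes, unmatched = {}, {}, []
    summary = {"isakmp_established": 0, "ipsec_established": 0, "ipsec_expired": 0, "nat_traversal": None}
    for e in events:
        kind = e["kind"]
        if kind == "isakmp_established":
            summary["isakmp_established"] += 1
        elif kind == "nat_not_detected":
            summary["nat_traversal"] = False
        elif kind == "nat_detected":
            summary["nat_traversal"] = True
        elif kind == "ipsec_established":
            summary["ipsec_established"] += 1
            established_at[e["spi"]] = e["ts"]
        elif kind == "ipsec_expired":
            summary["ipsec_expired"] += 1
            if e["spi"] in established_at:
                lifetimes[e["spi"]] = int((e["ts"] - established_at.pop(e["spi"])).total_seconds())
            else:
                unmatched.append(e["spi"])  # established before the captured window began
    summary["lifetimes_s"] = lifetimes
    summary["unmatched_expiries"] = unmatched
    summary["live_spis"] = sorted(established_at)  # SAs still active at the end of the log
    return summary


def diagnose(summary, churn_threshold_s=120):
    """Findings a defender can act on: which data-plane path must be open, and whether SAs churn."""
    findings = []
    if summary["ipsec_established"] and summary["nat_traversal"] is False:
        findings.append("IKE (UDP/500) completed phase 1 and 2 with NAT-T off, so payload travels as raw "
                        "ESP (IP protocol 50); verify every device upstream forwards ESP, the log cannot")
    if summary["ipsec_established"] and summary["nat_traversal"] is True:
        findings.append("NAT-T in use: payload is ESP encapsulated in UDP/4500; verify UDP/4500 is forwarded")
    short = [spi for spi, secs in summary["lifetimes_s"].items() if secs < churn_threshold_s]
    if short:
        findings.append(f"{len(short)} phase-2 SA(s) lived under {churn_threshold_s}s: renegotiation churn")
    return findings


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    for f in diagnose(s):
        print("-", f)
```

On the thread's log the matched SAs each live about 48 minutes before a clean rekey, so the control plane is healthy and nothing in it explains the failed ping; that is the point of the first finding, which sends the troubleshooter to the device in front of the router rather than to the IKE policy.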

All Replies
Danthem
NETGEAR Employee

Re: VPN no longer working between two FVS318Gv2

Check your inbound firewall rules on both sides of the VPN, make sure there isn't any "ANY"-service inbound rule.

Most of the time, when the tunnel comes up but traffic is not passing, it comes down to one of the following:

* Firewall rules
* Static routes
* ISP

You can also try rebooting both of the routers or recreating the VPN.

Message 2 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

Thanks. I've of course rebooted both ends numerous times.

  • Inbound, I've only got two services: TCP ports 5900-5901 and 10999-11102 on for any IP, all day.
  • I have no Static Routes on either end.
  • As for the ISP, yes this might be the issue; we changed from Earthlink Business to AT&T U-verse yesterday.

Again, everything else is working, even the tunnel comes up, but traffic won't pass through it. It sounds like a routing issue, but even if I try to ping the LAN IP of the other device using Diagnostics, Ping, with "Ping through VPN tunnel" checked and the correct VPN Policy selected, it comes up "Ping Failed."

Message 3 of 15
Dan_Z
NETGEAR Expert

Re: VPN no longer working between two FVS318Gv2

Hi Froese,
Welcome to the community!

Because the broadband ISP settings were changed on your devices, I suggest deleting all VPN configuration
and recreating it.

Below are the config steps for your reference:
1. Topology: FVS318Gv2-01[WAN]----[WAN]FVS318Gv2-02
2. Go to Security -> Firewall -> Attack Checks and enable "Respond to Ping on Internet Ports" on both FVS318Gv2
3. Make sure FVS318Gv2-01's WAN can ping FVS318Gv2-02's WAN; you can do it on the "Monitoring -> Diagnostics" page
4. Delete the VPN policies and IKE policies on both FVS318Gv2
5. Use the VPN Wizard to recreate the VPN policy

Thanks

Message 4 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

Thank you, but I have already deleted and re-created the VPN settings on both sides.

The issue seems to be with the AT&T supplied Pace 5268AC RG. Even though I've put the FVS318Gv2 in the RG's "DMZ+" and disabled everything else that I could find, it still seems to be blocking GRE packets (although the tunnel is set up.)

Message 5 of 15
Dan_Z
NETGEAR Expert

Re: VPN no longer working between two FVS318Gv2

Hi Froese,
Thanks for your reply.
Could you tell me the Internet connection mode: PPPoE, ADSL, or other?

Thanks.

Message 6 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

It's ADSL (AT&T U-Verse).

Now I am experiencing other problems: long load times for certain websites (sometimes they even time out, but work when re-tried.) Not sure if it's a DNS thing or related to this... which I am beginning to suspect now: something timing out and re-establishing every couple of seconds (and it seems to affect all Internet traffic).

Message 7 of 15
Dan_Z
NETGEAR Expert

Re: VPN no longer working between two FVS318Gv2

Hi Froese,
I suggest you use DDNS.

Thanks.

Message 8 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

Our WAN IP from AT&T is not static, but it has not changed since installation nearly 2 weeks ago, and I've read that other U-verse subscribers have reported that their IP didn't change for years, so I don't see why this would be necessary.

Message 9 of 15
Dan_Z
NETGEAR Expert

Re: VPN no longer working between two FVS318Gv2

Hi Froese,
You can try the following:
1. Change the mode of the dial-up device to passthrough mode
2. Then have the FVS318Gv2 use PPPoE to connect to the Internet
3. Establish the IPsec VPN between the 2 FVS318Gv2

Thanks.

Message 10 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

Yes, that is what I'd love to do, but it appears that the Pace 5268AC residential gateway (modem) that AT&T supplied can't be placed in bridging mode, so I've put the FVS318Gv2 in its "DMZ+" zone. Both devices have the same WAN IP, and two devices that have port forwarding on the LAN side of the 5268AC are accessible to me (I am dealing with this remotely.) At this point I am totally exasperated.

Message 11 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

I have now attempted several things that have made no difference; the VPN tunnel still doesn't work and websites often time out.

  • turned on IPv6 on the FVS318Gv2 and the AT&T RG (Pace 5268AC)
  • switched out the FVS318Gv2 with another one - no change; granted the VPN may not work if one unit is broken, but had the same issue with web traffic delays
  • connected the network directly to the AT&T RG (Pace 5268AC) - web traffic was fast, but of course have no VPN service.

AT&T tech stopped by and said we are having problems because there is a red light at the Ethernet jack on the Pace 5268AC (cable goes to the NetGear device), and that means this device or something on my network is mis-configured. However, he was not able to tell me specifically what was the problem.

Has anyone heard of this, and what mis-configuration is likely the cause?

Model: FVS318Gv2|ProSafe gigabit 8 port VPN firewall
Message 12 of 15
Dan_Z
NETGEAR Expert

Re: VPN no longer working between two FVS318Gv2

Hi Froese,
If the AT&T RG (Pace 5268AC) has a VPN pass-through function, please enable it.
If the VPN still does not work, I suggest doing a factory default on the FVS318Gv2 and trying again.

Thanks.

Message 13 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

It doesn't have bridging mode or "VPN passthrough", only "DMZ+", which works for everything else except VPN. I did reset to factory defaults; still no change 😞

Message 14 of 15
Froese
Aspirant

Re: VPN no longer working between two FVS318Gv2

I finally had an AT&T tech come out and replace the Pace 5268AC with a Motorola NVG589. Set it up as "pass-through" and now everything works fine. The tech said that this was a common problem for business customers using the Pace 5268. Apparently it just can't be made to pass VPN traffic.

Message 15 of 15