VPN no longer working between two FVS318Gv2
I have two FVS318Gv2 at two offices with a VPN tunnel between them that has worked fine until yesterday, when the Internet provider was changed at one location. Broadband ISP settings were changed and, under VPN settings, the new WAN IP for the location that changed was also changed. Everything works fine (Internet service, port forwarding) except the VPN.
Under VPN / Connection Status, both sides show "IPsec SA Established", but no traffic flows over this link now; even a ping from "Monitoring / Diagnostic" (via "Ping through VPN tunnel" to the LAN IP of the other device) does not work.
Here is the VPN log from one of the devices:
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=48796823(0x2e89497)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=13496147(0xcdef53)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:58:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:44:23 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=96003188(0x5b8e474)
Wed Oct 19 14:44:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=54349087(0x33d4d1f)
Wed Oct 19 14:39:46 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=264155747(0xfbeb263)
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: delete payload[]
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed Oct 19 14:10:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: delete payload[]
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=105406563(0x6486063)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:16 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=102875942(0x621c326)
Wed Oct 19 14:10:16 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=17450749(0x10a46fd)
Wed Oct 19 14:10:15 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Initiating new phase 2 negotiation: 166.102.171.xxx[500]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: notify payload[608]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: ISAKMP-SA established for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:a85a6f598f0b9e1d:3d21e27b77064209
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT not detected
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 107.221.112.xxx[500]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 166.102.171.xxx[500]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: KAME/racoon
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: For 107.221.112.xxx[500], Selected NAT-T version: RFC 3947
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: KAME/racoon
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: DPD
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Deleting PH1, Disable the sacreate lock
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: ISAKMP-SA deleted for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:1d6fcad31f1aee28:4e88030e7378cbf3
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Beginning Identity Protection mode.
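An added example, not part of the original post: a short Python script that reads a log in the format above and reports how long each IPsec SA lived and how closely spaced the phase 2 negotiations were. The log records only the IKE negotiation, so an "established" SA does not by itself show that ESP packets get through the path. The sample lines are constructed with documentation addresses, and the function names and the 30-second window are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the log above (newest entry first).
SAMPLE_LOG = """\
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 203.0.113.20->198.51.100.10 with spi=10825899(0xa530ab)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 203.0.113.20->198.51.100.10 with spi=10825899(0xa530ab)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 198.51.100.10[0]<=>203.0.113.20[0]
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 203.0.113.20->198.51.100.10 with spi=235429450(0xe085e4a)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 198.51.100.10[0]<=>203.0.113.20[0]
Wed Oct 19 14:10:15 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Initiating new phase 2 negotiation: 198.51.100.10[500]<=>203.0.113.20[0]
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \(GMT [+-]\d{4}\): .*?INFO: (.*)$")
SA = re.compile(r"IPsec-SA (established|expired): ESP/Tunnel \S+->\S+ with spi=(\d+)")

def parse(text):
    """Return (timestamp, message) pairs in chronological order."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rows.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return sorted(rows, key=lambda r: r[0])

def sa_lifetimes(rows):
    """Map SPI -> seconds from 'established' to 'expired' (None if no expiry logged)."""
    start, life = {}, {}
    for ts, msg in rows:
        m = SA.search(msg)
        if not m:
            continue
        spi = int(m.group(2))
        if m.group(1) == "established":
            start[spi], life[spi] = ts, None
        elif spi in start:
            life[spi] = int((ts - start[spi]).total_seconds())
    return life

def rapid_phase2(rows, window=30):
    """Gaps in seconds between consecutive phase 2 negotiations shorter than `window`."""
    times = [ts for ts, msg in rows if "new phase 2 negotiation" in msg]
    gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return [g for g in gaps if g < window]

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(sa_lifetimes(rows))
    print(rapid_phase2(rows))
```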
Accepted Solutions
I finally had an AT&T tech come out and replace the Pace 5268AC with a Motorola NVG589. Set it up as "pass-through" and now everything works fine. The tech said that this was a common problem for business customers using the Pace 5268. Apparently it just can't be made to pass VPN traffic.
All Replies
Re: VPN no longer working between two FVS318Gv2
Check your inbound firewall rules on both sides of the VPN, make sure there isn't any "ANY"-service inbound rule.
Most of the time, when the tunnel comes up but traffic is not passing, it comes down to one of the following:
* Firewall rules
* Static routes
* ISP
You can also try rebooting both of the routers or recreating the VPN.
Re: VPN no longer working between two FVS318Gv2
Thanks. I've of course rebooted both ends numerous times.
- Inbound, I've only got two services: TCP ports 5900-5901 and 10999-11102 on for any IP, all day.
- I have no Static Routes on either end.
- As for the ISP, yes, this might be the issue; we changed from Earthlink Business to AT&T U-verse yesterday.
Again, everything else is working, even the tunnel comes up, but traffic won't pass through it. It sounds like a routing issue, but even if I try to ping the LAN IP of the other device using Diagnostics, Ping, with "Ping through VPN tunnel" checked and the correct VPN Policy selected, it comes up "Ping Failed."
Re: VPN no longer working between two FVS318Gv2
Hi Froese,
Welcome to the community!
Because the broadband ISP settings were changed on your devices, I suggest deleting all VPN configuration and recreating it.
Below are the config steps for your reference:
1. Topology: FVS318Gv2-01[WAN]----[WAN]FVS318Gv2-02
2. Go to Security->Firewall->Attack Checks, enable Respond to Ping on Internet Ports on the 2 FVS318Gv2
3. Make sure FVS318Gv2-01's WAN can ping FVS318Gv2-02's WAN; you can do it on the "Monitoring->Diagnostics" page
4. Delete the VPN policies and IKE policies on the 2 FVS318Gv2
5. Use the VPN Wizard to recreate the VPN policy
Thanks
Re: VPN no longer working between two FVS318Gv2
Thank you, but I have already deleted and re-created the VPN settings on both sides.
The issue seems to be with the AT&T supplied Pace 5268AC RG. Even though I've put the FVS318Gv2 in the RG's "DMZ+" and disabled everything else that I could find, it still seems to be blocking GRE packets (although the tunnel is set up).
Re: VPN no longer working between two FVS318Gv2
Hi Froese,
Thanks for your reply.
Could you tell me the internet connection mode: PPPOE, ADSL or other?
Thanks.
Re: VPN no longer working between two FVS318Gv2
It's ADSL (AT&T U-Verse).
Now I am experiencing other problems: long load times for certain websites (sometimes they even time out, but work when re-tried). Not sure if it's a DNS thing or related to this... which I am beginning to suspect now: something timing out and reestablishing every couple of seconds (and it seems to affect all Internet traffic).
Re: VPN no longer working between two FVS318Gv2
Hi Froese,
Suggest you use DDNS.
Thanks.
Re: VPN no longer working between two FVS318Gv2
Our WAN IP from AT&T is not static, but it has not changed since installation nearly 2 weeks ago, and I've read that other U-verse subscribers have reported that their IP didn't change for years, so I don't see why this would be necessary.
Re: VPN no longer working between two FVS318Gv2
Hi Froese,
You can try the following:
1. Change the mode of the dial-up device to passthrough mode
2. Then have the FVS318Gv2 use PPPOE to connect to the internet
3. Establish the IPSec VPN between the 2 FVS318Gv2
Thanks.
Re: VPN no longer working between two FVS318Gv2
Yes, that is what I'd love to do, but it appears that the Pace 5268AC residential gateway (modem) that AT&T supplied can't be placed in bridging mode, so I've put the FVS318Gv2 in its "DMZ+" zone. Both devices have the same WAN IP, and two devices that have port forwarding on the LAN side of the 5268AC are accessible to me (I am dealing with this remotely.) At this point I am totally exasperated.
Re: VPN no longer working between two FVS318Gv2
I have now attempted several things that have made no difference; the VPN tunnel still doesn't work and websites often time out.
- turned on IPv6 on FVS318v2 and the AT&T RG (Pace 5268AC)
- switched out the FVS318Gv2 with another one - no change; granted, VPN may not work if one unit is broken, but had the same issue with web traffic delays
- connected network directly to AT&T RG (Pace 5268AC) - web traffic was fast, but of course have no VPN service.
AT&T tech stopped by and said we are having problems because there is a red light at the Ethernet jack on the Pace 5268AC (cable goes to the NetGear device), and that means this device or something on my network is mis-configured. However, he was not able to tell me specifically what the problem was.
Has anyone heard of this, and what mis-configuration is likely the cause?
Re: VPN no longer working between two FVS318Gv2
Hi Froese,
If the AT&T RG (Pace 5268AC) has a VPN pass-through function, please enable it.
If the VPN still does not work, I suggest doing a factory default on the FVS318Gv2 and trying again.
Thanks.
Re: VPN no longer working between two FVS318Gv2
It doesn't have bridging mode or "VPN passthrough", only "DMZ+", which works for everything else except VPN. I did reset to factory defaults; still no change 😞