jdmt
Premium
join:2002-05-06
Seattle, WA

USG 100 3.0 - VPN Issues?

Has anyone had issues getting VPN to work after upgrading to 3.0?

I upgraded my spare USG100 to 3.0 and can no longer connect site-site VPN tunnels to my production USG200 running 2.20.

Strange thing is, neither device shows any log activity. The connection attempt just times out with no further fanfare or log activity. Strange. I've checked all of the normal stuff.


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Did any settings change on the default side to affect VPN??

jdmt
Premium
join:2002-05-06
Seattle, WA
All of the settings look as they should...I am not seeing any major changes to the VPN options. What is most strange is the lack of any logging. The target USG200 is also not showing any activity...it does from other devices connecting though, so it would appear to me that the upgraded USG100 isn't even attempting to connect...

rpht

join:2000-12-28
Fort Myers, FL

1 edit
I have exactly the same issue with my USG 50. The only way I could get it to connect was to reboot the router. Once the connection drops it requires another reboot in order to connect. There is nothing in the log to show it tried to connect.

u475700
Premium
join:2004-02-16
reply to jdmt
I also encountered this issue with a USG20 after upgrading to 3.0. Finally reverted back to 2.21 to circumvent it.


meowBB

join:2002-01-21
Hayward, CA
reply to jdmt
L2TP connecting via iOS stopped working after upgrading to v3 (USG200).


Brad Bishop
Premium
join:2002-09-27
Atlanta, GA
reply to jdmt
Two things I've noticed with V3.0 (USG50):

- I can't get L2TP/IPSec to work - just get no response and I've checked the settings, firewall, etc. No luck.

- Reverting to previous configs also seems to trip it up. The config will error out (when it was OK before) or it seems to lock up and I have to reboot it.

I'm tempted to go back to v2.1 until they get the issues sorted.

Oh, the migration of my config from v2.1 to v3.0 was not a success, either. It's like there is something wrong with their saving of a config or backing up of a config. Not sure what, really, as I haven't dug into the individual files.

polarisdb

join:2004-07-12
USA
reply to jdmt
I haven't been able to get L2TP working on my USG 50 either. I followed the example in section 4.6.1 of the User's Guide as well as this iOS doc, and I can't get Windows or iOS clients to connect successfully.

For Windows XP/7, I get "[SA] : Tunnel [Default_L2TP_VPN_Connection] compatible IKE rule mismatch" despite configuring the Phase 2 stuff as per the examples and for iOS I get "SPI:0x0 SEQ:0x0 No rule found, Dropping packet" followed up by a "User L2TP-test has been denied from L2TP service.(Incorrect Username or Password)" despite the fact that this account/password works fine with my existing IPSEC connection.


meowBB

join:2002-01-21
Hayward, CA
reply to jdmt
My L2TP works and site to site ipsec works in v3.

»USGs firmwares


gargamel

@systeamnat.se
Some people, I among them, seem to have a working connection but a flawed routing, ending up with IPSec errors like
SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=152]

My routing is an incoming tunnel for Default_L2TP_VPN_Connection for any user, dest, etc. Next hop is Auto and DSCP masking set to preserve, and the SNAT is outgoing-interface.

This worked under 2.20. Can it be the culprit now?

Gate Array

join:2012-03-06
reply to jdmt
I got the same problem.
I had to roll back to 2.20.rev6.

It was not possible to connect using GreenBow ver 3.00

jdmt
Premium
join:2002-05-06
Seattle, WA
reply to meowBB
Good to hear yours is still working - just curious, do you see IKE and IPSEC activity in your logs? On my device, no IKE or IPSEC logs are generated during the "connection attempt" which leads me to believe no attempt is actually being made. Curious if that is a symptom of possibly another issue in and of itself.


meowBB

join:2002-01-21
Hayward, CA
said by jdmt:

Good to hear yours is still working - just curious, do you see IKE and IPSEC activity in your logs? On my device, no IKE or IPSEC logs are generated during the "connection attempt" which leads me to believe no attempt is actually being made. Curious if that is a symptom of possibly another issue in and of itself.

Yes, I see the IKE logs. One thing you can try is to clean all the browser cache and cookies before the upgrade. Then, clean all the cache and cookies after the upgrade. If that still doesn't work, then you can try to load the default settings on v2.22 and then do an upgrade as "Brano" suggested.


SuperTechie

@comcastbusiness.net
reply to jdmt
After the 3.0 upgrade on a USG 100 & 200, IPsec & SSL VPN's work better than ever. Cleared up issues with the SSL VPN EPS not working with the latest Java, and on the IPSec side my users are reporting better stability than ever. We used to have trouble with the IPSec VPN timing out every hour or so, and this appears to now be fixed. No trouble at all interconnecting V3 IPSec VPNs to V2.

Looks like the only trouble area is L2TP VPN's from reading the other posts. I don't use L2TP, so did not test.

Overall 2 thumbs up.


superataru

join:2004-12-07
Kearny, NJ
reply to jdmt
Hi.
If this could help.
I'm still waiting for an answer on the crash of my two HA USG100s at the HQ. Still on a sub-patch of 2.20AQQ6 (some problem with authentication via SSL), but I started updating remotes ...

Yesterday I updated one USG with 3 site-to-site VPNs and some SSL to IPSEC connections. Local are different VLANs.
It updated in 5mins and 30 seconds.
VPNs are working fine. No problems.

Mmmm

jdmt
Premium
join:2002-05-06
Seattle, WA
Just downgraded to 2.20 AQQ.6 and all is well again. Sigh.


superataru

join:2004-12-07
Kearny, NJ
I lost a part of the message I wrote above in the post.
During my first attempt to upgrade the USG via console (the second one, as the first from the web GUI failed ...), I reported some error messages because of dead configuration settings (AD no longer active, some test SSL with no workin' elements and so on) on which the update was stopping.
I removed them from startup-config.conf and the update went on, till zysh crashed.
Maybe I've got other "wrong" settings for the 3.00 requirements.

Dunno if I explained well what I mean.


gargamel

@systeamnat.se
reply to jdmt
Ok, so I got it to work.

The issue is that 3.0 is more picky when it comes to allowing traffic through. In 3.0 the L2TP ports need to be allowed explicitly and the IP Address Pool needs to be separate from the one used by the DHCP. (At least this worked for me.)

What I did was making sure that I have a rule from IPSec_VPN to ZyWall allowing all kinds of L2TP related traffic (AH, ESP, IKE, L2TP, NATT), and then I made sure that the IP pool used for the IPSec_VPN started where the DHCP ended. That did the trick.

Hope this can help anyone experiencing the dropped packets.
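Added example, not from this thread or from ZyXEL: a small Python check for the two things gargamel's fix relies on, an L2TP address pool that does not overlap the LAN DHCP pool, and an allow rule from the IPSec_VPN zone to the ZyWALL zone for each of the services he lists (AH, ESP, IKE, L2TP, NATT). The port and IP protocol numbers are the standard IANA assignments; every pool range, rule and zone name in the sample data is constructed for the example and is not taken from anyone's device.

```python
"""Sanity-check an L2TP/IPsec setup along the lines gargamel describes:
a disjoint L2TP pool, and an IPSec_VPN -> ZyWALL allow rule for every service.
All pool ranges and rule tables here are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# IANA-assigned UDP ports / IP protocol numbers for the services gargamel lists.
# proto "ip" means a raw IP protocol number rather than a UDP port.
REQUIRED_SERVICES = {
    "IKE":  ("udp", 500),
    "NATT": ("udp", 4500),
    "L2TP": ("udp", 1701),
    "ESP":  ("ip", 50),
    "AH":   ("ip", 51),
}


@dataclass(frozen=True)
class Rule:
    """One row of an ordered zone-to-zone firewall table (first match wins)."""
    from_zone: str
    to_zone: str
    proto: str     # "udp", "tcp", "ip" or "any"
    port: int      # port, IP protocol number, or 0 together with proto "any"
    action: str    # "allow" or "deny"


def pool_overlap(dhcp_start, dhcp_end, l2tp_start, l2tp_end):
    """Addresses handed out by both DHCP and the L2TP pool (empty when disjoint)."""
    def addrs(first, last):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        return set(range(lo, hi + 1))
    shared = addrs(dhcp_start, dhcp_end) & addrs(l2tp_start, l2tp_end)
    return [str(ipaddress.ip_address(n)) for n in sorted(shared)]


def _matches(rule, from_zone, to_zone, proto, port):
    if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
        return False
    return rule.proto == "any" or (rule.proto, rule.port) == (proto, port)


def missing_services(rules, from_zone="IPSec_VPN", to_zone="ZyWALL"):
    """Required services that the ordered rule table does not end up allowing."""
    missing = []
    for name, (proto, port) in REQUIRED_SERVICES.items():
        verdict = "deny"                      # implicit deny when nothing matches
        for rule in rules:
            if _matches(rule, from_zone, to_zone, proto, port):
                verdict = rule.action
                break
        if verdict != "allow":
            missing.append(name)
    return missing


def check_l2tp_setup(dhcp, l2tp, rules):
    """Collect human-readable findings; an empty list means both checks pass."""
    findings = []
    shared = pool_overlap(*dhcp, *l2tp)
    if shared:
        findings.append(f"L2TP pool overlaps DHCP on {len(shared)} address(es), e.g. {shared[0]}")
    for name in missing_services(rules):
        proto, port = REQUIRED_SERVICES[name]
        findings.append(f"no allow rule IPSec_VPN->ZyWALL for {name} ({proto} {port})")
    return findings


# Constructed "before": LAN1 DHCP .33-.254 with the L2TP pool carved out of it and
# only IKE allowed; "after": the pool starts where DHCP ends and all five are allowed.
DHCP_LAN1 = ("192.168.1.33", "192.168.1.254")
DHCP_TRIMMED = ("192.168.1.33", "192.168.1.199")
L2TP_POOL = ("192.168.1.200", "192.168.1.210")
RULES_BEFORE = [Rule("IPSec_VPN", "ZyWALL", "udp", 500, "allow")]
RULES_AFTER = [Rule("IPSec_VPN", "ZyWALL", p, n, "allow") for p, n in REQUIRED_SERVICES.values()]

if __name__ == "__main__":
    for label, dhcp, rules in (("before", DHCP_LAN1, RULES_BEFORE), ("after", DHCP_TRIMMED, RULES_AFTER)):
        print(label, check_l2tp_setup(dhcp, L2TP_POOL, rules) or ["ok"])
```

Running it prints one overlap finding plus four missing-service findings for the "before" table and "ok" for the "after" table; the rule check honours rule order, so a deny that sits above a broad allow is reported as missing, which is the kind of thing that is easy to miss when comparing a 2.20 config against 3.0 in the GUI.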


Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
Gargamel, look at Brano's post in the other threads. Mostly a matter of creating an additional firewall rule to allow L2TP (after the VPN tunnel is established), out of the tunnel or something to that effect.

tollota

join:2012-04-02
Alexandria, OH
reply to gargamel
I have the same issue, with a USG100 (3.00(AQQ.0) / 1.08) but routing from LAN1 to IPsec VPN.

He says:
Error / IPSec / SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=3] / 192.168.18.10 / 192.168.54.254

Policy Route was set from "any" to "net-54" and next hop to "vpn-tunnel" and "vpn-54"

Before changing the firmware version, it worked...
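Added example, not from this thread or from ZyXEL: a Python triage pass over the kinds of IPsec/L2TP log messages quoted by polarisdb, gargamel and tollota. It sorts each record into a bucket (no matching rule, IKE rule mismatch, L2TP user denied) and totals the dropped-packet counts per source/destination pair, which is the first thing to look at when the "No rule found" lines pile up. The log excerpt is constructed; the "severity / category / message / source / destination" field order is assumed from the single line tollota pasted, and the severities and categories on the other lines are made up.

```python
"""Bucket ZyWALL-style IPsec/L2TP log records and total drops per src->dst.
The sample records are constructed; only the message texts come from the thread.
"""
import re
from collections import Counter

HINT_NO_RULE = "no policy route or firewall rule covers this src->dst"
HINT_IKE_MISMATCH = "IKE proposal/rule mismatch between client and VPN gateway"
HINT_L2TP_AUTH = "L2TP user authentication refused after IPsec came up"
HINT_UNKNOWN = "unclassified"

# Message fragments as quoted in the thread, mapped to a triage hint.
TRIAGE = [
    (re.compile(r"No rule found, Dropping packet"), HINT_NO_RULE),
    (re.compile(r"compatible IKE rule mismatch"), HINT_IKE_MISMATCH),
    (re.compile(r"denied from L2TP service"), HINT_L2TP_AUTH),
]
COUNT_RE = re.compile(r"\[count=(\d+)\]")

# Constructed excerpt; field order assumed from tollota's line, severities made up.
SAMPLE_LOG = """\
Error / IPSec / SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=3] / 192.168.18.10 / 192.168.54.254
Error / IPSec / SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=152] / 192.168.18.10 / 192.168.54.254
Error / IPSec / SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=7] / 192.168.18.22 / 192.168.54.10
Warning / IKE / [SA] : Tunnel [Default_L2TP_VPN_Connection] compatible IKE rule mismatch / 203.0.113.8 / 198.51.100.1
Alert / L2TP / User L2TP-test has been denied from L2TP service.(Incorrect Username or Password) / 203.0.113.8 / 198.51.100.1
"""


def parse_line(line):
    """Split one ' / '-delimited record; None for lines that do not fit the shape."""
    parts = [p.strip() for p in line.split(" / ")]
    if len(parts) != 5:
        return None
    severity, category, message, src, dst = parts
    m = COUNT_RE.search(message)              # "[count=N]" means N repeats were folded
    return {"severity": severity, "category": category, "message": message,
            "src": src, "dst": dst, "count": int(m.group(1)) if m else 1}


def classify(message):
    for pattern, hint in TRIAGE:
        if pattern.search(message):
            return hint
    return HINT_UNKNOWN


def triage(log_text):
    """Return per-hint record counts and per-(src, dst) dropped-packet totals."""
    buckets = Counter()
    drops = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hint = classify(rec["message"])
        buckets[hint] += 1
        if hint == HINT_NO_RULE:
            drops[(rec["src"], rec["dst"])] += rec["count"]
    return {"buckets": dict(buckets), "drops_by_pair": dict(drops)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hint, n in result["buckets"].items():
        print(f"{n:3d}  {hint}")
    for (src, dst), n in sorted(result["drops_by_pair"].items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} packets dropped {src} -> {dst}")
```

The pair with the largest drop total is the one whose policy route or zone rule to check first; a mismatch bucket with no drops at all points at the Phase 1/2 proposals rather than at routing.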

kruser
Premium
join:2002-06-01
Eastern MO
reply to jdmt
I also found this exact problem after upgrading my USG200.

I could get one tunnel to build but the other would never do anything but timeout and NO logs at all were created.

I'm using two standard IPsec tunnels site to site with ZyWALL 35's on the other end. Never had an issue prior to FW 3.00.

I later found that I could go into the VPN setup page and go to the VPN Gateway tab and then select "inactivate" on the rule that was part of the bad tunnel. Then of course apply that so the rule was indeed inactivated. Then I'd simply go back and highlight the inactivated rule under the VPN Gateway tab again and tell it to "activate" that rule and hit apply. As soon as I'd do that, the tunnel would build and worked fine with full logging for that tunnel as well.
But... I found that after a random period usually between 24 to 36 hours (sometimes as few as three hours), one or both of the tunnels had dropped and would not build again unless I repeated the above steps.
While the tunnels were running, I could go into a machine on the other end of the tunnel via public IP and get into the ZW 35 from that machine and kill the tunnel. As soon as I enabled the tunnel again on the remote end, I could then use the USG200's GUI and tell the tunnels to connect and they would with no problems and with full logging even!

I then started seeing issues where the USG200 with FW 3.00 would drop my WAN1 connection for no reason (again after about 24 to 36 hours usually) and I could not get it to reestablish the WAN 1 connection without a power cycle or GUI restart.

I had another issue that I did not document (wish I did) as I'd pretty much given up on 3.00 at that time and went back to 2.20 AQU.4 and will stay here until they release another new 3.00 version.
Something (many things in my eyes) is borked big time in the first official 3.00 release.
I did give 3.00 another try the other day by resetting to defaults and building a minimal new configuration from scratch with just my two VPN tunnels and still had the same exact VPN issues and no VPN logging when they would fail.
Oh, when I found this problem, I logged into a work machine directly and watched the ZW35 that the USG would not connect to over VPN and it was not receiving any VPN related packets at all while I watched its logs. Nothing, not a peep from the USG200.

I'll just stay on one of the 2.20 versions until I have a real need for IP V6 or when someone confirms that all issues are fixed in an upcoming 3.00 AQU.x release.

This 3.00 version has driven me crazy and was very unstable. When I lost WAN1 for no reason, I could no longer access anything behind the USG200 when trying to come in via WAN2.
I don't have all the firewall rules duplicated between WAN1 and 2 but I had enough that I should have been able to access one machine but nope, nothing so I've given up and will wait for the next release!

When I did the initial upgrade to 3.00, I did watch the process via the console port and also logged it all but the config file translated over just fine with no errors so I was happy but then the problems started. No fun.