Re: USG 100 3.0 - VPN Issues?
I also found this exact problem after upgrading my USG200.
I could get one tunnel to build, but the other would never do anything but time out, and NO logs at all were created.
I'm using two standard IPsec site-to-site tunnels with Zywall 35s on the other end. Never had an issue prior to FW 3.00.
I later found that I could go into the VPN setup page, go to the VPN Gateway tab and then select "inactivate" on the rule that was part of the bad tunnel. Then, of course, apply that so the rule was indeed inactivated. Then I'd simply go back, highlight the inactivated rule under the VPN Gateway tab again, tell it to "activate" that rule and hit apply. As soon as I'd do that, the tunnel would build and worked fine, with full logging for that tunnel as well.
But... I found that after a random period usually between 24 to 36 hours (sometimes as few as three hours), one or both of the tunnels had dropped and would not build again unless I repeated the above steps.
While the tunnels were running, I could go into a machine on the other end of the tunnel via public IP, get into the ZW 35 from that machine and kill the tunnel. As soon as I enabled the tunnel again on the remote end, I could then use the USG200's GUI to tell the tunnels to connect, and they would with no problems and with full logging even!
I then started seeing issues where the USG200 with FW 3.00 would drop my WAN1 connection for no reason (again after about 24 to 36 hours usually), and I could not get it to reestablish the WAN1 connection without a power cycle or GUI restart.
I had another issue that I did not document (wish I did) as I'd pretty much given up on 3.00 at that time and went back to 2.20 AQU.4 and will stay here until they release another new 3.00 version.
Something (many things in my eyes) is borked big time in the first official 3.00 release.
I did give 3.00 another try the other day by resetting to defaults and building a minimal new configuration from scratch with just my two VPN tunnels, and still had the same exact VPN issues and no VPN logging when they would fail.
Oh, when I found this problem, I logged into a work machine directly and watched the ZW35 that the USG would not connect to over VPN, and it was not receiving any VPN-related packets at all while I watched its logs. Nothing, not a peep from the USG200.
I'll just stay on one of the 2.20 versions until I have a real need for IPv6 or until someone confirms that all issues are fixed in an upcoming 3.00 AQU.x release.
This 3.00 version has driven me crazy and was very unstable. When I lost WAN1 for no reason, I could no longer access anything behind the USG200 when trying to come in via WAN2.
I don't have all the firewall rules duplicated between WAN1 and WAN2, but I had enough that I should have been able to access one machine. But nope, nothing, so I've given up and will wait for the next release!
When I did the initial upgrade to 3.00, I did watch the process via the console port and also logged it all. The config file translated over just fine with no errors, so I was happy, but then the problems started. No fun.