fishfood3

join:2003-07-24
Fairfax, VA

USG20 3.0 IPSec SAs never disconnect

I am doing L2TP over IPSec from my iPhone and iPad. I set up according to the instructions in the ZyXEL Support Note doc. Problem is that after I disconnect, the IPSec SA does not. The L2TP portion does break down immediately. End result is that after I connect from five different locations (max VPN sessions), no new connections are allowed and I have to log in to the USG and manually disconnect the tunnels. Any ideas how to resolve? Thanks


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
Enable 'Dead Peer Detection' on the USG and this should solve the issue assuming your clients support DPD (which I doubt that SW clients support ... but give it a try).

If that doesn't help then configure 'Connectivity Check' and that should solve the problem.

fishfood3

join:2003-07-24
Fairfax, VA
Thanks Brano. DPD was already enabled. Not sure I get how Connectivity Check works with a "dial up" type arrangement. Seems to make sense for a nailed up connection. Would you recommend using the "check the first and last address in the connection's remote policy" option?

I should also note that on the IPSec monitor, the timeout value for these "dead" connections shows zero. According to the manual, this "timeout" value is how much time remains before the ZyWALL automatically disconnects the IPSec SA.
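The symptom described in this thread is an IPsec SA whose remaining timeout already reads zero but that still occupies one of the limited VPN slots after its L2TP session has gone. The following script is an added example, not ZyXEL's code and not the ZyWALL's real monitor format: it takes a constructed SA monitor listing and a constructed L2TP session list (both formats are hypothetical), flags SAs that have no L2TP session behind them, and reports how many of the five session slots are still free, which is the check an administrator would otherwise do by eye on the IPSec monitor page.

```python
"""Flag 'ghost' IPsec SAs: SAs with timeout 0 and no live L2TP session.

The two tables below are constructed sample data in a hypothetical
column layout; they are not ZyWALL output.
"""

from dataclasses import dataclass

# The original poster's device allows five concurrent VPN sessions.
MAX_VPN_SESSIONS = 5

# Constructed IPsec SA monitor listing: name, remote peer, remaining timeout.
SA_MONITOR = """\
# name        remote_ip      timeout_s
L2TP_VPN_1    203.0.113.10   0
L2TP_VPN_2    203.0.113.22   1140
L2TP_VPN_3    198.51.100.7   0
L2TP_VPN_4    198.51.100.9   0
"""

# Constructed L2TP session listing: only one client is really connected.
L2TP_SESSIONS = """\
# user   remote_ip
alice    203.0.113.22
"""


@dataclass
class Sa:
    name: str
    remote_ip: str
    timeout_s: int


def _data_lines(text):
    """Yield non-empty, non-comment lines of a table."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_sa_table(text):
    """Parse the hypothetical SA monitor listing into Sa records."""
    sas = []
    for line in _data_lines(text):
        name, ip, timeout = line.split()
        sas.append(Sa(name, ip, int(timeout)))
    return sas


def parse_l2tp_peers(text):
    """Return the set of remote IPs that still have an L2TP session."""
    return {line.split()[1] for line in _data_lines(text)}


def find_ghost_sas(sas, active_peers):
    """An SA is a ghost when its timeout has run out (the ZyWALL should
    have torn it down) and no L2TP session exists for that peer."""
    return [sa for sa in sas
            if sa.timeout_s == 0 and sa.remote_ip not in active_peers]


def slots_remaining(sas, max_sessions=MAX_VPN_SESSIONS):
    """Free VPN slots, counting every SA that is still on the box."""
    return max(0, max_sessions - len(sas))


def report(sa_text=SA_MONITOR, l2tp_text=L2TP_SESSIONS):
    sas = parse_sa_table(sa_text)
    ghosts = find_ghost_sas(sas, parse_l2tp_peers(l2tp_text))
    free = slots_remaining(sas)
    return {"ghosts": [g.name for g in ghosts], "slots_free": free}


if __name__ == "__main__":
    r = report()
    print(f"ghost SAs to disconnect: {', '.join(r['ghosts']) or 'none'}")
    print(f"free VPN slots: {r['slots_free']} of {MAX_VPN_SESSIONS}")
```

With the constructed data, three of the four SAs are ghosts and only one slot is still free, which is exactly the "no new connections allowed" state the first post describes once the fifth location connects.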


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11

Did some more testing, this really seems like a bug. When L2TP disconnects the IPSec (in my opinion) should disconnect too, but it doesn't.

The connectivity check won't help much with Android (that's what I've tested) because Android is blocking all ports and not responding to pings, and I haven't found a way to make it pingable through 3G.

BTW: I see this same exact issue with SSL VPN ... once I disconnect the session won't die and soon I run out of concurrent users license.

I'll report it to ZyXel as a bug, please do the same.

fishfood3

join:2003-07-24
Fairfax, VA
said by Brano:

I'll report it to ZyXel as a bug, please do the same.

Will do. Thank you sir.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
The response from ZyXel is that this issue is already fixed in the date version of the firmware. Meaning it should be in the next formal release. ...need to wait and test.

EDIT: I've had the chance to test date version and the issue seems to be fixed.

Toplan

join:2012-07-31
Churdan, IA
I encountered the same problem on USG 100.
What firmware version do you have? Were problems found on USG 100?

Thanks

normeus

join:2012-07-29
Montclair, CA
I have a USG 200 with the same issue and the latest software (3.00). I have to check every 2 hours or so and manually delete the dead connections (VPN connections).

Toplan

join:2012-07-31
Churdan, IA
Yes, my firmware version is: 3.00(AQQ.2)
When I close the VPN connection from the client, the "timeout" value is set to 0, but if I don't close the connection manually the connection does not close automatically.

The user Brano wrote that he solved by installing the new version of firmware.
This is a public version or a beta version ?


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
The FW update is not public yet (but expected soon).

normeus

join:2012-07-29
Montclair, CA
this is my workaround:
create a user with admin rights and 0 for timeout so you are always logged in.
setup logmein in an internal computer
log in to your zywall
use your phone and logmein to login to your internal computer and delete the ghost clients.

Toplan

join:2012-07-31
Churdan, IA
reply to Brano
said by Brano:

The FW update is not public yet (but expected soon).

Thanks for your information.
We just have to wait for the official update.

I will try to feel Zyxel if they can release the version with the fix. (if possible)

kuzmeech1

join:2008-02-18
Cambridge, MA
reply to fishfood3
yes, observed the same problem with freezing L2TP sessions on our USG 200 and the latest public 3.00(AQU.2)C0.

Scenario to reproduce - put connected client machine to standby instead of explicit VPN disconnect in Windows. After wake up it couldn't connect to VPN, first VPN connection attempt would though kill the old session - looking unable to connect on Windows client, and the second attempt to connect would get connected.

Right now our unit (and the replacement unit with our simple config) after 2-7 days of normal operation is freezing HTTPS admin console (only shows login static screen, freezes after "login" pressed), VPN connectivity to LAN and SSH connectivity to the router itself from LAN (freezing after password entry). It's in semi-sane state still sending daily e-mail report with some bogus graphs and empty numbers. I'm communicating with Zyxel support now and strongly considering getting an old Dell server and building Linux router on Debian..

While it's frozen, fortunately NAT mappings and LAN to WAN connectivity is working, so I still can get to some LAN machines via mapped ports or via Hamachi.

normeus

join:2012-07-29
Montclair, CA
Kuzmeech1:
Call customer service. This is the same problem I had and they sent me a "beta" release firmware. ( see: "Zywall USG 200 will not let me in")Windows client computer shouldn't put adapter to sleep, of course; this is not the full issue but check your adapter to make sure windows does not put it to sleep. There is a patch from microsoft for some windows 7(64) computers. I am posting the link in case your computer has not been patched ( long shot but it worked for at least 2 of my VPN client computers )
KB Article Number(s): 980399
Language: All (Global)
Platform: x64
Location: (http://hotfixv4.microsoft.com/Windows%207/WindowsServer%202008%20R2/sp1/Fix304233/7600/free/408288_intl_x64_zip.exe)
 
The firewall should log you off but it is not doing it.
I have patched the system with new firmware so I will keep you posted.
Norm.


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
reply to fishfood3
said by fishfood3:

I am doing L2TP over IPSec from my iphone and ipad.

This issue is one of several that made me give up and run a Mac mini with the $20 server.app for my L2TP. After several iterations of Zyxel L2TP it might be the last reason for me to hold out, but I'm glad it's running without issue on my Mac server. Looking forward to reports of Zyxel solving the L2TP annoyances once and for all.


Brano
I hate Vogons
Premium,MVM
join:2002-06-25
Burlington, ON
kudos:11
The beta FW is fixing the L2TP issues (can't comment on OSX though).
PM me if you want to try it.


bbarrera
Premium,MVM
join:2000-10-23
Sacramento, CA
kudos:1
Thanks for the offer, but I'm very busy at work. I've tested ZyWALL L2TP compatibility with OSX/iOS too many times over the years, and was never happy with the result. Running L2TP on a Mac server is so easy... and it's only a $20 upgrade with the latest OSX release.

Gossi

join:2012-08-16
reply to Brano
I tested the issue on a ZyWALL USG 20W with the beta firmware, works like a treat.

Thank you very much for sharing the beta, Brano!

Beat