|
Another USG 50 newb...Cisco VPN Client getting droppedI recently purchased a new Zywall USG50 for home, everything has been working fine until I decided to work from home. My work laptop is using Cisco VPN Client 4.7 to connect to the office, but I keep getting kicked off vpn every 3-5 minutes. Everything works fine if I put my old router back online, but I'm hoping I dont have to do that.
I even attempted to DISABLE the FIREWALL to see if that would help, but same results. Keep getting kicked off my cisco vpn. Hoping someone can assist and teach a newb a fe new tricks. Thanks much...
26 2012-12-14 14:43:36 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=24] XXX.XXX.XXX.XX:4500 XX.XX.XX.XXX:4500 ipsec 27 2012-12-14 14:43:32 info IKE [COOKIE] Invalid cookie, no sa found [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 28 2012-12-14 14:43:32 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 29 2012-12-14 14:43:32 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=2] 12.230.209.70:4500 XXX.XXX.XXX.XX:4500 ipsec 30 2012-12-14 14:43:24 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=14] XXX.XXX.XXX.XX:4500 XXX.XXX.XXX.XX:4500 ipsec 31 2012-12-14 14:43:17 info IKE [COOKIE] Invalid cookie, no sa found [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 32 2012-12-14 14:43:17 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 33 2012-12-14 14:43:17 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=4] 12.230.209.70:4500 XXX.XXX.XXX.XX:4500 ipsec 34 2012-12-14 14:43:13 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=7] XXX.XXX.XXX.XX:4500 XXX.XXX.XXX.XX:4500 ipsec 35 2012-12-14 14:43:04 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet 12.230.209.70:4500 XXX.XXX.XXX.XX:4500 ipsec 36 2012-12-14 14:43:02 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=17] XXX.XXX.XXX.XX:4500 XXX.XXX.XXX.XX:4500 ipsec 37 2012-12-14 14:43:02 info IKE [COOKIE] Invalid cookie, no sa found [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 38 2012-12-14 14:43:02 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 39 2012-12-14 14:42:51 info IKE [COOKIE] Invalid cookie, no sa found [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG 40 2012-12-14 14:42:51 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
|
|
bbarrera MVM join:2000-10-23 Sacramento, CA |
Try disabling IPSec VPN on the USG50. |
|
|
Disabled and rebooted router. Still getting kicked off my work vpn client. |
|
|
SuperTechie to kasper501
Anon
2012-Dec-14 11:07 am
to kasper501
Not sure from what is posted, but at 1st glance it looks like your USG is trying to negotiate the Cisco IPsec VPN instead of your workstation client. You might check to disable or change any VPN configs so that the USG doesn't try to negotiate the VPN. |
|
|
I went to Configuration --> VPN and made sure that everything was disabled, but I'm still getting dropped. Here's another log dump after I disabled IPsec VPN in my router configuration.
71.74.XXX.XXX = MY WAN IP 170.218.XXX.XX = WORK VPN Server IP
# Time Priority Category Message Source Source Interface Destination Destination Interface Protocol Note 1 2012-12-14 16:19:19 info IKE [COOKIE] Invalid cookie, no sa found 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 2 2012-12-14 16:19:19 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 3 2012-12-14 16:19:10 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=20] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec 4 2012-12-14 16:19:03 info IKE [COOKIE] Invalid cookie, no sa found [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 5 2012-12-14 16:19:03 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 6 2012-12-14 16:18:59 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=9] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec 7 2012-12-14 16:18:47 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=14] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec 8 2012-12-14 16:18:47 info IKE [COOKIE] Invalid cookie, no sa found [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 9 2012-12-14 16:18:47 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 10 2012-12-14 16:18:36 notice Firewall priority:3, from WAN to ZyWALL, TCP, service others, DROP [count=3] 183.160.137.42:52699 wan1 71.74.XXX.XXX:8080 tcp ACCESS BLOCK 11 2012-12-14 16:18:36 info IKE [COOKIE] Invalid cookie, no sa found [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 12 2012-12-14 16:18:36 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=10] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec 13 2012-12-14 16:18:36 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 14 2012-12-14 16:18:25 info IKE [COOKIE] Invalid cookie, no sa found [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 15 2012-12-14 16:18:25 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG 16 2012-12-14 16:18:23 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=14] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec 17 2012-12-14 16:18:12 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=8] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
|
|
|
to kasper501
Did you reboot after making the changes?
k |
|
|
Yes, I did reboot after each change. Thanks. |
|
bbarrera MVM join:2000-10-23 Sacramento, CA |
From the logs it sure looks like your router config has: - PORT FORWARDING of UDP ports 500 and 4500 - FIREWALL rule allowing UDP ports 500 and 4500
its also possible that IPSec (protocol 50) is involved, off the top of my head I can't recall if that is also configured in port forwarding and firewall. |
|
|
BranoI hate Vogons MVM join:2002-06-25 Burlington, ON |
Brano
MVM
2012-Dec-14 4:17 pm
What is said above, check you default FW rules, they have IKE,IPSec services included, remove them. |
|
1 edit |
I don't have anything being forwarded, so I'm confused as where to look for those "IKE,IPSec services". Ive included a screen shot of my "Default_Allow_WAN_To_ZyWALL" Service Group rules. Can I provide any other informatin? |
|
kasper501 |
Arghgh....I've been fighting with this all day. I kind of lost it after my ATT MicroCell began getting kicked off the network. Emailed Zyxel for support to see whether they might be able to provide some insight, but at this point I setup my Netgear WND4000 again and everything is fkn working. /arghgh, want to smash! |
|
BranoI hate Vogons MVM join:2002-06-25 Burlington, ON |
Brano
MVM
2012-Dec-14 8:54 pm
Check your PM |
|
bbarrera MVM join:2000-10-23 Sacramento, CA |
to kasper501
NATT is your problem, remove it from the Default_Allow_WAN_To_ZyWALL rule. |
|
|
Thanks, guys!!!!
I'll try tomorrow. |
|
bbarrera MVM join:2000-10-23 Sacramento, CA |
NATT is NAT Traversal and its UDP port 4500, which you can see from the logs is involved with your VPN client getting caught in the firewall. |
|
1 edit |
BBARRERA...Thanks so much. Thank you, everyone, for your assistance!!! Its finally working, I'm no longer getting disconnected from my work vpn client. I've been connected for over an hour now. Its sites like this that make the internet so awesome. I do have one more question....not sure if I should start another post, its related to my AT&T microcell. I dont have cell coverage in my house so I need the microcell to get a cell connection. My MicroCell has been dropping connection too since I setup the new router. I was thinking of using the DMZ port; is this how I should configure the default DMZ rules to allow the following ports to pass through? 123/UDP: NTP timing (NTP traffic) 443/TCP: Https over TLS/SSL for provisioning and management traffic 4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic) 500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used) 4500/UDP: After NAT detection, 4500/UDP is used |
|
bbarrera MVM join:2000-10-23 Sacramento, CA |
If you have only 1 public IP, I can't think of any advantage in setting up DMZ. Just forward those ports to your microcell and then likely have problems with your work laptop VPN. |
|
|
to kasper501
Microcell does not require a DMZ, since you've already taken NATT and IKE out of the default rule that normally forces those inbound to the Zywall, you'll be good.
Microcell needs to make a VPN tunnel to AT&T's datacenter, almost identical to how your machine makes a VPN tunnel to your office. |
|