kasper501 (Member, join:2011-08-24)

Another USG 50 newb...Cisco VPN Client getting dropped

I recently purchased a new Zywall USG50 for home, and everything has been working fine until I decided to work from home. My work laptop is using Cisco VPN Client 4.7 to connect to the office, but I keep getting kicked off the VPN every 3-5 minutes. Everything works fine if I put my old router back online, but I'm hoping I don't have to do that.

I even attempted to DISABLE the FIREWALL to see if that would help, but same results. Keep getting kicked off my Cisco VPN. Hoping someone can assist and teach a newb a few new tricks. Thanks much...


26 2012-12-14 14:43:36 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=24] XXX.XXX.XXX.XX:4500 XX.XX.XX.XXX:4500 ipsec
27 2012-12-14 14:43:32 info IKE [COOKIE] Invalid cookie, no sa found [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
28 2012-12-14 14:43:32 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
29 2012-12-14 14:43:32 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=2] 12.230.209.70:4500 XXX.XXX.XXX.XX:4500 ipsec
30 2012-12-14 14:43:24 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=14] XXX.XXX.XXX.XX:4500 XXX.XXX.XXX.XX:4500 ipsec
31 2012-12-14 14:43:17 info IKE [COOKIE] Invalid cookie, no sa found [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
32 2012-12-14 14:43:17 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
33 2012-12-14 14:43:17 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=4] 12.230.209.70:4500 XXX.XXX.XXX.XX:4500 ipsec
34 2012-12-14 14:43:13 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=7] XXX.XXX.XXX.XX:4500 XXX.XXX.XXX.XX:4500 ipsec
35 2012-12-14 14:43:04 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet 12.230.209.70:4500 XXX.XXX.XXX.XX:4500 ipsec
36 2012-12-14 14:43:02 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=17] XXX.XXX.XXX.XX:4500 XXX.XXX.XXX.XX:4500 ipsec
37 2012-12-14 14:43:02 info IKE [COOKIE] Invalid cookie, no sa found [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
38 2012-12-14 14:43:02 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=3] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
39 2012-12-14 14:42:51 info IKE [COOKIE] Invalid cookie, no sa found [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG
40 2012-12-14 14:42:51 info IKE The cookie pair is : 0x33260ab86ecfa742 / 0x66d1205e15beb187 [count=2] XXX.XXX.XXX.XX:500 XXX.XXX.XXX.XX:4500 IKE_LOG

bbarrera (MVM, join:2000-10-23, Sacramento, CA)

Try disabling IPSec VPN on the USG50.
kasper501 (Member, join:2011-08-24)

Disabled and rebooted router. Still getting kicked off my work vpn client.

SuperTechie (Anon, @comcastbusiness.net) to kasper501

Not sure from what is posted, but at first glance it looks like your USG is trying to negotiate the Cisco IPsec VPN instead of your workstation client. You might check to disable or change any VPN configs so that the USG doesn't try to negotiate the VPN.
kasper501 (Member, join:2011-08-24)

I went to Configuration --> VPN and made sure that everything was disabled, but I'm still getting dropped. Here's another log dump after I disabled IPsec VPN in my router configuration.

71.74.XXX.XXX = MY WAN IP
170.218.XXX.XX = WORK VPN Server IP


# Time Priority Category Message Source Source Interface Destination Destination Interface Protocol Note
1 2012-12-14 16:19:19 info IKE [COOKIE] Invalid cookie, no sa found 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
2 2012-12-14 16:19:19 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
3 2012-12-14 16:19:10 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=20] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
4 2012-12-14 16:19:03 info IKE [COOKIE] Invalid cookie, no sa found [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
5 2012-12-14 16:19:03 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
6 2012-12-14 16:18:59 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=9] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
7 2012-12-14 16:18:47 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=14] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
8 2012-12-14 16:18:47 info IKE [COOKIE] Invalid cookie, no sa found [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
9 2012-12-14 16:18:47 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=3] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
10 2012-12-14 16:18:36 notice Firewall priority:3, from WAN to ZyWALL, TCP, service others, DROP [count=3] 183.160.137.42:52699 wan1 71.74.XXX.XXX:8080 tcp ACCESS BLOCK
11 2012-12-14 16:18:36 info IKE [COOKIE] Invalid cookie, no sa found [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
12 2012-12-14 16:18:36 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=10] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
13 2012-12-14 16:18:36 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
14 2012-12-14 16:18:25 info IKE [COOKIE] Invalid cookie, no sa found [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
15 2012-12-14 16:18:25 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d [count=2] 71.74.XXX.XXX:500 170.218.XXX.XX:4500 IKE_LOG
16 2012-12-14 16:18:23 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=14] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
17 2012-12-14 16:18:12 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=8] 170.218.XXX.XX:4500 71.74.XXX.XXX:4500 ipsec
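A defender-side check for exactly the pattern in the two log dumps above, added here as an example; it is not from the thread or from Zyxel. It parses lines in the column layout the USG50 dump uses (index, date, time, priority, category, message, source ip:port, destination ip:port, trailing note; the firewall lines carry extra interface tokens, which the parser tolerates) and flags any peer for which the router both drops inbound UDP 4500 with "No rule found" and answers "Invalid cookie, no sa found" from its own port 500. That combination means the router is handling IKE/NAT-T traffic meant for a client behind it rather than passing it back through NAT. The addresses below are constructed from RFC 5737 documentation ranges, and the column parsing is inferred from the posted lines.

```python
"""Flag peers whose IKE/NAT-T traffic a ZyWALL-style NAT router is answering
itself instead of returning to the NATed client. Example code for this
thread; the line layout is inferred from the posted USG50 log dump."""
import re
from collections import defaultdict

# Constructed sample in the posted layout. 203.0.113.10 stands in for the home
# WAN IP, 198.51.100.5 for the work VPN server (documentation addresses).
SAMPLE_LOG = """\
1 2012-12-14 16:19:19 info IKE [COOKIE] Invalid cookie, no sa found 203.0.113.10:500 198.51.100.5:4500 IKE_LOG
2 2012-12-14 16:19:19 info IKE The cookie pair is : 0xdd71de7d243c4380 / 0x60dee78e7a546c0d 203.0.113.10:500 198.51.100.5:4500 IKE_LOG
3 2012-12-14 16:19:10 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=20] 198.51.100.5:4500 203.0.113.10:4500 ipsec
4 2012-12-14 16:19:03 info IKE [COOKIE] Invalid cookie, no sa found [count=3] 203.0.113.10:500 198.51.100.5:4500 IKE_LOG
6 2012-12-14 16:18:59 error IPSec SPI:0x0 SEQ:0x0 No rule found, Dropping packet [count=9] 198.51.100.5:4500 203.0.113.10:4500 ipsec
10 2012-12-14 16:18:36 notice Firewall priority:3, from WAN to ZyWALL, TCP, service others, DROP [count=3] 192.0.2.77:52699 wan1 203.0.113.10:8080 tcp ACCESS BLOCK
"""

HEAD_RE = re.compile(
    r"^(?P<idx>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<prio>\S+)\s+(?P<cat>\S+)\s+(?P<rest>.*)$"
)
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
COUNT_RE = re.compile(r"\[count=(\d+)\]")


def parse_line(line):
    """Return one event dict, or None for lines that do not fit the layout."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    endpoints = list(ENDPOINT_RE.finditer(rest))
    if len(endpoints) < 2:
        return None
    src, dst = endpoints[0], endpoints[1]
    # The free-text message is everything before the first ip:port token;
    # the log aggregates repeats into a [count=N] suffix, default 1.
    message = rest[: src.start()].strip()
    cm = COUNT_RE.search(message)
    return {
        "index": int(m.group("idx")),
        "timestamp": f"{m.group('date')} {m.group('time')}",
        "priority": m.group("prio"),
        "category": m.group("cat"),
        "message": COUNT_RE.sub("", message).strip(),
        "count": int(cm.group(1)) if cm else 1,
        "src": src.group(1), "sport": int(src.group(2)),
        "dst": dst.group(1), "dport": int(dst.group(2)),
    }


def find_intercepted_peers(lines, wan_ip):
    """Correlate, per remote peer, IKE 'no sa found' replies sent from the
    router's own UDP 500 with inbound UDP 4500 packets the router dropped."""
    stats = defaultdict(lambda: {"ike_no_sa": 0, "ipsec_drops": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["category"] == "IKE" and "no sa found" in ev["message"] and ev["src"] == wan_ip:
            stats[ev["dst"]]["ike_no_sa"] += ev["count"]
        elif (ev["category"] == "IPSec" and "No rule found" in ev["message"]
              and ev["dst"] == wan_ip and ev["dport"] == 4500):
            stats[ev["src"]]["ipsec_drops"] += ev["count"]
    findings = []
    for peer, s in sorted(stats.items()):
        if s["ike_no_sa"] and s["ipsec_drops"]:
            findings.append({
                "peer": peer, **s,
                "verdict": "router is terminating IKE/NAT-T for this peer itself; "
                           "check the WAN-to-device allow rule for IKE/NATT services",
            })
    return findings


if __name__ == "__main__":
    for f in find_intercepted_peers(SAMPLE_LOG.splitlines(), "203.0.113.10"):
        print(f)
```

Run it against an exported log with the WAN address as the second argument; a peer that shows up in the findings is one the router is answering on behalf of an inside host, which is the situation the rest of the thread resolves by editing the default WAN-to-ZyWALL rule.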
Kirby Smith (Member, join:2001-01-26, Derry, NH) to kasper501
Did you reboot after making the changes?

kasper501 (Member, join:2011-08-24)

Yes, I did reboot after each change. Thanks.

bbarrera (MVM, join:2000-10-23, Sacramento, CA)

From the logs it sure looks like your router config has:
- PORT FORWARDING of UDP ports 500 and 4500
- FIREWALL rule allowing UDP ports 500 and 4500

It's also possible that IPSec (protocol 50) is involved; off the top of my head I can't recall if that is also configured in port forwarding and firewall.

Brano (MVM, join:2002-06-25, Burlington, ON)

What is said above: check your default FW rules, they have IKE, IPSec services included; remove them.
kasper501 (Member, join:2011-08-24)

I don't have anything being forwarded, so I'm confused as to where to look for those "IKE,IPSec services".

I've included a screen shot of my "Default_Allow_WAN_To_ZyWALL" Service Group rules. Can I provide any other information?
kasper501 (Member, join:2011-08-24)

Arghgh....I've been fighting with this all day. I kind of lost it after my ATT MicroCell began getting kicked off the network. Emailed Zyxel for support to see whether they might be able to provide some insight, but at this point I setup my Netgear WND4000 again and everything is fkn working. /arghgh, want to smash!

Brano (MVM, join:2002-06-25, Burlington, ON)

Check your PM

bbarrera (MVM, join:2000-10-23, Sacramento, CA) to kasper501
NATT is your problem, remove it from the Default_Allow_WAN_To_ZyWALL rule.
kasper501 (Member, join:2011-08-24)

Thanks, guys!!!!

I'll try tomorrow.

bbarrera (MVM, join:2000-10-23, Sacramento, CA)

NATT is NAT Traversal and it's UDP port 4500, which you can see from the logs is involved with your VPN client getting caught in the firewall.
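To make the explanation concrete, here is a small Python model added for this thread; it is not Zyxel code, and the order of evaluation (the "WAN to device" rule is consulted before the NAT session table) is an assumption chosen because it reproduces the symptom the thread describes. An inbound UDP 4500 reply addressed to the WAN IP is claimed by the router's own IKE/NAT-T listener while the WAN-to-device rule lists NATT, and only reaches the NATed laptop once IKE and NATT are removed from that rule. Addresses and service names are constructed for the example.

```python
"""Toy model of inbound packet dispatch on a NAT router whose "WAN to device"
firewall rule lists IKE and NAT-T as allowed services. Example written for
this thread, not ZyWALL code; rule-before-NAT ordering is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class NatSession:
    """An outbound UDP flow an inside host opened; the router rewrote its
    source to wan_ip:wan_port and expects the peer's replies on that port."""
    inside: str
    inside_port: int
    peer: str
    peer_port: int
    wan_port: int


# Service objects as a firewall would define them (constructed).
SERVICE_PORTS = {"IKE": ("udp", 500), "NATT": ("udp", 4500), "HTTPS": ("tcp", 443)}

# Stand-in for the thread's Default_Allow_WAN_To_ZyWALL group, which the
# posters say ships with IKE and NATT included.
DEFAULT_WAN_TO_DEVICE = frozenset({"IKE", "NATT", "HTTPS"})


def dispatch(pkt, wan_ip, sessions, wan_to_device_services):
    """Decide what happens to one inbound packet arriving on the WAN."""
    if pkt.dst != wan_ip:
        return ("drop", "not addressed to this router")
    # Assumption: a service allowed in the "to device" rule hands the packet
    # to the router's own daemon before the NAT table is consulted.
    for name in sorted(wan_to_device_services):
        proto, port = SERVICE_PORTS[name]
        if proto == pkt.proto and port == pkt.dport:
            return ("local-daemon", name)
    # Otherwise a reply that matches an existing outbound session is
    # translated back to the inside host.
    for s in sessions:
        if (pkt.proto == "udp" and s.peer == pkt.src
                and s.peer_port == pkt.sport and s.wan_port == pkt.dport):
            return ("dnat", f"{s.inside}:{s.inside_port}")
    return ("drop", "no rule found")


def harden(services):
    """Corrected rule: the router terminates no VPN of its own, so it should
    not claim IKE/NAT-T ports for itself."""
    return frozenset(services) - {"IKE", "NATT"}


WAN_IP = "203.0.113.10"                                   # constructed home WAN IP
LAPTOP = NatSession("192.168.1.20", 4500, "198.51.100.5", 4500, 4500)
REPLY = Packet("198.51.100.5", 4500, WAN_IP, 4500)        # VPN server answering


def demo():
    """Before/after outcomes for the server's reply, plus an unsolicited
    UDP 4500 packet from an unrelated host after hardening."""
    before = dispatch(REPLY, WAN_IP, [LAPTOP], DEFAULT_WAN_TO_DEVICE)
    after = dispatch(REPLY, WAN_IP, [LAPTOP], harden(DEFAULT_WAN_TO_DEVICE))
    stray = dispatch(Packet("192.0.2.77", 4500, WAN_IP, 4500),
                     WAN_IP, [LAPTOP], harden(DEFAULT_WAN_TO_DEVICE))
    return before, after, stray


if __name__ == "__main__":
    for label, outcome in zip(("before", "after", "stray"), demo()):
        print(label, outcome)
```

The third case is the part worth keeping in mind after the fix: with IKE and NATT gone from the rule, UDP 4500 packets that match no inside session are dropped at the edge, so the router neither intercepts the laptop's tunnel nor exposes its own IKE listener to the WAN.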
kasper501 (Member, join:2011-08-24)

BBARRERA...Thanks so much. Thank you, everyone, for your assistance!!! It's finally working, I'm no longer getting disconnected from my work VPN client. I've been connected for over an hour now. It's sites like this that make the internet so awesome.

I do have one more question....not sure if I should start another post, it's related to my AT&T MicroCell. I don't have cell coverage in my house so I need the MicroCell to get a cell connection. My MicroCell has been dropping connection too since I set up the new router. I was thinking of using the DMZ port; is this how I should configure the default DMZ rules to allow the following ports to pass through?

123/UDP: NTP timing (NTP traffic)
443/TCP: Https over TLS/SSL for provisioning and management traffic
4500/UDP: IPSec NAT Traversal (for all signaling, data, voice traffic)
500/UDP: IPSec Phase 1 prior to NAT detection (after NAT detection, 4500/UDP is used)
4500/UDP: After NAT detection, 4500/UDP is used


bbarrera (MVM, join:2000-10-23, Sacramento, CA)

If you have only 1 public IP, I can't think of any advantage in setting up DMZ. Just forward those ports to your microcell and then likely have problems with your work laptop VPN.

imanon (Anon, @comcast.net) to kasper501
Microcell does not require a DMZ, since you've already taken NATT and IKE out of the default rule that normally forces those inbound to the Zywall, you'll be good.

Microcell needs to make a VPN tunnel to AT&T's datacenter, almost identical to how your machine makes a VPN tunnel to your office.