 apsinkus
join:2002-06-25 Chicago, IL
| BEFSX41 beta firmware and VPN constant crashing
I tried to use the latest beta of the BEFSX41 firmware (version 1.44.11_0416), and when I had a 1024-bit group with MD5 authentication (encryption or no encryption made no difference) it forced constant reboots and crashes of the BEFSX41. I have PPPoE on the BEFSX41 side and a BEFVP41 (1.41.0) on the other side of the VPN on regular SDSL. I know it was the VPN's fault, because the logs were showing a crash of the VPN before anything else and my pings to the VPN would go down first before the unit would. Only after I downgraded the firmware to the official one did all those problems go away. |
|
  Flogator Premium,MVM join:2003-01-19 Cantley, QC | Re: BEFSX41 beta firmware and VPN constant crashin
Interesting, because I have never seen this problem and I have a sporadic VPN that I bring up every now and then without any problems. I am using 1024-bit with MD5 authentication (with 3DES encryption) on both ends and it is working like a charm. |
|
  Brano I hate Vogons Premium,MVM join:2002-06-25 Burlington, ON | reply to apsinkus Re: BEFSX41 beta firmware and VPN constant crashing
I've just set up a tunnel between two BEFSX41s and I have to concur that with 1024 3DES it's crashing quite often. The tunnel was up only for one night, so I'll give it more thorough testing and report. |
|
 apsinkus
join:2002-06-25 Chicago, IL | Re: BEFSX41 beta firmware and VPN constant crashin
Not only with compression, but also without; something there is screwy. I have a feeling they tried to fix that previous bug with some UDP-related problem they had in VPNs, and it worked in the BEFVP41, but it did not in the BEFSX41. |
|
  Soujiro Seta Hiten Mitsurugi Ryuu
join:2003-05-29 Santa Monica, CA | reply to apsinkus Re: BEFSX41 beta firmware and VPN constant crashing
I've heard that Linksys has a beta for the SX41, which is 1.44.13. Have you tried using it? |
|
  Brano I hate Vogons Premium,MVM join:2002-06-25 Burlington, ON
| said by Soujiro Seta: I've heard that Linksys has a beta for the SX41, which is 1.44.13. Have you tried using it?
Yes. That one has a broken loopback, which I need. |
|
  Flogator Premium,MVM join:2003-01-19 Cantley, QC
| reply to Soujiro Seta In 1.44.13, VPN is even worse since NetBIOS broadcast does not work. Basically, Linksys cheated and filled the UDP checksum of the NetBIOS packets with all ones instead of properly computing it. The end result is that Windows is dropping these packets (I tried Windows 98SE, 2000 and XP). I have no idea why they managed to break this, since it was working properly in 1.44.11t and before.
By the way, I ran throughput tests while my VPN was up between my two BEFSX41 (one on cable and one on xDSL). Did not experience any crashes. My VPN settings are:
- Remote Security Gateway on cable router: FQDN
- Remote Security Gateway on xDSL router: Any
- Encryption: 3DES
- Authentication: MD5
- Key Management: Auto IKE with PFS
- Key Lifetime 3600 seconds
- Advanced Operation Mode: Main mode
- Advanced Phase 1 Proposal: 3DES/SHA/1024bit/3600sec
- Advanced Phase 2 Proposal: 3DES/MD5/1024bit/3600sec
- Advanced Other Options: NetBIOS/Anti-Replay/Keep-Alive
Mind you, I usually keep the tunnel only for an hour or two then tear it down. I will keep it up longer this time and report my findings tomorrow. |
|
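The all-ones UDP checksum described in the post above can be checked against the value RFC 768 requires. This is an added example, not part of the original thread and not Linksys code; the addresses, the port 138 datagram, the payload and all function names are constructed for illustration.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP/UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data for summing
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum a sender should place in the UDP header (RFC 768, IPv4)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 17, len(segment)))
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]   # field counted as zero
    csum = ~ones_complement_sum(pseudo + zeroed) & 0xFFFF
    return csum or 0xFFFF                    # a computed 0 is sent as 0xFFFF

def classify(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """Label the checksum field the way a verifying receiver would see it."""
    (field,) = struct.unpack("!H", segment[6:8])
    if field == 0:
        return "no-checksum"                 # sender opted out (legal over IPv4)
    if field == udp_checksum(src_ip, dst_ip, segment):
        return "valid"
    return "bogus-all-ones" if field == 0xFFFF else "invalid"

def build_udp(src_ip, dst_ip, sport, dport, payload, checksum=None):
    """Build a UDP segment; pass checksum= to force a specific field value."""
    seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip, seg)
    return seg[:6] + struct.pack("!H", checksum) + seg[8:]

# Constructed sample: a NetBIOS-style datagram (UDP 138) sent across a tunnel.
SRC, DST = "192.168.1.10", "192.168.2.255"
GOOD = build_udp(SRC, DST, 138, 138, b"NBDGRAM!")
BAD = build_udp(SRC, DST, 138, 138, b"NBDGRAM!", checksum=0xFFFF)

if __name__ == "__main__":
    for name, seg in (("computed", GOOD), ("all-ones", BAD)):
        (field,) = struct.unpack("!H", seg[6:8])
        print(f"{name:9} field=0x{field:04x} -> {classify(SRC, DST, seg)}")
```

A field of 0xFFFF is only correct when the computed checksum comes out as zero, so a receiver that verifies checksums discards almost every packet stamped this way, while a field of 0x0000 would have been accepted as "no checksum".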
  Flogator Premium,MVM join:2003-01-19 Cantley, QC
| Just to give you an update, after precisely one hour, the VPN tunnel got re-negotiated. This is because of the miscellaneous lifetime I used (3600 sec = 1 hour). I have changed all lifetimes to 86400 (1 day) for the purpose of this test.
If what you guys are seeing is these re-negotiations, I don't consider this a crash. What I consider a crash is when the logs report "System is warm start" for no apparent reason. I am definitely not seeing these at the moment.
However, I discovered a small glitch. When I changed the key lifetime on the xDSL router (which is the remote end-point for me), the VPN failed to recover after applying the new settings. This is because my cable router (the local one in my case) is using FQDN for the remote end-point, whose IP address got changed on restart. The glitch is that the BEFSX41 will not re-resolve the FQDN after the tunnel goes down. That could explain lots of problems other users might have experienced. In that case, I have to hit the apply button on the router using FQDN.
I will post more on these topics tomorrow. |
|
  Flogator Premium,MVM join:2003-01-19 Cantley, QC
| reply to apsinkus OK, I had my VPN set up between my two routers for the whole day. Got no restart, no re-negotiation, no problem, and had light traffic going through all day. All with the configuration from my previous post.
Can anyone provide more information as to what the problem really is and how does it manifest itself? |
|