0 votes
2,896 views 3 comments
by

Hello,

We have a system with many RUT950 and RUT240 modems (>50) that connect to a central VPN router. The modem connections are configured as IPsec dial-up tunnels. They all connect to the server successfully, but the problem is that the RUT950 modems drop the tunnel sporadically, roughly once a day or less often. The firmware in the RUT950 is the latest (06.00.4). Status log:

Wed Mar 27 11:55:24 2019 daemon.info syslog: 12[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Wed Mar 27 11:55:24 2019 daemon.info syslog: 12[NET] sending packet: from 10.156.130.235[500] to xxx.xxx.xxx.xxx[500] (469 bytes)
Wed Mar 27 11:55:24 2019 daemon.info syslog: 14[CFG] received stroke: add connection 'Tunnel_1'
Wed Mar 27 11:55:24 2019 daemon.info syslog: 14[CFG] added child to existing configuration 'Tunnel'
Wed Mar 27 11:55:24 2019 daemon.info syslog: 16[CFG] received stroke: initiate 'Tunnel_1'
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.156.130.235[500] (528 bytes)
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[IKE] received NAT-T (RFC 3947) vendor ID
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[IKE] received DPD vendor ID
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[IKE] received FRAGMENTATION vendor ID
Wed Mar 27 11:55:24 2019 daemon.info syslog: 05[IKE] received FRAGMENTATION vendor ID
Wed Mar 27 11:55:24 2019 user.emerg syslog: uci: Entry not found
Wed Mar 27 11:55:24 2019 user.emerg syslog: uci: Entry not found
Wed Mar 27 11:55:24 2019 user.emerg syslog: sh: 3: unknown operand
Wed Mar 27 11:55:24 2019 user.emerg syslog: sh: 2: unknown operand
Wed Mar 27 11:55:24 2019 user.emerg syslog: sh: 1: unknown operand
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[IKE] local host is behind NAT, sending keep alives
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[IKE] IKE_SA Tunnel[1] established between 10.156.130.235[yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Wed Mar 27 11:55:25 2019 authpriv.info syslog: 05[IKE] IKE_SA Tunnel[1] established between 10.156.130.235[yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[IKE] scheduling reauthentication in 86050s
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[IKE] maximum IKE_SA lifetime 86230s
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[NET] sending packet: from 10.156.130.235[4500] to xxx.xxx.xxx.xxx[4500] (140 bytes)
Wed Mar 27 11:55:25 2019 user.info Messaged[4368]: Start from new event "Output" "Digital relay output off"
Wed Mar 27 11:55:25 2019 user.info Messaged[4377]: Start from new event "Output" "Digital OC output off"
Wed Mar 27 11:55:26 2019 cron.info crond[4409]: crond (busybox 1.28.3) started, log level 5
Wed Mar 27 11:55:26 2019 daemon.info syslog: 05[ENC] generating QUICK_MODE request 1938633588 [ HASH SA No KE ID ID ]
Wed Mar 27 11:55:26 2019 daemon.info syslog: 05[NET] sending packet: from 10.156.130.235[4500] to xxx.xxx.xxx.xxx[4500] (396 bytes)
Wed Mar 27 11:55:26 2019 daemon.info syslog: 08[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.156.130.235[4500] (380 bytes)
Wed Mar 27 11:55:26 2019 daemon.info syslog: 08[ENC] parsed QUICK_MODE response 1938633588 [ HASH SA No KE ID ID ]
Wed Mar 27 11:55:27 2019 daemon.info syslog: 08[KNL] received netlink error: Network is unreachable (128)
Wed Mar 27 11:55:27 2019 daemon.info syslog: 08[KNL] unable to install source route for zzz.zzz.zzz.zzz

I read about a similar problem in this forum. Is this problem caused by the firmware, or is it a configuration problem?
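As an added example (not from the original post or from Teltonika), here is a small Python triage script for charon log lines in the format posted above. It picks out the IKE_SA establishment, the scheduled reauthentication interval and the kernel (KNL) failures, so a once-a-day drop can be correlated with the reauth timer and with the `Network is unreachable` error; the sample lines are constructed copies of the posted log, with the addresses masked as in the post.

```python
import re
# Layout of the posted lines: "<weekday> <mon> <day> <HH:MM:SS> <year> <facility.level> syslog: <thread>[<SUBSYS>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<fac>[\w.]+) "
                     r"syslog: (?P<thread>\d+)\[(?P<sub>[A-Z-]+)\] (?P<msg>.*)$")
# Messages worth correlating when a tunnel drops on a roughly daily cycle.
PATTERNS = {
    "established": re.compile(r"IKE_SA (?P<name>\S+) established"),
    "reauth_s": re.compile(r"scheduling reauthentication in (?P<secs>\d+)s"),
    "netlink": re.compile(r"received netlink error: (?P<err>.+?) \((?P<code>\d+)\)"),
    "route": re.compile(r"unable to install source route for (?P<dst>\S+)"),
}

def parse_line(line):
    """Return the fields of a charon syslog line, or None for uci/sh/cron noise."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines):
    """Summarise IKE/kernel events from a log excerpt and derive findings."""
    s = {"established": [], "reauth_s": None, "netlink": [], "route": [], "findings": []}
    for rec in filter(None, map(parse_line, lines)):  # skip non-charon lines
        for key, pat in PATTERNS.items():
            m = pat.search(rec["msg"])
            if not m:
                continue
            if key == "established" and m["name"] not in s["established"]:
                s["established"].append(m["name"])
            elif key == "reauth_s":
                s["reauth_s"] = int(m["secs"])
            elif key == "netlink":
                s["netlink"].append((rec["ts"], m["err"], int(m["code"])))
            elif key == "route":
                s["route"].append((rec["ts"], m["dst"]))
            break
    if s["route"]:
        s["findings"].append("CHILD_SA negotiated but kernel route install failed: check the WAN/default route at that moment")
    if s["reauth_s"] and s["reauth_s"] >= 80000:  # ~24h: matches a once-a-day drop pattern
        s["findings"].append("IKE_SA reauth scheduled about once per day: compare the phase 1 lifetime with the peer")
    return s

# Constructed sample: a subset of the lines from the post, addresses masked as posted.
SAMPLE = """\
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[IKE] IKE_SA Tunnel[1] established between 10.156.130.235[yyy]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
Wed Mar 27 11:55:25 2019 daemon.info syslog: 05[IKE] scheduling reauthentication in 86050s
Wed Mar 27 11:55:24 2019 user.emerg syslog: uci: Entry not found
Wed Mar 27 11:55:27 2019 daemon.info syslog: 08[KNL] received netlink error: Network is unreachable (128)
Wed Mar 27 11:55:27 2019 daemon.info syslog: 08[KNL] unable to install source route for zzz.zzz.zzz.zzz
""".splitlines()
```

Feeding the full `logread` output of a RUT into `analyse()` gives the same summary; a route failure right after the QUICK_MODE response, as in the posted log, points at the WAN route rather than at the IKE negotiation itself.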

3 Answers

0 votes
by anonymous

Hi,

- We have a system where are many RUT950 and RUT240 modems (>50)

Would it be possible to get the RUT950 and RUT240 IPsec settings?

- connect to a central vpn router

What is it? A Cisco router?

- They all connect to server successfully, but problem is that RUT950 modems drop the tunnel sporadically, for once a day or over a day. The firmware in RUT950 is latest (06.00.4).

When did this issue appear? When you upgraded to the latest release, did you keep the old settings?

by anonymous
Try this:

1. Check DPD on your Fortigate. Set the same in RUT950.

2. Check the LAN settings; perhaps you have two identical routers (with the same IPsec settings).

3. "The problem started after the modems with the other equipment were installed": try to disable them temporarily and check if the issue persists.

If the issue persists:

Send us the output of this SSH command (from RUT2 and RUT9): cat /etc/config/strongswan

Try restoring one router to default settings and reconfiguring it again. Perhaps something went wrong when the firmware was upgraded.
0 votes
by anonymous

Dear All,

I would like to join if it is not a problem for you. I found the word 'Fortigate' in a search... :)

We have a Fortinet Fortigate 201E and we would like to connect ~30 RUT955 via IPsec VPN.

The first try was successful with one RUT955, but after ~1 minute the pings started timing out. The VPN connection is up according to the Forti, but even while the pings are OK the Forti also reports Phase2 negotiation errors. While the pings are OK there is no gap or missing response (RUT955 on 4G on my desk). After ~1 minute, no pings at all. When we bring the VPN down and up again on the Forti, the pings are OK for another ~1 minute...
What can be the problem?

Forti error message:

date=2019-04-05 time=11:01:24 devname=xxx devid=FGxxxx logid="0101037130" type="event" subtype="vpn" level="error" vd="root" eventtime=1554454883 logdesc="Progress IPsec phase 2" msg="progress IPsec phase 2" action="negotiate" remip=xxxxx locip=xxxxx remport=500 locport=500 outintf="wan1" cookies="3eba90cc15b36328/8af5b7a69d38366c" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" assignip=N/A vpntunnel="teltonika" status="failure" init="remote" mode="quick" dir="inbound" stage=1 role="responder" result="ERROR"


by
Hello,

Check the IPsec settings on both devices; they must be exactly the same. Different phase 1/2 timing parameters will cause tunnel instability. Enable DPD and keepalive on both the FG and the RUT. Verify that you can ping the FG from the RUT side. Take a look at the RUT system log; there might be some helpful information there.

Best regards.
by anonymous
Hi,

The settings were the same; we altered the AES and it seems to be more stable...

On the other hand, we would like to check the logs but we cannot access the CLI. We have admin rights for the WebUI, but is there any factory-set account for the CLI? With which password? :)
0 votes
by anonymous
Now we are in CLI. :)

How can we debug IPsec, or where can we find the detailed logs about the IPsec VPN? The connection is still unstable, especially after a reboot; the previous settings are not working.

Sometimes the connection is OK for half a day, sometimes only for a minute or a few pings and that is all. The firmware is the latest for the RUT955 (2019.04.05).