0 votes
424 views 2 comments
by anonymous

Hello, 

we have problems with our TRB140, of which we have over 100 units in use.

Over time, 3 different firmware versions have come into use. All TRBs set up an IPsec Site2Site VPN to the HQ over LTE and connect to one and the same Palo Alto firewall (PA-820), where they are all subject to the same set of rules.

The following versions are used:

00.01.05

02.06.1

07.01.2

All routers, regardless of fw, have the following settings

Due to the changing IP of the LTE connection, only the TRB can initiate the tunnel setup - so we are using AGGRESSIVE mode.

And now the problems :-)

The data behind the TRB are retrieved from the HQ in a PULL process, which rolls over each location.

If a TRB runs fw 02.06.1 or higher and no data is requested for a certain period, the tunnel is torn down. With a bit of luck, the TRB rebuilds it after the lifetime has expired - as a fallback, all routers restart at 11:00 pm.

We were not able to test the stability under IKEv2 because of the problems described above.

As a workaround, we ping all TRBs every 5 minutes - but this consumes unnecessary traffic, which we absolutely must avoid.

Does anyone have any ideas on how we can troubleshoot further?

1 Answer

0 votes
by anonymous

Hello,

Basically, IKEv2 does not support "Aggressive" mode. You should not use this. If needed, choose IKEv1, which supports "MAIN" and "Aggressive" modes.

You can use DPD for tunnel stability. Dead Peer Detection is a function used during Internet Key Exchange (IKE) to detect a "dead" peer. It is used to reduce traffic by minimizing the number of messages when the opposite peer is unavailable, and as a failover mechanism. You can enable this feature on the IPsec > Advanced settings page.

Best regards.
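As an added illustration of the answer above (not from the post or from Teltonika), the settings a strongSwan-style initiator would carry to get the behaviour described: IKEv1 with aggressive mode because the LTE side has a changing address and is the only initiator, plus Dead Peer Detection so the router detects a torn-down tunnel itself instead of waiting for the lifetime to expire or for a scheduled reboot. It assumes the TRB's IPsec is strongSwan-based and uses ipsec.conf syntax; all addresses, subnets and the identity are placeholders.

```ini
# Added example, not the router's own configuration. Placeholders throughout.
conn hq-site2site
    keyexchange=ikev1
    aggressive=yes             # only the LTE side initiates; it has no fixed IP
    authby=psk
    left=%defaultroute         # dynamic LTE address of the TRB
    leftid=@trb-site-01        # placeholder identity the HQ firewall matches on
    leftsubnet=192.0.2.0/24    # placeholder LAN behind the TRB
    right=203.0.113.10         # placeholder HQ firewall address
    rightsubnet=198.51.100.0/24  # placeholder HQ subnet
    auto=start                 # bring the tunnel up at boot, not only on traffic
    # Dead Peer Detection: probes are sent only while the tunnel is idle,
    # so an idle site costs a few small IKE messages rather than a 5-minute ping.
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart          # re-initiate instead of waiting for the SA lifetime to expire
    # If the peer deletes the SA (for example on an idle timeout), re-initiate right away.
    closeaction=restart
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
```

The DPD interval and timeout are a starting point; the peer must also have DPD enabled for the exchange to be answered.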

by anonymous
Hello and thank you for your answer.

My biggest problem with IKEv2 is that I don't get any data through the tunnel, although it was established - at least that's what the Palo Alto log says. If I switch back to IKEv1 on the TRB and the PA and all other settings remain untouched, the data transfer works.

Do you have an idea for this?

by anonymous
Hello FrankS.

Could you attach a troubleshoot file from each firmware version to your original comment (you can attach files by editing it)? Files are visible only to the engineers.

Regards.