Hello All,

Something odd is going on here. I had RUT500 for 2 years and my VPN was working with no issues between my EdgeMAX.

I have replaced RUT500 > RUT240 and VPN was OK for a couple of weeks, then it failed. I took tcpdump from EdgeMAX as well as from RUT240 and was not able to see any traffic or attempts to establish the tunnel from the RUT240 (it is set in active mode, EdgeMAX passively waiting for the IKE packets). Weird thing is that the RUT is attempting to establish the VPN using IPv6 (if I am reading the logs correctly):

Sun Oct 28 19:29:47 2018 daemon.info syslog: 13[IKE] sending retransmit 5 of request message ID 0, seq 1

Sun Oct 28 19:31:03 2018 daemon.info syslog: 12[IKE] giving up after 5 retransmits

Sun Oct 28 19:31:03 2018 daemon.info syslog: 12[IKE] peer not responding, trying again (9/0)

Sun Oct 28 19:31:03 2018 daemon.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:31:03 2018 daemon.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:31:03 2018 authpriv.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:31:03 2018 authpriv.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:31:07 2018 daemon.info syslog: 14[IKE] sending retransmit 1 of request message ID 0, seq 1

Sun Oct 28 19:31:14 2018 daemon.info syslog: 15[IKE] sending retransmit 2 of request message ID 0, seq 1

Sun Oct 28 19:31:27 2018 daemon.info syslog: 06[IKE] sending retransmit 3 of request message ID 0, seq 1

Sun Oct 28 19:31:51 2018 daemon.info syslog: 05[IKE] sending retransmit 4 of request message ID 0, seq 1

Sun Oct 28 19:32:33 2018 daemon.info syslog: 08[IKE] sending retransmit 5 of request message ID 0, seq 1

Sun Oct 28 19:33:48 2018 daemon.info syslog: 07[IKE] giving up after 5 retransmits

Sun Oct 28 19:33:48 2018 daemon.info syslog: 07[IKE] peer not responding, trying again (10/0)

Sun Oct 28 19:33:49 2018 daemon.info syslog: 07[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:33:49 2018 daemon.info syslog: 07[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:33:49 2018 authpriv.info syslog: 07[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:33:49 2018 authpriv.info syslog: 07[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:33:53 2018 daemon.info syslog: 09[IKE] sending retransmit 1 of request message ID 0, seq 1

Sun Oct 28 19:34:00 2018 daemon.info syslog: 16[IKE] sending retransmit 2 of request message ID 0, seq 1

Sun Oct 28 19:34:13 2018 daemon.info syslog: 11[IKE] sending retransmit 3 of request message ID 0, seq 1

Sun Oct 28 19:34:37 2018 daemon.info syslog: 10[IKE] sending retransmit 4 of request message ID 0, seq 1

Sun Oct 28 19:35:19 2018 daemon.info syslog: 13[IKE] sending retransmit 5 of request message ID 0, seq 1

Sun Oct 28 19:36:34 2018 daemon.info syslog: 12[IKE] giving up after 5 retransmits

Sun Oct 28 19:36:34 2018 daemon.info syslog: 12[IKE] peer not responding, trying again (11/0)

Sun Oct 28 19:36:37 2018 daemon.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:36:37 2018 daemon.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:36:37 2018 authpriv.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Sun Oct 28 19:36:37 2018 authpriv.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a

Any ideas?

UPDATE: 

RUT240 has Remote VPN endpoint set for DNS name. As soon as I changed it to the IP, VPN came back online with no issue. While pinging the DNS name of the remote peer it resolves to the correct IP. So I am not sure if it is an ISP DNS or device's issue:


Thanks,

Mykhaylo

1 Answer

Hi,

Did you use keep alive in the IPsec configuration on RUT2?:

https://wiki.teltonika.lt/view/VPN#IPsec

Also, use the latest release firmware:

https://wiki.teltonika.lt/view/RUT2xx_Firmware

Hello,

Yes, I do, as well as DPD for P1. In my case, P1 was not even established and I still don't know why RUT was trying to establish VPN over IPv6.

I don't even understand how my DNS peer name was resolved to IPv6. Anyway, I hardcoded DNS on my WAN on RUT site to 1.1.1.1 and 8.8.8.8 and it seems to have resolved the issue. VPN is back and is using DNS name.

EDIT1: latest firmware is installed: RUT2XX_R_00.01.03.5 

EDIT2: OK, finally figured it out. My EdgeMAX after the recent firmware upgrade started responding to IPv6 DNS lookups. Below is the nslookup from another RUT500 with the same VPN peer (EdgeMAX):

Disabling IPv6 on EdgeMAX finally resolved the issue:
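
The peer address in the log, 64:ff9b::522f:833a, lies inside 64:ff9b::/96, the well-known NAT64/DNS64 prefix from RFC 6052, which carries an IPv4 address in its low 32 bits. The following is an added example, not part of the original posts: it scans log lines in the format shown in the question, flags IKE initiations to such addresses and recovers the embedded IPv4. The function names and the last sample line (a documentation-range IPv4 peer) are constructed for illustration.

```python
import ipaddress
import re

# RFC 6052 well-known prefix that DNS64/NAT64 uses for synthesized AAAA records
NAT64_WKP = ipaddress.ip_network("64:ff9b::/96")

# "initiating Main Mode IKE_SA <conn>[n] to <peer>" as it appears in the question's log
INIT_RE = re.compile(r"\[IKE\] initiating (?:\S+ Mode )?IKE_SA (\S+)\[\d+\] to (\S+)")


def classify_peer(addr_text):
    """Return (family, embedded_ipv4_or_None) for a peer address string."""
    addr = ipaddress.ip_address(addr_text)
    if addr.version == 4:
        return "ipv4", None
    if addr in NAT64_WKP:
        # With a /96 prefix the original IPv4 address is the low 32 bits
        return "nat64", str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
    return "ipv6", None


def scan(lines):
    """Collect unique (connection, peer, family, embedded IPv4) rows, in log order."""
    rows = []
    for line in lines:
        m = INIT_RE.search(line)
        if not m:
            continue  # retransmit / give-up lines carry no peer address
        conn, peer = m.groups()
        try:
            family, v4 = classify_peer(peer)
        except ValueError:
            continue  # peer field was not an IP literal
        row = (conn, peer, family, v4)
        if row not in rows:  # the log repeats each line per syslog facility
            rows.append(row)
    return rows


# First three lines are in the format of the question's log; the last is constructed.
SAMPLE = [
    "Sun Oct 28 19:31:03 2018 daemon.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a",
    "Sun Oct 28 19:31:03 2018 authpriv.info syslog: 12[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 64:ff9b::522f:833a",
    "Sun Oct 28 19:31:07 2018 daemon.info syslog: 14[IKE] sending retransmit 1 of request message ID 0, seq 1",
    "Sun Oct 28 19:40:00 2018 daemon.info syslog: 05[IKE] initiating Main Mode IKE_SA EdgeMAX[1] to 192.0.2.10",
]

if __name__ == "__main__":
    for conn, peer, family, v4 in scan(SAMPLE):
        print(conn, peer, family, v4 or "-")
```

A `nat64` row means the name was resolved through a DNS64 resolver, so comparing the embedded IPv4 with the peer's expected address shows whether only the address family changed.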