IPSEC behind Peplink fails to recover after circuit failure and failback


#1

Running 5.4.9. I have this issue with 310 hw1,hw2,hw3, 380s and 580s. I can not use speedfusion as there is only one Peplink in play. Have seen this issue at several customers.

Drop In Mode with Cisco, Fortinet, Sonicwall or Watchguard behind the Peplink. IPSEC tunnel created on Firewall to some remote location. So IPSEC must pass through the Peplink. This works. Tunnel comes up. Traffic flows both ways. Everything is great until the Drop In Mode circuit fails and traffic starts to flow on the backup circuit. Yes I know the tunnel will be down at this point in time because it is IPSEC. However when the Drop In Mode circuit fails back everything should come back up.

The problem is the Drop In Mode IPSEC will not come back up after a failover/failback occurs.

I have worked with support on this several times and get conflicting information and no working solution. Here is what we have tried without success.

Enable IPSEC NAT-T pass though point to the drop in mode circuit. did not help.

Disable IPSEC NAT-T pass through and create outbound policies: did not help.
IP:50 enforce to drop in mode circuit
UDP:500 enforce to drop in mode circuit
UDP:4500 enforce to drop in mode circuit

Disable IPSEC NAT-T pass through and create outbound policies: did not help.
ANY traffic to remote firewall enforce to drop in mode circuit

Current solution: Reboot Peplink works every time.

Anyone else having IPSEC go down when a failover/failback occurs and never having the tunnel recover?

Troy


#2

Can you create the support ticket here with Diagnostic Report with firmware 5.4.9.

You mentioned that the Drop-in circuit fails. It is about WAN health check detected the WAN failed or physical unplug the cable?


#3

WAN health check fails on the Drop in circuit. Then when the WAN health check recovers the Drop in circuit comes up but the IPSEC tunnel on the firewall will not recover.

I forgot to mention one important point. The problem is that we enforce the IPSEC to drop-in mode circuit. If that worked we would be good. But even with all the enforced rules during and after a failover we will find IPSEC traffic on the backup circuit.

To bring back the tunnel we can reboot the peplink or put in a firewall rule to block outbound UDP 4500, UDP 500, IP 50. Leave that in place for a few minutes so the current outbound session on the backup circuit expires. Then remove the firewall rules and the IPSEC traffic will go out the Drop in mode circuit and the IPSEC firewall tunnel will connect.

So the problem is “Why does IPSEC traffic go to the backup when it is enforced multiple ways to stay on the Drop in mode circuit.”

Next time I see the issue I will collect a diagnostics report and open a ticket.

Troy


#4

Hi Troy

I got the same issue like yours.
What I did: Enforced all remote Peer IP addresses onto the primary link.

It’s the nature of IPsec traffic, it cannot be link balance. When the traffic returns from the backup link, could be due to the Peplink mapping, the local firewall sees it as another IP address.

Hope this helps.

Rgds
Anton