IPSec VPN Dropping

I’ve got a MAX Transit Duo set up to establish an IPSec site-to-site VPN. The VPN establishes just fine, and traffic will pass for hours. Over time (I haven’t observed a specific pattern yet) the IPSec tunnel will stop working. The rest of the device works fine - WiFi is still up, cellular links are up, outbound traffic from behind the device works.

Nothing I do seems to cause it to attempt to re-establish the IPSec tunnel. The “Status” shows “Connecting” with the spinning wheel, but the IPSec Event Log just shows that the tunnel disconnected. It doesn’t show any connection attempts or other activity. Monitoring inbound traffic at the VPN hub shows no traffic coming from the MAX.

If I edit the settings on the MAX and disable the VPN tunnel, apply settings, and then re-enable the VPN tunnel and apply settings, I immediately see the traffic hit the VPN hub and the tunnel comes back up. Until the next time it happens.

I do not believe this is an issue on the VPN hub (other tunnels stay up when this occurs, and no attempts are even seen hitting the hub) or anything relating to the cellular connectivity – since simply disabling/re-enabling the tunnel will cause it to come back up, I do not believe it’s related to the cellular links. They stay established all the time. I have tried two carriers as the primary link in case that was the issue, but it does not appear to make any difference. It seems like the IPSec process on the MAX just needs to be “kicked” to wake up again.

Any ideas?

I think I am seeing the same behavior on a Balance 305 running the 8.0.2 firmware - were you ever able to figure anything out? Ours seems to get in this state after exactly 16 hours.

I “fixed” it by reverting the P1 SA lifetime and P2 SA lifetime values to the Peplink defaults and then configuring the other side to match. They were set identically before, so I don’t know why this made a difference, but the tunnel remained stable for a couple of months after that. Since then I’ve replaced the far end with a Peplink router and it has been rock solid.

I believe there are just some inconsistencies/incompatibilities in the IPSec implementation and it does not appear to play nicely with non-default key lifetime values.

The annoying part was that it would not try to re-establish the tunnel on its own. It required manual intervention every time – which was a problem since this particular setup is used for out-of-band access to remote equipment.

2 Likes

I have random VPN routing issues as well. Example network has a B1-Core and a B210. Routers have addresses 192.168.100.1 and 192.168.101.1 respectively. Devices on 192.168.101.1/24 can hit 192.168.100.1/32, but not further into /24. Same is true vice versa. The correct /24 routes are being advertised across the tunnel. No amount of tinkering with settings would fix it. Only a reboot of the B1-Core would solve it. Remote users using OpenVPN also can’t route traffic when this happens.

Instead of rebooting, can you try to Disable the VPN tunnel, Apply Settings, and then re-enable VPN tunnel, Apply Settings? That worked in lieu of rebooting in my case… just curious if you’re seeing the same issue.

Are you running any non-default values for key lifetimes?