VPN Session timeout

Anton_Kazantsev — Wed, 14 Nov 2018 18:32:34 GMT

Hello CM!

I have strange behavior which happens unexpectedly. Some users connect to R80.10 Gateway with LoadSharing Multicast with VPN client with re-authnticate options setting on 24h but disconnected after 2 minutes with reason "session timeout".

Can anyone give a tip, where find 120 sec timeout setting or mb something else?

Re: VPN Session timeout

Anton_Kazantsev — Thu, 15 Nov 2018 06:19:17 GMT

I saw this SK, but I think it a little different

Antispoof is set to detect only

I increased Maximum concurrent IKE neg, but it does not work

There is no such problem when ClusterXL was in HA mode

Re: VPN Session timeout

Anton_Kazantsev — Thu, 15 Nov 2018 08:17:48 GMT

I found these lines in trac.log on client:

...

[ 97 771][15 Nov 12:47:26][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:26][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18005.
[ 97 771][15 Nov 12:47:26][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x

...

[ 97 771][15 Nov 12:47:26][tunnel] [INFO] [IkeTunnel::ReceivedEsp] (0x0x6579d20): Received Esp Packet from gw 10.x.x.x .Must be tunnel test packet
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: started
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: Received tunnel test reply
[ 97 771][15 Nov 12:47:26][tunnel] [INFO] [IkeTunnel::ReceivedEsp] (0x0x6579d20): Tunnel state is connected

...

[ 97 771][15 Nov 12:47:28][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] receive reply from the gw. Descheduling TunnelTestTimeout and scheduling CheckDGDTimeStamp again

...

[ 97 771][15 Nov 12:47:28][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout is not reached yet. Scheduling next DGD query in 17977 ms.

...

[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::CheckDGDTimeStamp(s)] __start__
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] tunnel 0x0x6579d20
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::CheckDGDTimeStamp: current timestamp = I64d and DGD timestamp = I64d
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout reached. Scheduling tunnel test every 2000 ms until 20000.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::CheckDGDTimeStamp(s)] __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::SendTunnelTestPkt(s)] __start__
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::SendTunnelTestPkt(s)] tunnel 0x0x6579d20
[ 97 771][15 Nov 12:47:46][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18006.
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __start__
[ 97 771][15 Nov 12:47:46][tunnel] IPsecTunnel::SendPacket: sending esp packet

...

[ 97 771][15 Nov 12:47:48][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18007.
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:48][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __start__
[ 97 771][15 Nov 12:47:48][tunnel] IPsecTunnel::SendPacket: sending esp packet

...

x10 times

...

[ 97 771][15 Nov 12:48:04][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:48:04][tunnel] [COVERAGE] [IkeTunnel::SendTunnelTestPkt(s)] __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout: stop sending tunnel tests packets. deschedule SendTunnelTestPkt
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout:Tunnel is disconnected !!!!

Re: VPN Session timeout

Anton_Kazantsev — Thu, 15 Nov 2018 11:35:14 GMT

ok, all day I tried to fix this issue and and that's what I discovered:

when I switched off Implied rules "Accept Control Connections" and write my own rule for tunnel_test port everything works fine. But when I turn everything back - "sessions timeouts" returned

Re: VPN Session timeout

Anton_Kazantsev — Thu, 15 Nov 2018 12:02:19 GMT

commented /* #define ENABLE_TUNNEL_TEST */ in implied_rules.def and added explicit rule in policy

We'll see what it makes

Re: VPN Session timeout

Anton_Kazantsev — Thu, 15 Nov 2018 18:21:15 GMT

Nah, does not work(

Re: VPN Session timeout

PhoneBoy — Thu, 15 Nov 2018 19:04:29 GMT

I recommed getting the TAC involved

topic Re: VPN Session timeout in SASE and Remote Access

VPN Session timeout

Re: VPN Session timeout

Re: VPN Session timeout

Re: VPN Session timeout

Re: VPN Session timeout

Re: VPN Session timeout

Re: VPN Session timeout

Re: VPN Session timeout