topic Re: VPN Client disconnecting every 10 to 15 minutes in SASE and Remote Access

VPN Client disconnecting every 10 to 15 minutes

rajesh_s — Thu, 12 Apr 2018 10:48:36 GMT

Hi All,

We are Running R77.30 and configured Remote access vpn, Client we are using E80.65.

I am able to connect to successful first time but after every 10 to 15 minutes disconnecting client and saying error "VPN tunnel has disconnected and failed to renew the encryption keys.Any idea?.

“[11 Apr 18:07:54] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.”

”11 Apr 18:24:52] IKE connection failed, error code=-1000. Reason: Internal error: Cannot connect to gateway: Transport failed..”

Re: VPN Client disconnecting every 10 to 15 minutes

Dave_Cullen — Sun, 18 Nov 2018 10:02:16 GMT

Sorry to revive an old thread, but did you find a solution? I am also seeing this;

[17 Nov 21:06:33] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.

[17 Nov 21:06:33] Client state is connected

[17 Nov 21:06:33] Tunnel (3) disconnected. State is connected. cancelling connection.

I have already followed: sk116432 to change:

fw ctl set int ipsec_use_p1_src_ip 1

However the users ar still reporting disconnections to this specific gateway. Others are fine....

Did you manage to fix this?

Thanks!

Re: VPN Client disconnecting every 10 to 15 minutes

Oren — Tue, 25 May 2021 19:36:23 GMT

Hi Dave,
Are you still there? 😊

Did you find a solution?
Thanks.

Re: VPN Client disconnecting every 10 to 15 minutes

Timothy_Hall — Wed, 26 May 2021 13:00:47 GMT

Have you looked at sk65331: Endpoint Connect disconnects after a short period of time with an error 'Failed to renew Encryption keys'

Re: VPN Client disconnecting every 10 to 15 minutes

Oren — Wed, 26 May 2021 13:32:41 GMT

Hi Timothy,
Thanks for replying.

The sk65331 does not seem to meet my gateway.
My gateway is E80.30 and it is happening while using Windows (after 1hour) and Mac (after an hour and a half).
It is happening only on one of my clusters only and not on the other cluster.
R80.30 take 200 is the same on both of them.
The message after collecting logs from the client (helpdesk.log) says:
"IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys."

Re: VPN Client disconnecting every 10 to 15 minutes

Timothy_Hall — Wed, 26 May 2021 19:14:18 GMT

It sounds like you are losing the IKE Phase 1 tunnel at some point, and when the IPSec/Phase 2 tunnel expires for the client (default timer for SA Lifetime is 60 minutes) they are getting kicked off because the new Phase 2 SA cannot be negotiated through the dead IKE/P1 tunnel. Any chance that a policy reinstall happened less than 60 minutes prior to them getting disconnected? If so try setting keep_IKE_SAs in the Global Properties.

Beyond that you will need to run a debug on vpnd and catch this failure in the act to figure out what is going on in $FWDIR/log/vpnd.elg (or just engage TAC). See sk89940 - How to debug VPND daemon

Also your R77.30 version is very old and unsupported so TAC may not engage.

Re: VPN Client disconnecting every 10 to 15 minutes

Oren — Thu, 27 May 2021 12:56:51 GMT

Hi Timothy,

Thank you so much for looking into this issue.
finally, the solution was to edit the file $FWDIR/boot/modules/fwkern.conf and add the line:
"natt_probe_do_in_kernel=0"
the solution was provided in another thread: "VPN Client disconnects after one hour"

Again, Thank you very much for taking your time and for the ideas you suggested to me.

Oren.

Re: VPN Client disconnecting every 10 to 15 minutes

Timothy_Hall — Thu, 27 May 2021 13:07:36 GMT

Interesting, thanks for the follow-up and sharing the solution. Looks like that natt_probe_do_in_kernel variable takes the NAT-T probing function away from the vpnd daemon and implements in the kernel/fwk instead.