
VPN Session timeout

Hello CM!

I have strange behavior which happens unexpectedly. Some users connect to an R80.10 Gateway with LoadSharing Multicast using the VPN client with the re-authenticate option set to 24h, but are disconnected after 2 minutes with reason "session timeout".

Can anyone give a tip on where to find the 120 sec timeout setting, or maybe something else?

7 Replies
Admin

Re: VPN Session timeout

0 Kudos

Re: VPN Session timeout

I saw this SK, but I think it is a little different

Antispoof is set to detect only

I increased Maximum concurrent IKE neg, but it does not work

There is no such problem when ClusterXL was in HA mode

0 Kudos

Re: VPN Session timeout

I found these lines in trac.log on client:

...

[ 97 771][15 Nov 12:47:26][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:26][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18005.
[ 97 771][15 Nov 12:47:26][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x

...

[ 97 771][15 Nov 12:47:26][tunnel] [INFO] [IkeTunnel::ReceivedEsp] (0x0x6579d20): Received Esp Packet from gw 10.x.x.x .Must be tunnel test packet
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: started
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: Received tunnel test reply
[ 97 771][15 Nov 12:47:26][tunnel] [INFO] [IkeTunnel::ReceivedEsp] (0x0x6579d20): Tunnel state is connected

...

[ 97 771][15 Nov 12:47:28][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] receive reply from the gw. Descheduling TunnelTestTimeout and scheduling CheckDGDTimeStamp again

...

[ 97 771][15 Nov 12:47:28][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout is not reached yet. Scheduling next DGD query in 17977 ms.

...

[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::CheckDGDTimeStamp(s)] __start__
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] tunnel 0x0x6579d20
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::CheckDGDTimeStamp: current timestamp = I64d and DGD timestamp = I64d
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout reached. Scheduling tunnel test every 2000 ms until 20000.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::CheckDGDTimeStamp(s)] __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::SendTunnelTestPkt(s)] __start__
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::SendTunnelTestPkt(s)] tunnel 0x0x6579d20
[ 97 771][15 Nov 12:47:46][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18006.
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:46][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __start__
[ 97 771][15 Nov 12:47:46][tunnel] IPsecTunnel::SendPacket: sending esp packet

...

[ 97 771][15 Nov 12:47:48][tunnel] [WARNING] [IkeTunnel::SendTunnelTestPkt(s)] no reply from the gw. Sending tunnel test pakcet
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: using sport 18007.
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:48][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __start__
[ 97 771][15 Nov 12:47:48][tunnel] IPsecTunnel::SendPacket: sending esp packet

...

x10 times

...

[ 97 771][15 Nov 12:48:04][tunnel] [COVERAGE] [IkeTunnel::SendPacket] (0x0x6579d20): __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:48:04][tunnel] [COVERAGE] [IkeTunnel::SendTunnelTestPkt(s)] __end__ Total:0 milliseconds.
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout: stop sending tunnel tests packets. deschedule SendTunnelTestPkt
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout:Tunnel is disconnected !!!!

0 Kudos
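The probe sequence in the trac.log excerpt above can be summarised mechanically. This is an added example, not part of the thread and not Check Point tooling; the function names and the placeholder year are assumptions, and the message substrings are copied from the excerpt.

```python
import re
from datetime import datetime

# Layout seen in the excerpt: [pid tid][day Mon HH:MM:SS][topic] message
LINE = re.compile(r"^\[\s*\d+\s+\d+\]\[(\d{1,2} \w{3} \d\d:\d\d:\d\d)\]\[tunnel\]\s*(.*)$")
MARKERS = {  # message substrings copied from the excerpt
    "dgd_timeout": "timeout reached. Scheduling tunnel test",
    "probe": "sending tunnel test packet from",
    "reply": "Received tunnel test reply",
    "dropped": "Tunnel is disconnected",
}

def parse(line):
    """Return (timestamp, kind) for a [tunnel] line carrying a marker, else None."""
    m = LINE.match(line.strip())
    if m:
        # The log carries no year; 2000 is a placeholder so only differences matter.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %d %b %H:%M:%S")
        for kind, marker in MARKERS.items():
            if marker in m.group(2):
                return ts, kind

def episodes(lines):
    """Group events into probe bursts: DGD timeout -> probes -> reply or disconnect."""
    out, cur = [], None
    for ts, kind in filter(None, map(parse, lines)):
        if kind == "dgd_timeout":
            cur = {"start": ts, "probes": 0, "outcome": "open", "seconds": None}
            out.append(cur)
        elif cur is None:
            continue  # event outside a burst, e.g. a routine test that was answered
        elif kind == "probe":
            cur["probes"] += 1
        else:  # a reply or a disconnect closes the burst
            cur["outcome"] = "recovered" if kind == "reply" else "disconnected"
            cur["seconds"] = (ts - cur["start"]).total_seconds()
            cur = None
    return out

# Sample: five lines abridged from the trac.log excerpt above
SAMPLE = """\
[ 97 771][15 Nov 12:47:26][tunnel] IPsecTunnel::ReceiveTunnelTestPkt: Received tunnel test reply
[ 97 771][15 Nov 12:47:46][tunnel] [INFO] [IkeTunnel::CheckDGDTimeStamp(s)] timeout reached. Scheduling tunnel test every 2000 ms until 20000.
[ 97 771][15 Nov 12:47:46][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:47:48][tunnel] IkeTunnel::SendTunnelTestPktImpl: sending tunnel test packet from 172.30.100.102 to 10.x.x.x.
[ 97 771][15 Nov 12:48:06][tunnel] IkeTunnel::TunnelTestTimeout:Tunnel is disconnected !!!!
""".splitlines()

if __name__ == "__main__":
    print(episodes(SAMPLE))
```

Run over a full trac.log, each "disconnected" burst gives a start time that can be lined up with gateway-side logs for the same seconds.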

Re: VPN Session timeout

OK, all day I tried to fix this issue and this is what I discovered:

When I switched off the implied rule "Accept Control Connections" and wrote my own rule for the tunnel_test port, everything worked fine. But when I turned everything back, the "session timeouts" returned.

0 Kudos

Re: VPN Session timeout

Commented out /* #define ENABLE_TUNNEL_TEST */ in implied_rules.def and added an explicit rule in the policy

We'll see what it makes

0 Kudos

Re: VPN Session timeout

Nah, does not work(

0 Kudos
Admin

Re: VPN Session timeout

I recommend getting the TAC involved

0 Kudos