rajesh_s
Contributor

VPN Client disconnecting every 10 to 15 minutes

Hi All,

We are running R77.30 and have configured Remote Access VPN; the client we are using is E80.65.

I am able to connect successfully the first time, but every 10 to 15 minutes the client disconnects with the error "VPN tunnel has disconnected and failed to renew the encryption keys." Any idea?

"[11 Apr 18:07:54] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys."

"[11 Apr 18:24:52] IKE connection failed, error code=-1000. Reason: Internal error: Cannot connect to gateway: Transport failed.."

7 Replies
Dave_Cullen
Explorer

Sorry to revive an old thread, but did you find a solution? I am also seeing this:

[17 Nov 21:06:33] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.

[17 Nov 21:06:33] Client state is connected

[17 Nov 21:06:33] Tunnel (3) disconnected. State is connected.  cancelling connection.

I have already followed: sk116432 to change:

  • fw ctl set int ipsec_use_p1_src_ip 1

However, the users are still reporting disconnections to this specific gateway. Others are fine....

Did you manage to fix this?

Thanks!

Oren
Participant

Hi Dave,
Are you still there? 😊

Did you find a solution?
Thanks.

Timothy_Hall
Legend

Have you looked at sk65331: Endpoint Connect disconnects after a short period of time with an error 'Failed to renew En...

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Oren
Participant

Hi Timothy,
Thanks for replying.

sk65331 does not seem to match my gateway.
My gateway is E80.30, and it is happening while using Windows (after 1 hour) and Mac (after an hour and a half).
It is happening only on one of my clusters and not on the other cluster.
R80.30 take 200 is the same on both of them.
The message after collecting logs from the client (helpdesk.log) says:
"IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys."

Timothy_Hall
Legend

It sounds like you are losing the IKE Phase 1 tunnel at some point, and when the IPSec/Phase 2 tunnel expires for the client (the default SA Lifetime timer is 60 minutes) they are getting kicked off because the new Phase 2 SA cannot be negotiated through the dead IKE/P1 tunnel. Any chance that a policy reinstall happened less than 60 minutes prior to them getting disconnected? If so, try setting keep_IKE_SAs in the Global Properties.

Beyond that, you will need to run a debug on vpnd and catch this failure in the act to figure out what is going on in $FWDIR/log/vpnd.elg (or just engage TAC). See sk89940 - How to debug VPND daemon.

Also your R77.30 version is very old and unsupported so TAC may not engage.

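As an added illustration of the reasoning in the reply above (example code, not from the thread or from Check Point): the script parses client helpdesk.log lines in the "[DD Mon HH:MM:SS] message" format quoted in this thread, measures how long each tunnel was up before a "Failed to renew Encryption keys" disconnect, and flags the ones that land at the default 60-minute SA lifetime, which is what a Phase 2 rekey failing over a dead Phase 1 tunnel looks like, as opposed to the original poster's 10-15 minute drops. The log excerpt, the assumed year and the 3-minute tolerance are constructed assumptions.

```python
import re
from datetime import datetime
SA_LIFETIME_MIN = 60.0   # default IPsec SA lifetime cited in the thread
TOLERANCE_MIN = 3.0      # assumed window around the lifetime that still counts as "at expiry"
LINE_RE = re.compile(r"^\[(\d{1,2} [A-Za-z]{3}) (\d{2}:\d{2}:\d{2})\] (.*)$")
# Constructed helpdesk.log excerpt in the "[DD Mon HH:MM:SS] message" format quoted in this thread
SAMPLE_LOG = """\
[11 Apr 17:53:40] Client state is connected
[11 Apr 18:07:54] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.
[17 Nov 20:06:20] Client state is connected
[17 Nov 21:06:33] IKE tunnel disconnected, error code=-1000. Reason: Failed to renew Encryption keys.
[17 Nov 21:06:33] Client state is connected
[17 Nov 21:06:33] Tunnel (3) disconnected. State is connected.  cancelling connection.
[17 Nov 21:20:02] IKE connection failed, error code=-1000. Reason: Internal error: Cannot connect to gateway: Transport failed..
"""

def parse_line(line, year=2023):
    # The client log omits the year, so one is assumed; returns (timestamp, message) or None
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(f"{m.group(1)} {year} {m.group(2)}", "%d %b %Y %H:%M:%S"), m.group(3)

def classify(msg, minutes_up):
    # Label a disconnect message; None means the line is not a disconnect
    if "Failed to renew Encryption keys" in msg:
        if minutes_up is not None and abs(minutes_up - SA_LIFETIME_MIN) <= TOLERANCE_MIN:
            return "rekey_failed_at_sa_lifetime"  # rekey died right at expiry: suspect a dead Phase 1 tunnel
        return "rekey_failed_early"               # long before expiry: suspect path or NAT-T trouble instead
    if "Transport failed" in msg:
        return "transport_failure"
    return None

def analyze(lines, year=2023):
    # Return (timestamp, minutes since connect, kind) for every disconnect in the log
    connected_at, findings = None, []
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        if msg.startswith("Client state is connected"):
            connected_at = connected_at or ts     # first connect after a disconnect starts the clock
            continue
        minutes_up = (ts - connected_at).total_seconds() / 60 if connected_at else None
        kind = classify(msg, minutes_up)
        if kind:
            findings.append((ts, minutes_up, kind))
            connected_at = None                   # tunnel is gone; wait for the next connect
    return findings
```

Running `analyze(SAMPLE_LOG.splitlines())` separates the 14-minute drop from the one that fell at 60 minutes, which is the case where keep_IKE_SAs or a vpnd debug is worth trying first.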
Oren
Participant

Hi Timothy,

Thank you so much for looking into this issue.
Finally, the solution was to edit the file $FWDIR/boot/modules/fwkern.conf and add the line:
"natt_probe_do_in_kernel=0"
The solution was provided in another thread: "VPN Client disconnects after one hour".

Again, Thank you very much for taking your time and for the ideas you suggested to me.

Oren.

Timothy_Hall
Legend

Interesting, thanks for the follow-up and for sharing the solution. Looks like that natt_probe_do_in_kernel variable takes the NAT-T probing function away from the vpnd daemon and implements it in the kernel/fwk instead.
