BEFSX41 to RV082 VPN keeps dropping

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by guido331, Apr 30, 2006.

  1. guido331

    guido331 Network Guru Member

    Hi all,

    I used to have a VPN setup between two BEFSX41s that connected two sites and it worked like a champ. I have replaced one of the BEFSX41 units with an RV082 so I could take advantage of the more advanced firewall but I've noticed the VPN drops after about an hour. Here's the setup:

    Both routers are on RoadRunner cable.
    The RV082 is at the main site with a static IP address.
    The BEFSX41 is a remote office with a dynamic IP, registered with DynDNS.
    Both routers are using the latest firmware for each from the Linksys website.

    Is this a known issue? Does anybody have any suggestions on how to troubleshoot or fix this? I really like the RV082 and I'd really rather not return it and go back to the BEFSX41.
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    As a minor suggestion, make sure your key lifetime settings are the same on both sides, to include using the "subnet" option on both routers for "local secure group."

    Doc
     
  3. guido331

    guido331 Network Guru Member

    The key lifetime is set to 3600 on both routers. I'm also using the subnet option for local secure group on both routers.

    I called Linksys tech support and they suggested the following:

    1. Change MTU on RV082 to 1458
    2. Change MTU on BEFSX41 to 1458
    3. Downgrade BEFSX41 firmware to 1.50.9
    4. Disable "Block WAN Request" on BEFSX41
    5. Disable "Block WAN Request" on RV082

    I'm currently on step 4 right now and waiting to see if it works. The connection was up all evening yesterday but when I checked it this morning the remote BEFSX41 seems to have locked up. I can no longer get to the web interface on it at all but the computers at that site still have internet access. I'm waiting for one of them to get in the office so I can walk them through resetting the BEFSX41.
     
  4. d__l

    d__l Network Guru Member

    What firmware were you using on the SX41s prior to changing to an RV082? Have you tried firmware 1.45.7 on the SX41?
     
  5. guido331

    guido331 Network Guru Member

    When we first got both SX41s they were using a 1.4x firmware (don't remember the exact version). They were both since upgraded to 1.52.9 and have been up and running with no problems for quite a while.

    I'm afraid if I downgrade from 1.52.9 to 1.45.7 the SX41 will lose all its settings which will require a trip to that site to set it all back up again. Does anybody know if that's the case?
     
  6. d__l

    d__l Network Guru Member

    Actually it may not lose its settings, and that would be bad! When you flash an SX41, you really want to do a reset to factory defaults before flashing, especially when downgrading firmware.

    The long reset before a flash seems to be effective in avoiding a bricked router.

    The fact that your key lifetime is set to 3600 and the VPN tunnel seems to drop after an hour suggests to me that the routers are fumbling the tunnel re-build for some reason. Do you have the Keep-Alive check box enabled on the SX41 in the Advanced VPN settings? Is there an equivalent setting on the RV082 that should be checked?
     
  7. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Yeah..downgrades in firmware versions will usually lose the settings. Upgrades in firmware will usually keep the settings.."migrating" them. Unless the difference in the new version is quite a few versions ahead (IE...you're upgrading really REALLY old firmware to the latest).

    The latest 1.3.2 firmware for the RV082 has a feature which does a better job of maintaining a live tunnel...and reestablishing it quickly if the tunnel gets dropped.
     
  8. guido331

    guido331 Network Guru Member

    After getting someone at the remote site to reboot the SX41 the tunnel has been up all day with both routers on the latest firmware (RV082=1.3.2, BEFSX41=1.52.9). I'm still monitoring them however.

    I was also under the impression the RV082 could reestablish a VPN connection if dropped but doesn't the SX41 have to be configured to accept inbound VPNs? Currently the RV082 is at the main office and the SX41 dials into there, not the other way around. I do have the keep-alive option enabled on both routers also.
     
  9. guido331

    guido331 Network Guru Member

    No joy... the connection dropped again.

    I've noticed when the connection drops and will not reconnect I see the following repeated over and over in the VPN log on the SX41:

    2006-05-01 15:46:25
    2006-05-01 15:46:25 IKE[1] Tx >> MM_I1 : x.x.x.x SA
    2006-05-01 15:46:26
    2006-05-01 15:46:26 IKE[1] Tx >> MM_I1 : x.x.x.x SA
    2006-05-01 15:46:29
    2006-05-01 15:46:29 IKE[1] Tx >> MM_I1 : x.x.x.x SA
    2006-05-01 15:46:33
    2006-05-01 15:46:33 IKE[1] Tx >> MM_I1 : x.x.x.x SA
    2006-05-01 15:46:40
    2006-05-01 15:46:40 IKE[1] Tx >> MM_I1 : x.x.x.x SA

    I see the following in the VPN log on the RV082:

    May 1 15:50:01 2006 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
    May 1 15:50:01 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    May 1 15:49:59 2006 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
    May 1 15:49:59 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
    May 1 15:49:49 2006 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
    May 1 15:49:49 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet

    The only way I have seen to fix this condition is to change the encryption from 3DES or SHA to something else, apply the settings, and then set them back to the original settings.
     
  10. JayUSA123

    JayUSA123 Guest

    Not sure if you've discovered a fix or not yet...

    but my VPN (between a BEFSX41 and SonicWall Pro1260) was exhibiting the same behavior as you noted in your last post.

    The issue seemed to revolve around the BEFSX41 not responding to subsequent IPSec requests after the initial connection was lost (after the key lifetime was up).

    Setting "Block Anonymous Internet Requests" to Disable on the Security > Firewall page has alleviated our symptoms. For testing purposes, I set the key lifetime to 120 seconds (the smallest I could make it on my SonicWall) and observed the logs. Sure enough, every two seconds, the connection is renegotiated and successfully reestablishes the connection, where before, it would break the connection and simply repeat "IKE[1] Tx >> MM_I1 : x.x.x.x SA" in the BEFSX41 VPN log.

    Hope this helps if you're still looking for a solution!
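
Added example, not part of the thread or of any vendor tooling: a Python triage of the two log excerpts quoted in post 9, separating the case where the responder rejects the proposal in the first Main Mode packet from the case where it never logs that packet at all. The sample logs are constructed from the lines quoted above; the function names, result labels and the `min_retries` threshold are assumptions, and only the message formats visible in the thread are matched.

```python
import re
from datetime import datetime

# Constructed samples, shaped like the log lines quoted in the thread.
SX41_LOG = """\
2006-05-01 15:46:25
2006-05-01 15:46:25 IKE[1] Tx >> MM_I1 : x.x.x.x SA
2006-05-01 15:46:26 IKE[1] Tx >> MM_I1 : x.x.x.x SA
2006-05-01 15:46:29 IKE[1] Tx >> MM_I1 : x.x.x.x SA
2006-05-01 15:46:33 IKE[1] Tx >> MM_I1 : x.x.x.x SA
2006-05-01 15:46:40 IKE[1] Tx >> MM_I1 : x.x.x.x SA
"""
RV082_LOG = """\
May 1 15:50:01 2006 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
May 1 15:50:01 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
May 1 15:49:59 2006 VPN Log No acceptable Oakley Transform, No Proposal chosen. Please check your SA or preshared key setting
May 1 15:49:59 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Main Mode 1st packet
"""

MM_I1 = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) IKE\[\d+\] Tx >> MM_I1\b")

def mm_i1_run(log):
    """Return (count, seconds) for the longest run of back-to-back MM_I1 sends."""
    best, run = (0, 0.0), []
    for line in log.splitlines():
        m = MM_I1.match(line.strip())
        if m:
            run.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
            best = max(best, (len(run), (run[-1] - run[0]).total_seconds()))
        elif "IKE[" in line:  # assumption: any other IKE event ends the run
            run = []
    return best

def responder_counts(log):
    """Return (first packets received, proposals rejected) from the responder log."""
    return (log.count("Responder Received Main Mode 1st packet"),
            log.count("No Proposal chosen"))

def triage(initiator_log, responder_log, min_retries=3):
    """Classify a failed rekey from both ends' logs (labels are hypothetical)."""
    count, _ = mm_i1_run(initiator_log)
    received, rejected = responder_counts(responder_log)
    if count < min_retries:
        return "no-retry-loop"
    if received == 0:
        return "responder-silent"    # packet never logged: check filtering on the path
    if rejected:
        return "proposal-rejected"   # packet arrives: compare phase 1 settings and state
    return "inconclusive"
```

Timestamps are not compared across the two devices, since each router keeps its own clock; the classification relies only on which messages each side logged.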
     
