D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: tylan on September 16, 2009, 06:35:36 AM
-
I have 2 DFL-210 Routers connected with a L2L tunnel. I followed the documents on the Dlink FAQs. The networks are 192.168.0.x and 192.168.100.x. The users on the 192.168.100.x network connect via remote desktop to a server on the 192.168.0.x network. They claim that they get kicked off daily. Then they are able to get back on almost immediately. I checked and the router has not been rebooted / shut down recently. I think that they are getting kicked off when the tunnels re-negotiate. I sent the configs to Dlink a few months back when they initially complained. Dlink found nothing wrong. Can I up the time the tunnels go w/o re-negotiating? Is there anything else I can check?
Any ideas?
Tylan
-
I may have phrased my post in a complicated paragraph...
Here's what I'm really looking for:
1) When a L2L tunnel renegotiates daily, would the connections through the tunnel be interrupted?
2) Can I up the time a tunnel stays alive so that this issue could be avoided?
Thanks in advance!
Tylan
-
Sessions ideally should not be dropped when renegotiations happen, assuming it goes through without a hitch.
What are your timeouts?
Do you have a data based timeout?
Do you use a keep alive?
Do you use DPD?
-
--IKE Lifetime 28800
--IPSEC Lifetime 3600
--Keep-alive set to auto
I'm not sure what you mean by DPD or data based timeout... Sorry.
Here is the doc I used to configure the tunnels:
http://www.dlink.com/support/faqDetail/?prod_id=2783&print=1
Thanks for your reply,
Tylan
-
DPD Is a setting on the IKE tab.
Data based timeout referred to an IPsec lifetime based on a number of kilobytes.
I believe this document will be revised in the near future; if followed perfectly it could cause some problems. Specifically, you are going to have 2 routing entries for the same tunnel, which could be causing your problem.
Uncheck the box that says Dynamically add route to the remote network when a tunnel is established.
-
--DPD is checked.
--The IPSEC lifetime is set to 0 kilobytes.
I don't see any duplicate routes in the routing table. Are you referring to a duplicate route that doesn't actually show in the tables? I'd post a screenshot, but I'm not sure how to do it.
-
Eureka!
DPD (Dead Peer Detection) is the mortal enemy of Keep Alive; using both at once is a problem of sizeable scale. Since you don't want your tunnel going down ever, remove DPD.
You would see it in Status->Routes, but only while the tunnel is up. A better place to check would be if you have both that check box, and the automatically add route box on the advanced tab checked.
As this is a L2L installation you should have the one on the advanced tab only and not the one on the routing tab.
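A way to test the suspicion from the first post, that the daily drops line up with tunnel renegotiation, before (or after) changing the DPD and routing settings: correlate SA rekey events from the firewall log with RDP disconnects from the server log, and compare the observed rekey spacing with the configured IPsec lifetime of 3600 s. This is an added example, not code from the thread or from D-Link; the log line formats, peer address and user names are constructed assumptions, not real DFL-210 output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the formats are assumptions, not real DFL-210 output.
FIREWALL_LOG = """\
2009-09-15 02:00:01 IKE: SA rekey peer=203.0.113.10 tunnel=L2L_branch
2009-09-15 03:00:02 IPSEC: SA rekey peer=203.0.113.10 tunnel=L2L_branch
2009-09-15 04:00:02 IPSEC: SA rekey peer=203.0.113.10 tunnel=L2L_branch
"""
SESSION_LOG = """\
2009-09-15 03:00:05 RDP session closed user=alice src=192.168.100.21 dst=192.168.0.5
2009-09-15 03:45:12 RDP session closed user=bob src=192.168.100.22 dst=192.168.0.5
2009-09-15 04:00:03 RDP session closed user=alice src=192.168.100.21 dst=192.168.0.5
"""

TS = "%Y-%m-%d %H:%M:%S"
REKEY_RE = re.compile(r"^(\S+ \S+) (IKE|IPSEC): SA rekey .*tunnel=(\S+)")
DROP_RE = re.compile(r"^(\S+ \S+) RDP session closed user=(\S+)")

def parse_rekeys(text):
    """Return (time, phase, tunnel) for each SA rekey line."""
    return [(datetime.strptime(m.group(1), TS), m.group(2), m.group(3))
            for m in map(REKEY_RE.match, text.splitlines()) if m]

def parse_drops(text):
    """Return (time, user) for each session-closed line."""
    return [(datetime.strptime(m.group(1), TS), m.group(2))
            for m in map(DROP_RE.match, text.splitlines()) if m]

def correlate(rekeys, drops, window=timedelta(seconds=30)):
    """Split drops into those occurring within `window` after a rekey and the rest."""
    matched, unmatched = [], []
    for when, user in drops:
        hit = next((r for r in rekeys if timedelta(0) <= when - r[0] <= window), None)
        (matched if hit else unmatched).append((when, user, hit))
    return matched, unmatched

def rekey_intervals(rekeys, phase):
    """Seconds between consecutive rekeys of one phase, to compare with the configured lifetime."""
    times = sorted(t for t, p, _ in rekeys if p == phase)
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

if __name__ == "__main__":
    rekeys, drops = parse_rekeys(FIREWALL_LOG), parse_drops(SESSION_LOG)
    hits, misses = correlate(rekeys, drops)
    print(f"{len(hits)} of {len(drops)} drops fall within 30 s of a rekey")
    print("IPsec rekey intervals (s):", rekey_intervals(rekeys, "IPSEC"))
```

If most drops land inside the window and the IPsec intervals match the 3600 s lifetime, the renegotiation is the trigger; drops that fall outside it point at something else.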
-
I see what you are talking about now. There are two settings about adding the route. I cleared the dynamic add route box on the routing tab, and left the one on the advanced tab checked. I also cleared the dead peer detection box.
Anything else I should check, or just sit back and wait for the customer to NOT complain about the tunnel dropping!
Thanks
-
Well, let's hope it is sitting back and waiting for the customer to not complain.
-
Then I'll inform them that I've adjusted some settings on the L2L Tunnel and we'll see what happens.
Thanks,
Tylan