
Author Topic: IPSEC Troubles  (Read 6755 times)

Newsfile

  • Level 1 Member
  • *
  • Posts: 4
IPSEC Troubles
« on: March 15, 2010, 12:09:25 PM »

Greetings all,

I've got two D-Link routers: a DFL-800 and a DFL-210. They form a LAN-to-LAN IPSEC tunnel that links our two offices across the country.

It seems that every month or so, the link is severed and not reestablished. This is curious because both routers are set to automatic Keep-Alive. When the problem occurs, one router will have an active SA in the IPSec Status section, while the other will not. The only way I've found to correct the problem is to restart the unit that claims to have an active SA. Then the VPN is automatically reestablished and all is right again.

Due to the time difference, this occasionally happens when I am asleep and unable to correct the problem, causing members of one office to be unable to access resources of the other. So while the problem is infrequent, it's critical for me to correct.

I've re-examined both devices' IPSEC settings, and found that they were identical except for two items. a) Only one router had "Dead Peer Detection" turned on. I've now made sure both units have this item checked. b) There was a slight discrepancy between the packet sizes in the "Routing" tab, where one was set to "1424" and the other "1420". Both have now been set to 1424.

If anyone has any suggestions of things I could adjust to make sure the link is reestablished automatically any time it becomes disconnected, I'm all ears.

DFL 210 - firmware v 2.20.01
DFL 800 - firmware v 2.26.00

Thanks.

danilovav

  • Level 4 Member
  • ****
  • Posts: 424
  • Alexandr Danilov
Re: IPSEC Troubles
« Reply #1 on: March 15, 2010, 01:43:58 PM »

First, try to upgrade the DFL-210 up to 2.26 - this f/w is more stable and useful.
And, if quick re-establishing is so important, you can write a small script - try to ping the remote DFL (via IPsec) - if unsuccessful, run killsa (you can use killsa <ip address> for a static remote endpoint or killsa -all to delete all SAs). But, of course, you will need an always-working PC to run this script. But if you have any servers, I think it will not be so much of a problem.
BR, Alexandr Danilov
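The watchdog danilovav describes, sketched as an added example (not code from this thread or from D-Link). It assumes the local DFL's CLI is reachable over SSH, uses constructed addresses, and adds two things the one-line description leaves out: a threshold of consecutive failed probes and a cooldown between resets, so a single lost ping or an SA that is already renegotiating does not get torn down again.

```python
"""Tunnel watchdog: probe across the IPsec tunnel, run killsa when it is really down."""
import subprocess
import time

REMOTE_HOST = "192.0.2.10"        # constructed: a host behind the far DFL, reached via the tunnel
FIREWALL_SSH = "admin@192.0.2.1"  # constructed: local DFL management address (assumes SSH CLI enabled)
REMOTE_ENDPOINT = "198.51.100.1"  # constructed: far end's public IP, the argument given to killsa
FAIL_THRESHOLD = 3                # consecutive failed probes before an SA is torn down
RESET_COOLDOWN = 300              # seconds; never kill SAs more often than this


class TunnelWatchdog:
    def __init__(self, threshold=FAIL_THRESHOLD, cooldown=RESET_COOLDOWN):
        self.threshold = threshold
        self.cooldown = cooldown
        self.failures = 0       # consecutive failed probes
        self.last_reset = None  # timestamp of the last killsa we issued

    def observe(self, reachable: bool, now: float) -> bool:
        """Record one probe result; return True when the SA should be killed now."""
        if reachable:
            self.failures = 0
            return False
        self.failures += 1
        if self.failures < self.threshold:
            return False  # transient loss: do not touch a healthy tunnel
        if self.last_reset is not None and now - self.last_reset < self.cooldown:
            return False  # still in cooldown: the peers may be renegotiating
        self.last_reset = now
        self.failures = 0
        return True


def probe(host: str) -> bool:
    """One ICMP probe across the tunnel; True if the far side answered."""
    r = subprocess.run(["ping", "-c", "1", "-W", "2", host], capture_output=True)
    return r.returncode == 0


def kill_sa(endpoint: str) -> int:
    """Run killsa for one remote endpoint on the local DFL over SSH (assumed enabled)."""
    return subprocess.run(["ssh", FIREWALL_SSH, f"killsa {endpoint}"]).returncode


if __name__ == "__main__":
    wd = TunnelWatchdog()
    while True:
        if wd.observe(probe(REMOTE_HOST), time.time()):
            print("tunnel down: clearing the SA so it can be re-negotiated")
            kill_sa(REMOTE_ENDPOINT)
        time.sleep(30)
```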

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: IPSEC Troubles
« Reply #2 on: March 16, 2010, 11:15:32 AM »

Also, you don't want DPD, turn it off.
non progredi est regredi

Newsfile

  • Level 1 Member
  • *
  • Posts: 4
Re: IPSEC Troubles
« Reply #3 on: March 16, 2010, 12:03:22 PM »

Fatman: Could you elaborate on why I don't want Dead Peer Detection?

My understanding of this feature is that it automatically reclaims resources used by the Security Association when the connection is deemed to be dead. The router that claimed to have an active SA when none existed is also the one which had DPD turned off.

It stands to reason that DPD (or lack thereof) may be the cause of the undesirable behaviour. I would like to consider this carefully before I make a configuration adjustment one way or the other.

danilovav: I'll endeavour to upgrade the 210 to the latest firmware ASAP. When it's functioning properly, the tunnel comes up automatically when remote resources are requested by the users, so scripts are probably not necessary in this case.
« Last Edit: March 16, 2010, 12:06:06 PM by Newsfile »

Fatman

  • Level 9 Member
  • ****
  • Posts: 1675
Re: IPSEC Troubles
« Reply #4 on: March 16, 2010, 12:55:05 PM »

DPD will drop an SA after an activity timeout; it is the exact opposite of keep-alive, which works to keep that tunnel open.

For a site to site tunnel the cost of keeping that tunnel open (in CPU and bandwidth) is worth not having the latency (and possible drops for latency sensitive applications) of re-establishing the tunnel.

One more thing!  DPD mismatch will always cause issues whether you end up using it or not.

*** Modified by Fatman who always has "One more thing!"
non progredi est regredi

Newsfile

  • Level 1 Member
  • *
  • Posts: 4
Re: IPSEC Troubles
« Reply #5 on: March 16, 2010, 01:43:41 PM »

That's extremely helpful. Thanks for the info!