DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Dual VPN dropping 2830n router (build 3.6.8.4_sb_232201)

04 Apr 2016 15:24 #1 by littlemillie
Good afternoon all,

I recently got a dual VPN going on my Draytek router (see my previous post) but I'm now getting problems with continual dropping of both VPNs every 30 minutes or so.

Both VPNs are dial-out and I have them 'Always on'. There shouldn't be service issues at the destination server end. I should add that it doesn't seem to affect me in terms of my use of the VPNs, but it's just annoying and I'd like to understand why it's happening.

I've copied an extract of the syslog below which just repeats as a block when each VPN goes down.

I would appreciate it if anyone has any ideas as to where I might fix this in the router config please?



VPN Syslog extract.
NOTE:
I've removed the VPN IP address for privacy and replaced it with (**VPN1.IP.ADDRESS**). I've also changed the profile name to VPN1.


"2016-04-04 13:13:20", "DPD timeout...ifno=11, timeouts:1"

"2016-04-04 13:16:01", "Start IKE Quick Mode to '(**VPN1.IP.ADDRESS**)"
"2016-04-04 13:16:01", "Client L2L remote network setting is '(**VPN1.IP.ADDRESS**)/24"
"2016-04-04 13:16:01", "IPsec SA #469 will be replaced after 2925 seconds"
"2016-04-04 13:16:01", "sent QI2, IPsec SA established with '(**VPN1.IP.ADDRESS**) In/Out Index: 0/-1"
"2016-04-04 13:16:25", "DPD timeout...ifno=10, timeouts:1"
"2016-04-04 13:16:42", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = VPN1, ifno = 10"
"2016-04-04 13:16:42", "[L2L][DOWN][L2TP/IPSec][@1:VPN1]"
"2016-04-04 13:16:42", "IsVirtualInterfaceIdle[10] IDLE, but state NOT IDLE, waiting to destroy ??? 0_4_0_0_0_0"
"2016-04-04 13:16:42", "DropThisTunnelFromIfno: 10 in IsVirtualInterfaceIdle."
"2016-04-04 13:16:43", "Initiating IKE Main Mode to '(**VPN1.IP.ADDRESS**)"
"2016-04-04 13:16:43", "NAT-Traversal: Using RFC 3947, no NAT detected"
"2016-04-04 13:16:43", "ISAKMP SA #470 will be replaced after 21572 seconds"
"2016-04-04 13:16:43", "ISAKMP SA established with '(**VPN1.IP.ADDRESS**) In/Out Index: 0/-1"
"2016-04-04 13:16:43", "Start IKE Quick Mode to '(**VPN1.IP.ADDRESS**)'"
"2016-04-04 13:16:43", "Client L2L remote network setting is '(**VPN1.IP.ADDRESS**)/24"
"2016-04-04 13:16:43", "IPsec SA #471 will be replaced after 2963 seconds"
"2016-04-04 13:16:43", "sent QI2, IPsec SA established with '(**VPN1.IP.ADDRESS**) In/Out Index: 0/-1"
"2016-04-04 13:16:48", "[VPN Trunk] Stop VPN backup tunnel: 10"
"2016-04-04 13:16:48", "[L2L][UP][L2TP/IPSec][@1:VPN1]"


04 Apr 2016 15:44 #2 by macavity

"2016-04-04 13:16:25", "DPD timeout...ifno=10, timeouts:1"

Might be a DPD (Dead Peer Detection) timeout causing it to drop? Similar to ping detect, VPN devices can use DPD to exchange a regular 'are you there?' message across the VPN to check that it's still alive. If no replies are received then the router will consider the VPN down and will drop it and try to re-establish the link. Is there any packet loss across the VPN?

Have you set your MY WAN IP and REMOTE GATEWAY IP to something other than 0.0.0.0? If so, it might be worth seeing how things go if you just leave them as 0.0.0.0. With it left as 0.0.0.0, as I understand it, the router will then decide the best settings for these.


04 Apr 2016 16:06 #3 by littlemillie
Hello Macavity,

MY WAN IP and REMOTE GATEWAY IP are already set to 0.0.0.0.

I thought the DPD might be causing this but the 2830n has no ability (I don't think) to configure this.

Here's an extract from DrayTek:

All Vigor VPN Routers support the IPsec DPD feature. Vigor2960 and Vigor3900 series support changing the Delay and Timeout settings via the Advanced tab in IPsec profiles, while other Vigor VPN Routers have DPD turned on by default and cannot turn it off nor change the parameters. For these Vigor VPN Routers, when DPD is negotiated to be used over an IPsec tunnel, Vigor will send DPD packets every 15 seconds when detecting no traffic over the IPsec tunnel. If the peer doesn't respond to the DPD packet two times, it will disconnect the IPsec tunnel.

I unchecked the Enable IPSEC Ping because the dropouts were every couple of minutes (as suggested on the Draytek support pages).

I'm now getting exactly 50mins/3000seconds between each disconnect.

The VPN server is a commercial VPN provider so it may well be that it was OK being pinged, but doesn't like the Draytek DPD?

I haven't noticed any packet loss but I'm not really a heavy throughput user. I use them for personal convenience for general web activity and video - so the VPNs just tick over much of the time.

Regards


04 Apr 2016 16:41 #4 by macavity
DPD can't be disabled on the 2830. A possibility is that it might be a symptom rather than the cause. The reason DPD exists is that IPsec doesn't have link control like you get on PPP connections, so VPNs could in theory go stale without one end noticing. What could be happening is that the VPN is being terminated at the far end (for some unknown reason) and the first thing the router notices is that DPD replies stop coming.

If you'd said that disconnections were every 3600 seconds, then IPSEC Phase 1 or Phase 2 re-negotiation would be the prime suspect as 3600 sec is a very common lifetime setting. It's still likely that it is something relating to re-negotiation.

Check to see if the VPN provider requires Perfect Forward Secrecy (PFS) and look at the Advanced button in the VPN profile, where you can set some of the phase 1 and phase 2 settings. It might also be worth checking to see what DH Group they prefer; you'll see the choice on the DrayTek under the Advanced button. (If you play with the settings, keep it on Main Mode, don't use Aggressive Mode. You won't need to set the Local ID either, as that's just for Aggressive Mode.)
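A small model of the DPD behaviour quoted from DrayTek in #3, and of the "symptom rather than cause" point macavity makes in #4, added here as an example. It is a simulation written for this thread, not DrayTek firmware code: the 15 second probe interval and the two-miss limit come from the quoted DrayTek note, while the peer behaviour and traffic pattern are constructed inputs. It shows why an idle, always-on tunnel whose far end goes quiet is logged as a DPD timeout and then dropped roughly two intervals later, and why a tunnel carrying steady traffic is never probed at all. The 17 seconds between the "DPD timeout...timeouts:1" line and the "PPP Drop VPN" line in the #1 extract is consistent with a second probe firing one interval after the first miss.

```python
"""Dead Peer Detection (DPD) timeline model.

Added example for this thread, modelling the behaviour quoted from DrayTek:
on an idle tunnel the router probes every 15 s and tears the tunnel down after
two unanswered probes. Not DrayTek code; peer behaviour and traffic are
constructed inputs.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

DPD_INTERVAL = 15    # seconds between R-U-THERE probes on an idle tunnel (DrayTek note)
DPD_MAX_MISSES = 2   # consecutive unanswered probes before disconnect (DrayTek note)


@dataclass
class DpdMonitor:
    interval: int = DPD_INTERVAL
    max_misses: int = DPD_MAX_MISSES
    next_probe: int = DPD_INTERVAL    # tunnel comes up at t=0; first probe one interval later
    misses: int = 0
    down_at: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def on_traffic(self, t: int) -> None:
        """Traffic over the tunnel counts as proof of life (as the DrayTek note says,
        probes are only sent when there is no traffic): reset idle timer and miss count."""
        self.misses = 0
        self.next_probe = t + self.interval

    def tick(self, t: int, peer_answers: Callable[[int], bool]) -> bool:
        """Advance the clock to second t, probing if the idle interval has elapsed.
        Returns True while the tunnel is still up."""
        if self.down_at is not None:
            return False
        if t >= self.next_probe:
            self.events.append(f"t={t}: send R-U-THERE")
            if peer_answers(t):
                self.misses = 0
                self.events.append(f"t={t}: got R-U-THERE-ACK")
            else:
                self.misses += 1
                # Mirrors the syslog wording "DPD timeout...timeouts:N"
                self.events.append(f"t={t}: DPD timeout, timeouts:{self.misses}")
                if self.misses >= self.max_misses:
                    self.down_at = t
                    self.events.append(f"t={t}: tunnel DOWN after {self.misses} unanswered probes")
                    return False
            self.next_probe = t + self.interval
        return True


def simulate(duration: int, peer_answers: Callable[[int], bool], traffic_at=()) -> DpdMonitor:
    """Run the monitor for `duration` seconds.  `peer_answers(t)` says whether the
    far end would answer a probe sent at second t; `traffic_at` lists the seconds
    at which traffic crosses the tunnel (constructed input)."""
    mon = DpdMonitor()
    traffic = set(traffic_at)
    for t in range(duration + 1):
        if t in traffic:
            mon.on_traffic(t)
        if not mon.tick(t, peer_answers):
            break
    return mon


if __name__ == "__main__":
    # Idle tunnel whose far end stops answering at t=100 (e.g. it tore the SA down):
    # probes at 15..90 are answered, 105 is the first miss, 120 the second -> DOWN.
    m = simulate(300, peer_answers=lambda t: t < 100)
    print("\n".join(m.events[-4:]))
    print("down_at =", m.down_at)
```

The first scenario is the one the thread is seeing: the far end stops answering, the router logs one timeout, and the drop follows one interval later. The "busy" scenario in the test shows the flip side of the quoted note: with traffic every 10 seconds no probe is ever sent, so DPD only ever speaks up on tunnels that are ticking over idle, which is exactly how the poster describes using them.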


05 Apr 2016 13:17 #5 by littlemillie
Macavity,

Do you know what settings these log items refer to? It occurs during the VPN reconnect process.

For VPN1:
2016-04-05 12:52:25 sent QI2, IPsec SA established with (**VPN1.IP.Address.**). In/Out Index: 0/-2
2016-04-05 12:52:25 IPsec SA #151 will be replaced after 2996 seconds

and VPN2:
2016-04-05 12:52:27 sent QI2, IPsec SA established with (**VPN2.IP.Address.**). In/Out Index: 0/-1
2016-04-05 12:52:27 IPsec SA #152 will be replaced after 2996 seconds

Is this the SA policy offered by the VPN server (IPsec SA #151 will be replaced after 2996 seconds) which is why I can't see this config setting?

This happens for both VPNs and exactly matches with the 50min/3000sec drop time I was seeing (rather than my configured time for the IKE phase 2 key lifetime of 3600sec).

But if that's the case, why doesn't the SA just get renewed/reset by the router every 3000sec rather than the VPN dropped and restarted anew?

I should, of course, say that I'm learning about this as I go along so I may have totally misunderstood everything.

Regards
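The correlation littlemillie works out by hand above (time of each drop against the "will be replaced after N seconds" figure logged when the SA came up) can be checked mechanically over a whole syslog. The following is an added example, not part of the original thread and not a DrayTek tool. Its log lines are constructed in the same format as the extracts in #1 and #5, with placeholder addresses. Two assumptions about how the messages relate are built in and labelled in the code: a lifetime line names no profile, so it is attributed to the next "[L2L][UP]" line within 60 seconds; and DPD timeouts carry only an ifno, which is mapped to a profile via the "PPP Drop VPN ... Name = X, ifno = N" line.

```python
"""Correlate DrayTek VPN syslog lines: do tunnel drops land at the negotiated IPsec SA
lifetime, or only after DPD timeouts at unrelated times?

Added example for this thread. SAMPLE_LOG is constructed in the format of the posted
extracts; it is not the poster's log. Attribution of lifetime lines and DPD timeouts
to a profile is an assumption (see comments), not documented DrayTek behaviour."""
import re
from datetime import datetime, timedelta

LINE_RE     = re.compile(r'^"(?P<ts>[^"]+)",\s*"(?P<msg>.*)"$')
LIFETIME_RE = re.compile(r'IPsec SA #(?P<sa>\d+) will be replaced after (?P<secs>\d+) seconds')
UPDOWN_RE   = re.compile(r'\[L2L\]\[(?P<state>UP|DOWN)\]\[[^\]]*\]\[@\d+:(?P<profile>[^\]]+)\]')
PPPDROP_RE  = re.compile(r'PPP Drop VPN .*Name = (?P<profile>[^,]+), ifno = (?P<ifno>\d+)')
DPD_RE      = re.compile(r'DPD timeout\.\.\.ifno=(?P<ifno>\d+), timeouts:(?P<n>\d+)')

SAMPLE_LOG = """
"2016-04-05 11:02:25", "sent QI2, IPsec SA established with '(**VPN1.IP.ADDRESS**)' In/Out Index: 0/-1"
"2016-04-05 11:02:25", "IPsec SA #151 will be replaced after 2996 seconds"
"2016-04-05 11:02:30", "[L2L][UP][L2TP/IPSec][@1:VPN1]"
"2016-04-05 11:52:08", "DPD timeout...ifno=10, timeouts:1"
"2016-04-05 11:52:25", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = VPN1, ifno = 10"
"2016-04-05 11:52:25", "[L2L][DOWN][L2TP/IPSec][@1:VPN1]"
"2016-04-05 11:52:26", "IPsec SA #153 will be replaced after 2960 seconds"
"2016-04-05 11:52:31", "[L2L][UP][L2TP/IPSec][@1:VPN1]"
"2016-04-05 12:00:00", "IPsec SA #160 will be replaced after 2996 seconds"
"2016-04-05 12:00:05", "[L2L][UP][L2TP/IPSec][@2:VPN2]"
"2016-04-05 12:10:12", "DPD timeout...ifno=11, timeouts:1"
"2016-04-05 12:10:29", "PPP Drop VPN : L2L Dial-out, Profile index = 2, Name = VPN2, ifno = 11"
"2016-04-05 12:10:29", "[L2L][DOWN][L2TP/IPSec][@2:VPN2]"
"2016-04-05 12:41:40", "DPD timeout...ifno=10, timeouts:1"
"2016-04-05 12:41:57", "PPP Drop VPN : L2L Dial-out, Profile index = 1, Name = VPN1, ifno = 10"
"2016-04-05 12:41:57", "[L2L][DOWN][L2TP/IPSec][@1:VPN1]"
""".strip().splitlines()


def parse(lines):
    """Return (datetime, message) for well-formed '"ts", "msg"' lines; skip anything else."""
    out = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S'), m['msg']))
    return out


def analyse(lines, tolerance=120, attach_window=60, dpd_window=60):
    """For every [DOWN] event: seconds since that profile's last SA came up, the lifetime
    that SA announced, whether the drop lands within `tolerance` of that lifetime, and
    whether a DPD timeout on the profile's ifno preceded it within `dpd_window` seconds."""
    lifetimes, ups, downs, dpd = [], [], [], []
    ifno_of = {}                                    # profile -> ifno, from 'PPP Drop VPN' lines
    for ts, msg in parse(lines):
        if (m := LIFETIME_RE.search(msg)):
            lifetimes.append([ts, int(m['sa']), int(m['secs']), None])
        elif (m := UPDOWN_RE.search(msg)):
            (ups if m['state'] == 'UP' else downs).append((ts, m['profile']))
        elif (m := PPPDROP_RE.search(msg)):
            ifno_of[m['profile']] = int(m['ifno'])
        elif (m := DPD_RE.search(msg)):
            dpd.append((ts, int(m['ifno']), int(m['n'])))
    # ASSUMPTION: a lifetime line belongs to the [UP] that follows it within attach_window s.
    for lt in lifetimes:
        for ts, prof in ups:
            if timedelta(0) <= ts - lt[0] <= timedelta(seconds=attach_window):
                lt[3] = prof
                break
    report = {}
    for drop_ts, prof in downs:
        entry = {'at': drop_ts.strftime('%H:%M:%S'), 'since_sa': None,
                 'sa_lifetime': None, 'lifetime_expiry': False, 'dpd_before': False}
        prior = [lt for lt in lifetimes if lt[3] == prof and lt[0] < drop_ts]
        if prior:
            sa_ts, _, secs, _ = max(prior, key=lambda lt: lt[0])
            elapsed = int((drop_ts - sa_ts).total_seconds())
            entry.update(since_sa=elapsed, sa_lifetime=secs,
                         lifetime_expiry=abs(elapsed - secs) <= tolerance)
        ifno = ifno_of.get(prof)                    # ASSUMPTION: ifno learned from the drop line
        entry['dpd_before'] = any(i == ifno and timedelta(0) <= drop_ts - ts <= timedelta(seconds=dpd_window)
                                  for ts, i, _ in dpd)
        report.setdefault(prof, []).append(entry)
    return report


def verdict(report):
    """One-line reading per profile, in the terms used in the thread."""
    out = {}
    for prof, drops in report.items():
        if drops and all(d['lifetime_expiry'] for d in drops):
            out[prof] = 'drops coincide with IPsec SA lifetime expiry: torn down instead of rekeyed in place'
        elif any(d['dpd_before'] for d in drops):
            out[prof] = 'drops follow DPD timeouts at times unrelated to the SA lifetime: peer or path problem'
        else:
            out[prof] = 'no pattern found'
    return out


if __name__ == '__main__':
    r = analyse(SAMPLE_LOG)
    for prof, drops in r.items():
        for d in drops:
            print(prof, d)
    print(verdict(r))
```

On the constructed log, VPN1's two drops fall 3000 s and 2971 s after their SAs came up, against announced lifetimes of 2996 s and 2960 s, so they are classed as lifetime expiry even though each is also preceded by a DPD timeout; VPN2's single drop comes 629 s into a 2996 s lifetime with a DPD timeout 17 s before it, so it is classed as a DPD-driven drop. Running this over the router's full syslog, rather than a short extract, is what separates "the far end tears down at rekey time and DPD is the messenger" from "the path is genuinely flaky".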


05 Apr 2016 16:06 #6 by macavity
I'd guess the other end wants the SA lifetime to be 3000 seconds. The DrayTek would be proposing 3600 but it looks like the other end wants 3000.

"why doesn't the SA just get renewed/reset by the router every 3000sec rather than the VPN dropped and restarted anew?"

It should do. My understanding was that the Draytek should then just use 3000.

What happens if you try setting the Phase 2 to 3000 seconds on the DrayTek ?

