Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 14 replies
  • Subscribers 1 subscriber
  • Views 14083 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Automatic Site-to-Site VPN service restart possible?

ipigi
Hello everyone,

Here is my predicament. 

I use Astaro to connect to the office via a Site-to-Site VPN. The problem is that the internet connection is reset on a daily basis causing the VPN link to go down. If I simply turn the S2S link off and on again, the VPN becomes online again.

The daily internet connection resets are necessary to keep DSL speeds at acceptable levels. The downtime is about 5 minutes while the DSL modem gets a synchro and reconnects.

Is there any way to automate this process via the crontab? I could have the entire Astaro reboot, but that seems wasteful.


This thread was automatically locked due to age.
  • 0
    I don't understand why IPsec doesn't reconnect when the Astaro is back online.  Please show pictures of your 'IPsec Connection' and 'Remote Gateway' definitions.  On the 'Advanced' tab, is dead-peer detection checked?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hello Bob,

    Thank you for taking time to look into this.

    Yes dead-peer detections is enabled under the advanced tab.

    I've tried restarting Astaro but that does not seem to be effective. 

    I've included the requested info, I did black out some information, but nothing that should be critical for troubleshooting.

    If this helps at all, the internet connection is reset on the remote side and not on the local side. The remote Gateway is a Cisco ASA 5505. The connection works flawlessly otherwise.
  • 0
    Anyone can help out here? I'm curious about this too. I don't have the same situation exactly, but I do have a site-to-site IPSec VPN and yesterday one of our clients called us to say it was down. I looked and yup, so I didn't see anything that I could do except disable and enable that tunnel and it was up. WTF? I didn't see anything in the logs at all indicating a failure of any kind. It's like it just..  went to lunch.

    Is it by chance related to IKE and IPSec SA lifetime settings?
  • 0 in reply to coewar
    I have a similar problem, too.

    Internet connection is not created by Astaro but a HP router (Astaro is NATed).
    Our connection is dropped once a day by our provider, after that we have problems with some VPN connections.
    Most times these VPN connections are even still showed green and running, but no data transfer is possible until I restart the connection.

    So if I could trigger automatic restart of single connections or full IPSec-VPN I could get rid of restarting manually.

    Ciao, Alfred

    PS: Yes, dead-peer-detection is on, this still happens with Astaro 8.305
  • 0
    In ipigi's pictures, it appears that he needs to select 'Support path MTU discovery'.

    What happens if you select that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    I have a customer fighting this issue now with Site to Site tunnels to Cisco devices... problem started somewhere around 8.2xx or 8.3xx.  Support is looking into it --- the tunnels really should re-connect automatically if theres a failure, but they don't sometimes.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    The problem started here last summer when cisco released a buggy firmware for ASA..

    Meanwhile most of our customers use newer firmware, so I have only some 5 of them remaining with the buggy firmware that make this problems and force a daily manual tunnel restart.

    The error occurs on IKE rekeying
  • 0 in reply to papa__01
    Papa, I think you hit the nail on the head, I think my customer is having this exact problem, older Cisco hardware having issues during rekeying.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0
    @papa_:  Do you happen to know the "broken" version(s) of ASA firmware and the first version in which it was fixed?  Even better if you know the Caveat ID.  [:)]
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0
    Was this "CSCtc47782 Malformed IKE traffic causes rekey to fail" that was fixed in Version 7.0.8.12 – 02/25/2011?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Cookie Information Banner