IPSec VPN Issues: No traffic through the tunnel caused by dropped ESP packets on the DSL modem

We have observed a spike in problems with IPsec VPN tunnels lately.

The following symptoms are typical for this problem:

  • The IPsec tunnel is up, but no traffic or only one-way traffic flows through the tunnel.
  • If multiple VPN tunnels are set up, only one or a few of them may be affected.
  • The problem is highly sporadic.
  • The problem is not specific to a particular firewall vendor.
  • The internet line is provided by Swisscom with a Business DSL modem, known as Smart BCON or SBCON.
  • In some cases, FRITZ!Box modems and modems from UPC or Sunrise were affected as well.

How to check if you are affected by this issue

For a first overview, check the Outgoing and Incoming Data counters of the tunnel on the firewall: one of the two counters has stopped incrementing.

Screenshots: FortiGate IPsec Monitor; WatchGuard Firebox System Manager.

For more reliable troubleshooting, run a packet trace on both sides of the VPN tunnel. You should see incoming and outgoing ESP packets. If you only see outgoing but no incoming ESP packets, you are most likely affected by this issue.

FortiGate CLI (replace <remote-public-ip> with the public IP of the remote peer terminating the VPN tunnel; the placeholder is written out here because the original post lost it during formatting):

# Temporarily disable the hardware acceleration (NP offload) for the affected phase 1
# Please note: disabling NP offload will cause the tunnel to flap
config vpn ipsec phase1-interface
  edit phase-1-name
    set npu-offload disable
  next
end

# Capture the ESP packets exchanged with the remote peer
# (verbosity 4 shows interface and direction, 0 = unlimited packet count, a = absolute timestamps)
diagnose sniffer packet any "host <remote-public-ip> and esp" 4 0 a

# Turn the hardware acceleration back on
config vpn ipsec phase1-interface
  edit phase-1-name
    unset npu-offload
  next
end

WatchGuard: Diagnostic Task > TCP Dump (replace <remote-public-ip> with the public IP of the remote peer terminating the VPN tunnel):

Enable Advanced Options > -i any host <remote-public-ip> and esp
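To make the "outgoing but no incoming ESP" check from the trace repeatable, here is a small added script (not part of the original post) that counts ESP packets per direction for a given peer. The input lines are constructed in the style of the FortiGate sniffer output at verbosity 4 with absolute timestamps; the field layout is an assumption, so adjust the regular expression if your firewall prints the trace differently.

```python
import re

# Constructed sample capture in the style of
# `diagnose sniffer packet any "host <peer> and esp" 4 0 a`.
# Peer 198.51.100.20 exchanges ESP in both directions (healthy tunnel).
# Peer 192.0.2.77 only receives our ESP and never answers (the symptom described in this post).
SAMPLE = """\
2024-03-01 09:15:01.100120 wan1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x101)
2024-03-01 09:15:01.130455 wan1 in 198.51.100.20 -> 203.0.113.10: ESP(spi=0x7e7f8081,seq=0x0f2)
2024-03-01 09:15:02.100301 wan1 out 203.0.113.10 -> 192.0.2.77: ESP(spi=0x11223344,seq=0x2a)
2024-03-01 09:15:02.100922 wan1 out 203.0.113.10 -> 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x102)
2024-03-01 09:15:03.100540 wan1 out 203.0.113.10 -> 192.0.2.77: ESP(spi=0x11223344,seq=0x2b)
2024-03-01 09:15:03.400011 wan1 in 198.51.100.20 -> 203.0.113.10: ESP(spi=0x7e7f8081,seq=0x0f3)
"""

# Assumed line layout: "<date> <time> <interface> <in|out> <src> -> <dst>: ESP(spi=0x..,seq=0x..)"
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<ifname>\S+) (?P<dir>in|out) (?P<src>[\d.]+) -> (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=0x[0-9a-f]+\)"
)


def esp_counts(capture, peer):
    """Count ESP packets sent to and received from `peer` in the trace text."""
    counts = {"in": 0, "out": 0}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-ESP or unparseable line, ignore
        if m["dir"] == "out" and m["dst"] == peer:
            counts["out"] += 1
        elif m["dir"] == "in" and m["src"] == peer:
            counts["in"] += 1
    return counts


def verdict(capture, peer):
    """Classify the tunnel to `peer`: ok, one-way-out, one-way-in or no-esp."""
    c = esp_counts(capture, peer)
    if c["in"] == 0 and c["out"] == 0:
        return "no-esp"          # nothing captured for this peer at all
    if c["out"] > 0 and c["in"] == 0:
        return "one-way-out"     # we send ESP, nothing comes back: the symptom from this post
    if c["in"] > 0 and c["out"] == 0:
        return "one-way-in"      # the remote side is likely the affected one
    return "ok"


if __name__ == "__main__":
    for peer in ("198.51.100.20", "192.0.2.77"):
        print(peer, esp_counts(SAMPLE, peer), verdict(SAMPLE, peer))
```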

Temporary solution

  • Reboot the firewall
  • Reboot the router
  • Enforce or enable NAT-Traversal

How to disable the IPSec feature on a Swisscom router

We found that this issue may be related to the enabled peer-to-peer VPN function on the Swisscom router.
You can disable the function for test purposes as follows:

As soon as the function is disabled and the router is rebooted, the problem is resolved.

Please note that this workaround (disabling the VPN feature) has to be applied on both sides of the tunnel. Also, the VPN feature may be enabled again after a firmware upgrade on Swisscom routers.

Please note that other router models may be affected by this issue as well and we are simply not yet aware of it. Please let us know in the comments if you experience similar issues with your setup.

If the problem is still not solved after disabling the VPN feature on your router, have a look at our blog post "Fortigate S2S-Dialup VPN – Traffic does not run through IPsec tunnel anymore".
