We observed a pike in problems with IPSec VPN tunnels lately.
The following symptoms are very typical to identify this problem
- The IPSEC Tunnel is up, but no or only one-way traffic flow is going through the tunnel.
- If there are multiple VPN tunnels set up, only one or a few of all the tunnels may be affected.
- The problem is highly sporadic.
- The problem is not related to a firewall vendor.
- Internet line is provides by Swisscom with a Business DLS modem. Known as Smart BCON or SBCON.
- Also, modems from Fritzbox! and UPC or Sunrise were affected in some cases.
How to check if you are affected by this issue
For a first overview, you can check the Outgoing and Incoming Data counter on the Firewall. You can see there, that one of the counters is not incrementing anymore:
For a more reliable troubleshooting, you can do a packet trace on both sides of the VPN tunnel. You should see incoming and outgoing ESP packets. If you only see outgoing but no incoming ESP packets, you are probably affected by this issue.
FortiGate CLI command
126.96.36.199 should be replaced by the remote public IP terminating the VPN tunnel.
# Temporarily disable the hardware acceleration # Please note disabling NP will cause the tunnel to flap config vpn ipsec phase1-interface edit phase-1-name set npu-offload disable end # Capture the ESP packets diagnose sniffer packet any "host 188.8.131.52 and esp" 4 0 a # Turn the hardware acceleration back on config vpn ipsec phase1-interface edit phase-1-name unset npu-offload end
WatchGuard Diagnostic Task > TCP Dump
Replace 184.108.40.206 by the remote public IP terminating the VPN tunnel.
Enable Advanced Options > -i any host 220.127.116.11 and esp
- Reboot the firewall
- Reboot the router
- Enforce or enable NAT-Traversal
How to disable the IPSec feature on a Swisscom router
We found out that this issue could be related to the enabled Peer-to-Peer VPN function on the Swisscom router.
You can disable the function for test purposes as follow:
As soon as the function is disabled and the router is rebooted, the problem is resolved.
Please note, that the solution (disabling the VPN feature) has to be implemented on both sides of the tunnel. Also, the VPN feature could be enabled again after a firmware upgrade on Swisscom routers.
Please note, that it also may possible that other router models are affected by this issue and we are just not yet aware of it. Please let us knowin the comments if you experience similar issues with your setup.
If the problem is still not solved after disabling the VPN feature on your router, you may have a look into our Blog Post Fortigate S2S-Dialup VPN – Traffic does not run through IPsec tunnel anymore.