VPN Site to Site traffic stops

a week ago - last edited a week ago
Model: ER7206 (TL-ER7206)
Hardware Version: V2
Firmware Version: 2.2.0 Build 20250218 Rel.17499

Using the Omada software controller, I've set up an IPsec / IKEv2 Site to Site VPN.

Omada ER7206 is the Responder;

A Draytek Vigor router - on VDSL - is the initiator.

The VPN connects and works perfectly as expected, but then randomly just stops routing traffic between LAN clients ('local' ER7206 to Remote).

When inter-LAN traffic stops, the remote LAN can still ping the Omada gateway LAN IP Address but not beyond to anything behind it.

The Omada LAN can ping the remote LAN gateway (Draytek IP) and beyond.

The VPN is set up to Route not NAT.

If I drop and reconnect the VPN, it starts working as expected again.

There is no indication at either end of any issues or drop of the VPN. It is random and can occur any time between 1/2 hour and several hours. I can't reproduce it at will.

Any thoughts on causes or where to look for such issues/logs etc?

Thanks,

Klaus
#1

Accepted Solution
Re:VPN Site to Site traffic stops-Solution
a week ago - last edited a week ago

I may have found the issue and a solution (for some).
Noticed a duplicate connection from one site displaying the routing issue:

It would seem that the Draytek (as the initiator), for some reason, 'thought' the link was down and started another tunnel;

The Omada end accepted that 2nd tunnel without the first dropping;

Thus, a routing issue - e.g. which way out!

My solution to get around that was to reverse the establishment process: change Omada to Initiator and Draytek to accept Dial In.

Fortunately, I have all static public IPs.

That's been up and working as expected for some time now.
#5
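The failure state described in the accepted solution is two IKE SAs to the same peer, both carrying the same traffic selectors, alive at the same time on the responder. The script below is an added illustration of how to spot that state from a gateway's IKE log; it is not code from this thread, from Omada or from Draytek. The sample lines are constructed in the style of a strongSwan charon log (an assumed format; the ER7206 itself does not expose such a log), and the peer addresses, connection name and SPIs are invented. The same replay logic applies to any IKE daemon once the three regexes are adapted to its message format.

```python
import re
from collections import defaultdict

# Constructed sample log, strongSwan charon style (not from the ER7206 or the Draytek).
# The initiator brings up a second IKE_SA at 11:37 while the first is still alive.
SAMPLE_LOG_DUPLICATE = """\
10:01:02 charon: 05[IKE] IKE_SA site-b[1] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
10:01:02 charon: 05[IKE] CHILD_SA site-b{1} established with SPIs c0a8f001_i 0b1c2d3e_o and TS 10.0.1.0/24 === 10.0.2.0/24
11:37:45 charon: 09[IKE] IKE_SA site-b[2] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
11:37:45 charon: 09[IKE] CHILD_SA site-b{2} established with SPIs c0a8f002_i 4f5e6d7c_o and TS 10.0.1.0/24 === 10.0.2.0/24
"""

# Same sequence, but the responder tears down the old IKE_SA before the new one comes up.
SAMPLE_LOG_REPLACED = """\
10:01:02 charon: 05[IKE] IKE_SA site-b[1] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
10:01:02 charon: 05[IKE] CHILD_SA site-b{1} established with SPIs c0a8f001_i 0b1c2d3e_o and TS 10.0.1.0/24 === 10.0.2.0/24
11:37:44 charon: 09[IKE] deleting IKE_SA site-b[1] between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
11:37:45 charon: 09[IKE] IKE_SA site-b[2] established between 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
11:37:45 charon: 09[IKE] CHILD_SA site-b{2} established with SPIs c0a8f002_i 4f5e6d7c_o and TS 10.0.1.0/24 === 10.0.2.0/24
"""

IKE_UP = re.compile(r"IKE_SA (?P<name>\S+)\[(?P<id>\d+)\] established between "
                    r"(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[")
IKE_DOWN = re.compile(r"deleting IKE_SA (?P<name>\S+)\[(?P<id>\d+)\]")
CHILD_UP = re.compile(r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established with SPIs "
                      r"\S+ \S+ and TS (?P<ts>.+)$")


def parse_events(log_text):
    """Turn charon-style lines into an ordered list of (kind, fields) tuples."""
    events = []
    for line in log_text.splitlines():
        if m := IKE_UP.search(line):
            events.append(("ike_up", m.groupdict()))
        elif m := IKE_DOWN.search(line):
            events.append(("ike_down", m.groupdict()))
        elif m := CHILD_UP.search(line):
            events.append(("child_up", m.groupdict()))
    return events


def live_tunnels(events):
    """Replay the events and return {remote_peer: [(ike_id, [traffic selectors]), ...]}
    for IKE_SAs that are still up at the end of the log."""
    live = {}       # (conn name, ike id) -> {"remote": peer address, "ts": [selectors]}
    last_ike = {}   # conn name -> id of the most recently established IKE_SA
    for kind, f in events:
        key = (f["name"], f["id"])
        if kind == "ike_up":
            live[key] = {"remote": f["remote"], "ts": []}
            last_ike[f["name"]] = f["id"]
        elif kind == "ike_down":
            live.pop(key, None)
        elif kind == "child_up":
            # charon logs a CHILD_SA right after its parent IKE_SA, so attach it there
            parent = (f["name"], last_ike.get(f["name"]))
            if parent in live:
                live[parent]["ts"].append(f["ts"].strip())
    by_peer = defaultdict(list)
    for (_, ike_id), info in live.items():
        by_peer[info["remote"]].append((ike_id, info["ts"]))
    return dict(by_peer)


def duplicate_tunnels(events):
    """Peers that have more than one live IKE_SA carrying the same traffic selectors:
    {peer: {selector: [ike ids]}}. Empty when every selector is served by one SA."""
    dupes = {}
    for peer, sas in live_tunnels(events).items():
        seen = defaultdict(list)
        for ike_id, ts_list in sas:
            for ts in ts_list:
                seen[ts].append(ike_id)
        overlap = {ts: ids for ts, ids in seen.items() if len(ids) > 1}
        if overlap:
            dupes[peer] = overlap
    return dupes


if __name__ == "__main__":
    for label, log in (("duplicate", SAMPLE_LOG_DUPLICATE), ("replaced", SAMPLE_LOG_REPLACED)):
        print(label, duplicate_tunnels(parse_events(log)))
```

Run against the first sample the script reports the peer 198.51.100.5 with two IKE SAs (ids 1 and 2) for the selector pair 10.0.1.0/24 === 10.0.2.0/24, which is exactly the "which way out" ambiguity the post describes; against the second sample, where the stale SA is deleted first, it reports nothing. On a gateway that exposes its IKE log this is a cheap thing to run from cron and alert on, independent of whichever side ends up as initiator.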

Re:VPN Site to Site traffic stops
a week ago

Hi @Kadybee 

Thanks for posting in our business forum.

So, nothing has been changed lately on either side and this becomes noticeable?

Can you draw one for the community about your diagram?

Config screenshots as well.

It would be totally strange if you said it has no changes on both sites or the diagram and it suddenly becomes like this.

 

Please mosaic your sensitive information. Here is a list of information considered sensitive:

1. Public IP address on your WAN if your WAN is.

2. Real MAC address of your device.

3. Your personal information including address, domain name, and credentials.

For troubleshooting purposes, when a WAN IP is needed, please leave some values visible for identification.

#2

Re:VPN Site to Site traffic stops
a week ago

@Kadybee

I have experienced similar issues with Draytek routers being the dialling VPN initiator into TP-Link routers. I would see DPD failures at random, strange connectivity like you are seeing etc.

If I remember right, I was able to mostly resolve it by changing the IPsec phase 1 and 2 encryptions to the "lowest" settings the Draytek supported and changing the DPD timeout. But I never fully resolved it.

Since I switched to TP-Link at the remote site, the VPN is never problematic. I think it's a Draytek issue.

Main: ER8411 x1, SG3428X x1, SG3452 x1, SG2428LP x1, SG3210 x1, SG2218P x1, SG2008P x1, ES205G x2, EAP650 x6 Remotes: ER605 v2 x3, SG2008P x2, EAP650 x2 VPN Server: ER7206 v2 Controller: OC300
#3

Re:VPN Site to Site traffic stops
a week ago

@GRL

Thanks for that confirmation. I suspected as much, as the TP-Link Omada based sites' VPNs are as solid as. The only reason I went with the existing Drayteks was the VDSL connection and the lack of Omada in that. Will switch the Drayteks to bridge mode I guess and see where that takes me.

#4