Author Topic: Peer Status Down with IPsec

Emmanuel Andry

  • VIP
  • Member
  • Posts: 4
Peer Status Down with IPsec
« on: February 03, 2016, 10:08:22 AM »
Hi there,

I have 2 sites connected via IPsec through 2 Arkoon firewalls.
On the main site, the Wanos and the Arkoon firewall are VMware appliances.

LAN1 --> WANOS(virt) --> ArkoonFW(virt) <---------IPSEC Tunnel--------> Arkoon <-- Wanos <-- Lan2

The fact is that the traffic between LANs works, QoS works, but the 2 appliances (IP 192.168.1.253 and 192.168.2.254) just don't communicate with each other.
I can ping and SSH from each peer to the other; everything works except the encapsulation (tried both IPComp and UDP).

Example of tcpdump from the main one:
# tcpdump -i wan0 |grep IPComp
tcpdump: WARNING: wan0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wan0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:45:52.009448 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:45:52.901770 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc800)
10:45:57.009477 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:02.009487 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:04.866376 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc800)
10:46:07.009489 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:12.009502 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:32.009580 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:37.009598 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:42.009612 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:47.009631 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:46:52.009726 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:02.009771 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:07.009787 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:12.009809 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:17.177163 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:22.177053 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:47:27.177077 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
...

It seems that the IPComp packets are sent to the other peer, but there is no trace of them on the Arkoon firewall 192.168.1.254 (tcpdump is quiet on the Arkoon).

It looks like the peer knows the gateway, except when relaying the encapsulation...

My logs seem fine; I don't really know where to look to fix it...

Help really needed!
lmolina

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 24
Re: Peer Status Down with IPsec
« Reply #1 on: February 03, 2016, 11:29:35 AM »
Greetings!

We are here to assist. Have you received an email from Antonie? He put in some common things to look at, but we can also troubleshoot via TeamViewer. Feel free to reply to the email with your TeamViewer ID and password so we can have a session.


Best regards,
MCP

Note: Forum posts may be outdated. Please see wanos.co/docs for more recent info.

ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 625
Re: Peer Status Down with IPsec
« Reply #2 on: February 03, 2016, 11:59:47 AM »
Hi,

OK, tcpdump shows the packets are going out, but nothing seems to be received from the remote site?

If the peers are not up with either IPComp or UDP, then I think one of the ends' lan0/wan0 could be swapped around. This can be verified with the MAC.
Or traffic is not flowing through the bridge in both directions. This can be verified with the interface graphs/tcpdump.
Lastly, also double-check Diagnostics -> Health Check to see if the "wan0 gateway" is "Ok".
CCIE RS, CCIE SP, Mnet&sys

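The second check above (is encapsulated traffic flowing in both directions, or only leaving this peer?) can be answered from a tcpdump capture rather than by eye. The script below is an added example, not code from this thread or from Wanos: it parses tcpdump "IP" summary lines for IPComp and UDP packets between two peer addresses, counts them per direction, and labels the result. The capture text is constructed to match the shape of the original post's output (the one-way case) plus a constructed healthy two-way case; the UDP port 4050 and the verdict strings are assumptions of this example, not Wanos defaults.

```python
import re
from collections import Counter

# tcpdump "IP" summary line: <timestamp> IP <src>[.port] > <dst>[.port]: <proto> ...
# Matches the IPComp lines from the post and UDP lines (which carry ports).
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<proto>IPComp|UDP)"
)


def classify_peer_traffic(capture: str, local_ip: str, peer_ip: str) -> dict:
    """Count encapsulated (IPComp/UDP) packets between two peers per direction.

    Non-packet lines (tcpdump warnings, 'listening on ...') and traffic
    involving other hosts are ignored. Verdicts (this example's own labels):
      'two-way'  both peers' packets are seen on the captured interface
      'one-way'  only one side's packets are seen (nothing returns)
      'silent'   no encapsulated traffic between the two peers at all
    """
    directions = Counter()
    protocols = Counter()
    for raw in capture.splitlines():
        m = TCPDUMP_LINE.match(raw.strip())
        if not m:
            continue  # header/warning line or unparseable -> skip
        src, dst = m.group("src"), m.group("dst")
        if (src, dst) == (local_ip, peer_ip):
            directions["outbound"] += 1
        elif (src, dst) == (peer_ip, local_ip):
            directions["inbound"] += 1
        else:
            continue  # some other host pair, not our peer relationship
        protocols[m.group("proto")] += 1

    if directions["outbound"] and directions["inbound"]:
        verdict = "two-way"
    elif directions["outbound"] or directions["inbound"]:
        verdict = "one-way"
    else:
        verdict = "silent"

    return {
        "outbound": directions["outbound"],
        "inbound": directions["inbound"],
        "protocols": dict(protocols),
        "verdict": verdict,
    }


# Constructed sample: same shape as the post's output, including the header
# lines tcpdump prints before the first packet. Only our own packets appear.
ONE_WAY_CAPTURE = """\
tcpdump: WARNING: wan0: no IPv4 address assigned
listening on wan0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:45:52.009448 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:45:52.901770 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc800)
10:45:57.009477 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
"""

# Constructed healthy sample for contrast: replies arrive from the remote peer
# (UDP encapsulation here; port 4050 is an arbitrary value for the example).
TWO_WAY_CAPTURE = """\
10:45:52.009448 IP 192.168.1.253.4050 > 192.168.2.253.4050: UDP, length 1400
10:45:52.011002 IP 192.168.2.253.4050 > 192.168.1.253.4050: UDP, length 1400
10:45:57.009477 IP 192.168.1.253 > 192.168.2.253: IPComp(cpi=0xc900)
10:45:57.010911 IP 192.168.2.253 > 192.168.1.253: IPComp(cpi=0xc900)
"""

if __name__ == "__main__":
    for name, cap in (("one-way sample", ONE_WAY_CAPTURE), ("two-way sample", TWO_WAY_CAPTURE)):
        print(name, classify_peer_traffic(cap, "192.168.1.253", "192.168.2.253"))
```

Run it against a real capture with something like `tcpdump -nn -i wan0 host <peer> > cap.txt` on each peer and feed the file to `classify_peer_traffic`. A "one-way" verdict on wan0 of both peers is exactly the symptom this thread ends up diagnosing: each side transmits, nothing arrives, which points at the interface roles or the bridge path rather than at the IPsec tunnel itself.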

Emmanuel Andry

  • VIP
  • Member
  • Posts: 4
Re: Peer Status Down with IPsec
« Reply #3 on: February 03, 2016, 01:18:14 PM »
Thanks for your replies !

I can have some time later for a TeamViewer session, but not now.
In Health Check, the wan gateway status is empty on both peers.
I thought about the NICs needing to be swapped, but since I'm a 1-hour drive from the site, I'd like to be sure it can be done without breaking the bridge (it's a real-conditions test on my customer's site), which would lead to no internet and no remote sites.

I thought that when the NICs were swapped, the message "peer on lan0" or something like that was displayed.

But just confirm that interface swapping is harmless, and I'll try it to be sure it's not the problem.


ahenning

  • Team Wanos
  • Administrator
  • Full Member
  • Posts: 625
Re: Peer Status Down with IPsec
« Reply #4 on: February 03, 2016, 01:27:04 PM »
Hi,

Yes, swapping the interface port roles under "Network Stats" should not affect traffic for more than 5 seconds. Optimization could possibly start immediately after the change, so it might be a good idea to do it in a change control window.

Because both wan0 gateway health checks are blank, it seems both sides are likely lan/wan back to front, i.e. wan0-lan0 <---> lan0-wan0. This would explain why neither side detects the peer on the LAN side. When wan0 is set and found on the wan0 network side, where the other peers are to be detected, the health check will say "Ok".
CCIE RS, CCIE SP, Mnet&sys


Emmanuel Andry

  • VIP
  • Member
  • Posts: 4
Re: Peer Status Down with IPsec
« Reply #5 on: February 03, 2016, 01:42:03 PM »
NIC swapping on both sites fixed the problem...
I should have asked this yesterday!

Thanks for your great support.