All traffic is redirected to tunnel

We are experiencing a lot of problems with RUT-951 routers from firmware RUT9M_R_00.07.06.3

The specific routers are equipped with the above firmware version and with a 4G SIM card. They are using an IPSec tunnel. When the failover is triggered due to the fact that the 4G connection is lost/renewed, all traffic is redirected into the tunnel, which results in the devices within the LAN losing their internet connection. At that moment, the devices are going offline and the NFC terminals cannot get a connection with their payment host. This results in an out of order situation for our payment terminals. The only way to resolve this is to reboot the router.
Is this a known issue? What can we do to avoid this situation? A default route is configured with the IPSec configuration. We didn’t have any problem with previous firmware versions.

Hello,

Thank you for your question.

Is it correct that your default traffic is going only over the tunnel? I believe only a specified range of addresses should go over the tunnel, not 0.0.0.0/0, which obviously forces all traffic to go over the tunnel. Or maybe your case is designed to go over the tunnel for internet and so on?

Please share the routing information with me: execute the command route -n and send the results to me.

Also, I would recommend that you update to 07.06.10, which may resolve the problem: RUT951 Firmware Downloads - Teltonika Networks Wiki (teltonika-networks.com)

Kind Regards

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     4      0        0 qmimux0
10.198.23.96    0.0.0.0         255.255.255.224 U     1      0        0 br-lan
178.145.4.151   0.0.0.0         255.255.255.255 UH    4      0

I have updated the routers which experience the problem to the most recent firmware but still see the same problem. It looks like the problem is less frequent, but due to a renewal of the 4G connection, the router starts to route all traffic into the tunnel. After a reboot of the router, it’s normal again. We need a permanent solution. What do you suggest?

Hi,

From your route information, I see that it is fine at the current moment. It would be better to list routes when the issue appears, but anyway, I would ask you to download the troubleshoot file from the device and share it with me.
I will share with you instructions on how to share data with me.

You can download the troubleshoot file from the device here:
System->Maintenance->Troubleshoot

Kind Regards

Hi Yevhenii,

It’s not clear to me how I can share data with you. I have filled in the form but I wasn’t able to add the data.

So you tried to send the file, and what happened? Did the file not upload, or did another problem appear?

Kind regards

Hi @Tomvr,

You should have received an email in your inbox. Please respond to it and attach the troubleshoot file.

Best regards,
Marijus

Hi Marijus, I have already replied to your email and filled in the ‘Teltonika community request for private communication’ but no-one has reached out yet. Not sure what more I can do.
I do have the troubleshoot file ready.

Hi Marijus, I receive an ‘Undeliverable’ response when I reply to your email. Any other suggestions?

mx07-001ce401.pphosted.com rejected your message to the following email addresses:

Community Networks (community-networks@teltonika.lt)
Your message wasn’t delivered because the recipient’s email provider rejected it.

Hello,

I’ve resent the email to you. Please double-check if you received it and reply with the troubleshoot file attached.

Kind regards,
Marijus

Hi Marijus, I just made my 3rd attempt to reply to your email but still get an undeliverable response. Can you provide me a support email address?

Hi,

I have sent you multiple emails with only a single “out of office” response. Please check your spam or other inboxes.

Best regards,

Marijus

I did receive all your emails and replied to them, but I do have the idea that the emails are not getting to you. Do you have a support email address which I can use to provide you the troubleshoot logging?

Hi,

You can try contacting us directly at https://teltonika-networks.com/ via the “Contact Us” form. As a reference, you can supply a link to this forum post.

Best regards,

Marijus

Hi, @Tomvr

I have received your troubleshoot file:

Thu Apr 11 07:23:25 2024 local0.notice vpn: + 13.94.140.80 10.199.0.0/24 == 13.94.140.80 – 37.184.253.208 == 10.198.23.64/27
Thu Apr 11 07:23:25 2024 daemon.info ipsec: 09[ENC] <toAzure-toAzure_c|1> generating QUICK_MODE request 760803930 [ HASH ]
Thu Apr 11 07:23:25 2024 daemon.info ipsec: 09[NET] <toAzure-toAzure_c|1> sending packet: from 37.184.253.208[4500] to 13.94.140.80[4500] (60 bytes)
Thu Apr 11 07:23:32 2024 daemon.info dnsmasq[5099]: read /etc/hosts - 4 addresses
Thu Apr 11 07:23:32 2024 daemon.info dnsmasq[5099]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
Thu Apr 11 07:23:35 2024 kern.info Mobile data connected (internal modem)
Thu Apr 11 07:23:35 2024 kern.info Joined LTE network (internal modem)
Thu Apr 11 07:23:35 2024 kern.info Connected to Proximus operator (internal modem)
Thu Apr 11 07:23:49 2024 kern.notice Password auth succeeded for admin on HTTPS from 10.199.0.4
Thu Apr 11 07:23:49 2024 daemon.err uhttpd[2446]: vuci: accepted login for admin from 10.199.0.4
Thu Apr 11 07:23:54 2024 daemon.info procd: - init complete -
Thu Apr 11 07:23:55 2024 daemon.info dfota[6437]: Searching for WAN…
Thu Apr 11 07:23:55 2024 daemon.info dfota[6437]: WAN found on interface: mob1s1a1_4
Thu Apr 11 07:23:55 2024 daemon.info dfota[6437]: Preparing for gsm.modem0 update!
Thu Apr 11 07:23:55 2024 daemon.info dfota[6437]: Searching for updates…
Thu Apr 11 07:23:56 2024 daemon.info dfota[6437]: No update found!

From the logs I see that after initialization of IPSEC, the WAN port is detected with mob1s1a1_4 - physical interface, but:
Thu Apr 11 07:30:23 2024 user.info mwan3track[3486]: Check (ping) failed for target “1.1.1.1” on interface mob1s1a1 (qmimux0). Current score: 6

And here the ping is trying to run over mob1s1a1. Did you configure any additional interfaces?

Go to Status->Routes->Static
And make a screenshot like mine:

Both in the normal state, when the internet is accessible, and when your devices behind the LAN network can’t reach the internet, because from the current perspective it looks fine except for interface mob1s1a1_4, so I need to see the difference between these 2 states

What is the meaning of (qmimux0)?

Hi, I have the same problem with IPSec and remote peer subnet 0.0.0.0/0 as well. I have a RUTX50 with the latest firmware.
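
The difference between a specific remote subnet and 0.0.0.0/0 that comes up in this thread, as an added example that is not part of any post and is not Teltonika code. It is a simplified model of policy-based IPsec in which a matching traffic selector takes the packet and everything else follows the routing table; the function names, the `FULL` selector variant and the LAN host address are assumptions made for illustration, while the route rows and the `SPLIT` selectors are taken from the thread.

```python
import ipaddress

# Data rows of the `route -n` output posted in the thread (truncated row omitted).
ROUTE_N = """\
0.0.0.0 0.0.0.0 0.0.0.0 U 4 0 0 qmimux0
10.198.23.96 0.0.0.0 255.255.255.224 U 1 0 0 br-lan
"""
# (local, remote) selectors from the thread's "vpn:" log line.
SPLIT = [("10.198.23.64/27", "10.199.0.0/24")]
# Same tunnel with the remote subnet widened to 0.0.0.0/0 (constructed variant).
FULL = [("10.198.23.64/27", "0.0.0.0/0")]

def parse_routes(text):
    """Return [(network, metric, iface)] from `route -n` data rows."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip header and truncated rows
        prefix = bin(int(ipaddress.ip_address(f[2]))).count("1")
        routes.append((ipaddress.ip_network(f"{f[0]}/{prefix}"), int(f[4]), f[7]))
    return routes

def route_lookup(routes, dst):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r[0]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r[0].prefixlen, r[1]))[2]

def egress(routes, selectors, src, dst):
    """Simplified model: a matching IPsec policy wins over the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in selectors:
        if s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote):
            return "ipsec"
    return route_lookup(routes, dst)

if __name__ == "__main__":
    routes = parse_routes(ROUTE_N)
    lan_host = "10.198.23.70"  # constructed host inside the local selector
    for name, sel in (("split", SPLIT), ("full", FULL)):
        for dst in ("10.199.0.4", "1.1.1.1"):
            print(name, dst, "->", egress(routes, sel, lan_host, dst))
```

The routing table passed in is identical in both cases; only the selectors differ, and `route -n` prints the main routing table, not IPsec policies.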