RUT950 - IPSec Connection from a network device disconnected after a time

Hello,

I have got a RUT950 device with a network device on the LAN side, which uses an IPsec connection for secure communication.
At the beginning all is fine; after some time the connection is disconnected. I can't see any traffic from the RUT950; there are no more requests from the router on the WAN side.

After restarting the router, the error is resolved, but only for a short time.

What can I do for troubleshooting? What diagnosis and analysis options are there on the router to find the cause? Or is there a known bug?

I used the newest firmware version: RUT9XX_R_00.07.04.05

Hello,

Please ensure that the ‘IKE Lifetime’ and ‘Lifetime’ in both Phase 1 and Phase 2 settings for IPSec are identical to the values on the other device you’re using to create the IPSec connection. It’s important that these settings match on both devices. Keep in mind that you can specify the lifetime using the ‘h’ notation for hours.

You can also enable DPD in IPSec → Connection settings → Advanced settings tab → Dead peer detection.

Let me know if this fixes your issue.

Kind Regards,

Hello AndzejJ,

Thanks for your answer. I have no IPsec connection to the router itself! Is your answer also applicable?

The LAN device connects with IPsec to a server on the wwan0 interface side. I have made a tcpdump. I see the request on the LAN side, but not on wwan0!!! After the request the router answers with ICMP net IP unreachable. The connection is still okay, I can ping other servers etc. After reboot all is fine.

Hello,

If you’re not using IPSec directly on the router, you don’t have to make changes there.

Could you try modifying these IKE lifetimes on your LAN device and server?

Do you have any logs related to IPSec from your devices?

Is it just the IPSec that has this issue? Is internet working fine?

Additionally, please see if there’s a pattern to how often this issue occurs. Does it happen randomly, or does it happen at specific time intervals, like every 30 minutes?

Kind Regards,

Dear AndzejJ,

I've made a tcpdump. On the LAN side I see the IPsec request for initialization. But the router answers with ICMP net IP unreachable. Why? On the wwan0 interface side there are no packets from the router. Why does the router block the traffic request?

After rebooting the router, all is fine. But only for a little time!

Hello,

By default, all traffic from LAN to WAN is allowed. Could you please provide more details about your configurations and network? Did you make any changes to the configurations?

Also, did you update the firmware recently? If you updated recently, could you please try restoring the device to factory defaults in System → Backup? This would eliminate any potential issues that could have occurred during the firmware update.

Kind Regards,

Yes, I updated to the newest firmware. When I reset to factory settings, I lose the remote SSH access, right?
Which information about the network and configuration is helpful for you?

Hello,

Yes, the remote SSH access will be lost.

Configurations related to network interfaces, failover, firewall, as well as routes (‘route -n’ command) for now. Before posting, make sure to hide any sensitive information, such as public IP addresses. Also, it would be great if you could check logs from System → Administration → Troubleshoot → ‘View’ system logs. Are there any errors or anything interesting that happens around the time when the connection is lost?

Kind Regards,

The connection was lost at 13:07:30.
System log:
Thu Aug 31 13:00:00 2023 cron.err crond[4301]: USER root pid 19769 cmd /etc/init.d/rut_fota start
Thu Aug 31 13:00:01 2023 cron.err crond[19829]: crond (busybox 1.34.1) started, log level 5
Thu Aug 31 13:08:17 2023 kern.info kernel: [10000.405175] device br-lan left promiscuous mode
Thu Aug 31 13:08:24 2023 kern.info kernel: [10006.989609] device br-lan entered promiscuous mode
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 37 ::1/40140 query[PTR] 1.1.168.192.in-addr.arpa from ::1
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 37 ::1/40140 /tmp/hosts/dhcp.cfg01411c 192.168.1.1 is Teltonika-RUT950.com
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 38 127.0.0.1/40140 query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 38 127.0.0.1/40140 /tmp/hosts/dhcp.cfg01411c 192.168.1.1 is Teltonika-RUT950.com
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 39 ::1/46211 query[PTR] 90.1.168.192.in-addr.arpa from ::1
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 39 ::1/46211 config 192.168.1.90 is NXDOMAIN
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 40 127.0.0.1/46211 query[PTR] 90.1.168.192.in-addr.arpa from 127.0.0.1
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 40 127.0.0.1/46211 config 192.168.1.90 is NXDOMAIN
Thu Aug 31 13:08:28 2023 daemon.info dnsmasq[3347]: 41 ::1/56201 query[PTR] 42.2.0.10.in-addr.arpa from ::1
Thu Aug 31 13:08:28 2023 daemon.info dnsmasq[3347]: 41 ::1/56201 config 10.0.2.42 is NXDOMAIN
Thu Aug 31 13:08:28 2023 daemon.info dnsmasq[3347]: 42 127.0.0.1/56201 query[PTR] 42.2.0.10.in-addr.arpa from 127.0.0.1
Thu Aug 31 13:08:28 2023 daemon.info dnsmasq[3347]: 42 127.0.0.1/56201 config 10.0.2.42 is NXDOMAIN

It seems as if the router is no longer forwarding all UDP packets. TCP works.
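Triage of a system log excerpt around the moment the tunnel dropped, as an added example that is not part of this thread or of Teltonika's tooling. It parses the busybox syslog format shown above, keeps the entries within a window of the loss time, counts the event types a troubleshooter would look at first (NXDOMAIN replies, bridge interface mode changes, the FOTA cron job) and reports how long the log stays silent after the loss; the flag patterns and the sample lines are constructed assumptions modelled on the posted log, not vendor rules.

```python
import re
from datetime import datetime, timedelta

# Busybox syslog line as shown in the RUT950 system log, e.g.
#   "Thu Aug 31 13:08:17 2023 kern.info kernel: [10000.405175] device br-lan left promiscuous mode"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<facility>[a-z0-9]+)\.(?P<level>[a-z]+) "
    r"(?P<proc>[^:]+): (?P<msg>.*)$"
)

# Heuristic patterns to flag when a LAN-to-WAN tunnel stops (assumed, not vendor-defined).
FLAGS = {
    "dns_nxdomain": re.compile(r"\bNXDOMAIN\b"),
    "iface_change": re.compile(r"(entered|left) promiscuous mode|link (is )?(up|down)", re.I),
    "fota": re.compile(r"rut_fota"),
}

# Constructed sample modelled on the log posted above (values are illustrative).
SAMPLE_LOG = """\
Thu Aug 31 13:00:00 2023 cron.err crond[4301]: USER root pid 19769 cmd /etc/init.d/rut_fota start
Thu Aug 31 13:08:17 2023 kern.info kernel: [10000.405175] device br-lan left promiscuous mode
Thu Aug 31 13:08:26 2023 daemon.info dnsmasq[3347]: 39 ::1/46211 config 192.168.1.90 is NXDOMAIN
Thu Aug 31 13:08:28 2023 daemon.info dnsmasq[3347]: 41 ::1/56201 config 10.0.2.42 is NXDOMAIN
"""
LOST_AT = datetime(2023, 8, 31, 13, 7, 30)  # time the poster saw the tunnel drop

def parse_syslog(text):
    """Parse syslog text into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        records.append({"ts": ts, "facility": m["facility"], "level": m["level"],
                        "proc": m["proc"], "msg": m["msg"]})
    return records

def events_around(records, lost_at, window=timedelta(minutes=10)):
    """Return records within +/- window of the time the connection was lost."""
    return [r for r in records if abs(r["ts"] - lost_at) <= window]

def triage(records, lost_at, window=timedelta(minutes=10)):
    """Count flagged events in the window and measure the log silence after the loss."""
    nearby = events_around(records, lost_at, window)
    counts = {name: sum(1 for r in nearby if pat.search(r["msg"])) for name, pat in FLAGS.items()}
    after = [r["ts"] for r in nearby if r["ts"] >= lost_at]
    counts["silence_s"] = int((min(after) - lost_at).total_seconds()) if after else None
    return counts

if __name__ == "__main__":
    print(triage(parse_syslog(SAMPLE_LOG), LOST_AT))
```

Run it against the full exported log with the real loss time; a high NXDOMAIN count right after the drop points at resolution rather than IPsec itself, which matches the fix reported later in this thread.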

Hello,

The logs are fine. Though if the issue is related to DNS, you can try specifying a different DNS server. For this, navigate to Network → Interfaces → edit LAN and add custom DNS servers. For example, 8.8.8.8 and 1.1.1.1. Check if that resolves the issue.

I would also suggest restoring the device whenever you will have the opportunity.

Also, if you are using the public IP of RUT950 to SSH into it, you can enable remote SSH via SMS message:

admin01 sshon

You can also change APN via:

admin01 cellular apn=yourapn

or

uci set network.mob1s1a1.apn=yourapn

Where admin01 is your WebUI password.

Kind Regards,

Hello,

I have set the DNS IP and the problem was fixed. Why does it work for a while and then suddenly it doesn't work anymore?

Under advanced DHCP option 6, we have set our own DNS IP address. The network device has a fixed IP; it doesn't use DHCP. Should I also set the DNS server in the LAN settings?

Hello,

It is possible that the IP address of the other device is dynamic. It is hard to say without knowing your network setup and configurations.

DHCP option 6 pushes DNS server to the DHCP client, while DNS server configured on the LAN is used to resolve DNS queries (DNS is pointing towards RUT on end devices in this case).

It seems that you have fixed the issue. Hence, I do not think that there is a need to set a custom DNS on LAN. However, if you run into the same or similar issue again, I would suggest you try setting DNS on LAN.

Kind Regards,

I will observe how the system behaves now and will report.

Thank you
