RV55 Aleos 4.16.2 - VPN hangs negotiating IKE_SA until reboot

We have several RV55 routers with site-to-site IPSec tunnels connecting back to a Cradlepoint. Every once in a while, the VPN tunnel shows down on the RV55. The Cradlepoint logging shows that it is continuously trying to negotiate the IKE_SA. If we manually bring the tunnel down and back up on either end, nothing changes. But if we reboot the RV55, everything comes back up as it should. We are starting to collect information to see if this has started since upgrading the RV55s to 4.16.2.

In the RV55 logging, we see the following logs repeating:

Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: VPN tunnel is down - inserting drop rules for 10.xxx.0.0/16
Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: Applying IPv4 firewall configuration
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: Failed to apply firewall configuration
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: iptables-restore: line 34 failed
Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: Removing bad line: -A DropRuleChain -s 10.xxx.x.0/28 -o wwan0 -d 10.xxx.0.0/16 -j DROP
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: Failed to apply firewall configuration
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: iptables-restore: line 34 failed
Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: Removing bad line: -A DropRuleChain -s 10.xxx.x.1 -o wwan0 -d 10.xxx.0.0/16 -j DROP
Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: Successfully applied firewall configuration
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: Drop rules applied to incomplete firewall configuration

At the very least, is there a configuration option available to have the RV55 reboot when a VPN tunnel is down? It does not appear the Cellular or Host Interface Watchdogs will help us in this case.

Hi @patrick.white,

Welcome to our community!

  • Based on the log you provided, I found a similar issue that was raised and it was recommended to upgrade to ALEOS firmware 4.17.1 on an RV55 device to see if it resolves the issue.

  • In case the issue persists even after upgrading to version 4.17.1, please share the full log file and template file with me.

And I have a few additional concerns as follows:

  • “We are starting to collect information to see if this has started since upgrading the RV55s to 4.16.2”
    → So, according to this, your device was working fine before upgrading to 4.16.2, and the issue started to occur occasionally after the upgrade? Is that correct?

  • How many devices are affected by this issue?

Thanks,

Hi Jerdung,

Thank you for your reply and sorry for the slow response. We followed your advice and upgraded this device to 4.17.1 after testing 4.17.1 on a spare. Within an hour, the VPN started disconnecting several times with similar log messages (pasted below; I’m unable to upload attachments as a new user). And by several times, I mean it would only stay connected about a minute, and then drop again, continuously.

Mar 11 15:05:24 info racoon: 2024-03-11 15:05:24: ERROR: sendmsg (Operation not permitted)
Mar 11 15:05:24 info racoon: 2024-03-11 15:05:24: ERROR: sendfromto failed
Mar 11 15:05:24 info racoon: 2024-03-11 15:05:24: ERROR: phase1 negotiation failed due to send error. afb51831a539080f:0000000000000000
Mar 11 15:05:24 info racoon: 2024-03-11 15:05:24: ERROR: failed to begin ipsec sa negotication.
Mar 11 15:05:31 notice ALEOS_SECURITY_Firewall: VPN tunnel is down - inserting drop rules for 10.248.0.0/16

We retrieved the device from the field (swapped it with another device running 4.16.2). Now that we have it back on the bench we are going to go through the config and see if there is something we missed, see if we can re-create the problem here, etc. I’m curious about the “send error” mentioned in the logs.

As for the other devices I mentioned, we have not had any more repeated problems. Those may have been completely isolated and coincidental issues related to the cold snap we had at the time (between -20 and -40F.) So, we are monitoring those and will report any patterns.
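
Added example, not part of any post in this thread and not vendor code: a log triage sketch for spotting the signatures quoted above in syslog forwarded from a fleet of routers. The signature names and the `triage` function are assumptions made for this example; the sample lines are copied from the two excerpts in the thread.

```python
import re
from collections import Counter

# Lines copied from the two log excerpts posted in this thread.
SAMPLE_LOG = """\
Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: VPN tunnel is down - inserting drop rules for 10.xxx.0.0/16
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: Failed to apply firewall configuration
Mar 1 18:18:08 notice ALEOS_SECURITY_Firewall: Removing bad line: -A DropRuleChain -s 10.xxx.x.0/28 -o wwan0 -d 10.xxx.0.0/16 -j DROP
Mar 1 18:18:08 err ALEOS_SECURITY_Firewall: Drop rules applied to incomplete firewall configuration
Mar 11 15:05:24 info racoon: 2024-03-11 15:05:24: ERROR: sendmsg (Operation not permitted)
Mar 11 15:05:24 info racoon: 2024-03-11 15:05:24: ERROR: phase1 negotiation failed due to send error. afb51831a539080f:0000000000000000
Mar 11 15:05:31 notice ALEOS_SECURITY_Firewall: VPN tunnel is down - inserting drop rules for 10.248.0.0/16
"""

# "<Mon> <day> <time> <severity> <process>: <message>", as in the excerpts.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<sev>\w+) (?P<proc>[\w.-]+): (?P<msg>.*)$")
# Signature names are labels chosen for this example (assumption).
SIGNATURES = {
    "tunnel_down": re.compile(r"VPN tunnel is down - inserting drop rules"),
    "fw_apply_failed": re.compile(r"Failed to apply firewall configuration"),
    "fw_rule_removed": re.compile(r"Removing bad line: (?P<rule>.+)"),
    "fw_incomplete": re.compile(r"Drop rules applied to incomplete firewall configuration"),
    "ike_send_error": re.compile(r"phase1 negotiation failed due to send error"),
    "sendmsg_eperm": re.compile(r"sendmsg \(Operation not permitted\)"),
}

def triage(text):
    """Count each signature and collect the rules the firewall service discarded."""
    counts, removed = Counter(), []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected syslog shape
        for name, sig in SIGNATURES.items():
            hit = sig.search(m["msg"])
            if hit:
                counts[name] += 1
                if name == "fw_rule_removed":
                    removed.append(hit["rule"])
    alerts = []
    if counts["fw_incomplete"] or removed:
        alerts.append("firewall ruleset loaded with rules discarded; review before trusting filtering")
    if counts["ike_send_error"] and counts["sendmsg_eperm"]:
        alerts.append("IKE phase 1 failing on a local send error (EPERM)")
    return counts, removed, alerts

if __name__ == "__main__":
    counts, removed, alerts = triage(SAMPLE_LOG)
    print(dict(counts), removed, alerts, sep="\n")
```

The alerts report only what the log lines state; they do not establish that the discarded drop rules and the `sendmsg` failure are related.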