IPsec Packet Loss, Dropped RDP Connections
I have a C2758 in a corporate office, an APU4 in one remote office and an SG-2220 in another. The C2758 and SG-2220 were running 2.4.2; both have recently been upgraded to 2.4.2_1. The APU4 is running 2.3.5_1. All sites are on-net with the same provider. Both remote sites are connected to the C2758 with IPsec tunnels. The tunnels are identical except for the different subnet information in the phase 2 entry. The remote offices run entirely off of thin clients. They connect to a server behind the C2758. The office that the APU4 is running in has been rock solid, but the SG-2220 has been a problem almost daily. As far as I can tell, the tunnel never disconnects, but users will intermittently experience poor performance or be completely disconnected from their thin client session. Moments later, they can log in again and resume work as usual. Bandwidth utilization never seems to be a problem. The only other network devices in the facility are VoIP phones that go through the SG-2220 to a 3rd party provider on the internet, but not through the IPsec tunnel. They are completely unaffected when the RDP disconnects happen. I have MSS clamping enabled and set to 1300, and the remote LAN address is used as a ping destination on both ends of the tunnel to keep it up.
This could be completely unrelated, or normal functionality, but I've noticed two child SA / phase 2 entries for the tunnel occasionally when viewing Status > IPsec > Overview. The first one will generally show almost no traffic statistics, though. Example screen cap attached.
Below is the IPsec log from the SG-2220 (IPs sanitized):
Feb 6 18:25:13 charon 11[ENC] <4> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 6 18:25:13 charon 11[NET] <4> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (244 bytes)
Feb 6 18:25:13 charon 11[NET] <4> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (108 bytes)
Feb 6 18:25:13 charon 11[ENC] <4> parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Feb 6 18:25:13 charon 11[CFG] <4> looking for pre-shared key peer configs matching ***SG-2220 WAN IP***...***C2758 WAN IP***[***C2758 WAN IP***]
Feb 6 18:25:13 charon 11[CFG] <4> selected peer config "con1000"
Feb 6 18:25:13 charon 11[IKE] <con1000|4> IKE_SA con1000[4] established between ***SG-2220 WAN IP***[***SG-2220 WAN IP***]...***C2758 WAN IP***[***C2758 WAN IP***]
Feb 6 18:25:13 charon 11[IKE] <con1000|4> scheduling reauthentication in 28118s
Feb 6 18:25:13 charon 11[IKE] <con1000|4> maximum IKE_SA lifetime 28658s
Feb 6 18:25:13 charon 11[ENC] <con1000|4> generating ID_PROT response 0 [ ID HASH ]
Feb 6 18:25:13 charon 11[NET] <con1000|4> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (76 bytes)
Feb 6 18:25:13 charon 10[NET] <con1000|4> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (236 bytes)
Feb 6 18:25:13 charon 10[ENC] <con1000|4> parsed QUICK_MODE request 3120654248 [ HASH SA No ID ID ]
Feb 6 18:25:13 charon 10[ENC] <con1000|4> generating QUICK_MODE response 3120654248 [ HASH SA No ID ID ]
Feb 6 18:25:13 charon 10[NET] <con1000|4> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (188 bytes)
Feb 6 18:25:14 charon 10[NET] <con1000|4> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (60 bytes)
Feb 6 18:25:14 charon 10[ENC] <con1000|4> parsed QUICK_MODE request 3120654248 [ HASH ]
Feb 6 18:25:14 charon 10[IKE] <con1000|4> CHILD_SA con1000{6} established with SPIs cb2e6c35_i c06ed296_o and TS 192.168.30.0/24|/0 === 192.168.1.0/24|/0
Feb 6 18:25:17 charon 12[IKE] <con1000|3> sending retransmit 1 of request message ID 0, seq 2
Feb 6 18:25:17 charon 12[NET] <con1000|3> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (244 bytes)
Feb 6 18:25:17 charon 12[NET] <con1000|3> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (244 bytes)
Feb 6 18:25:17 charon 12[ENC] <con1000|3> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 6 18:25:17 charon 12[ENC] <con1000|3> generating ID_PROT request 0 [ ID HASH ]
Feb 6 18:25:17 charon 12[NET] <con1000|3> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (76 bytes)
Feb 6 18:25:17 charon 12[NET] <con1000|3> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (76 bytes)
Feb 6 18:25:17 charon 12[ENC] <con1000|3> parsed ID_PROT response 0 [ ID HASH ]
Feb 6 18:25:17 charon 12[IKE] <con1000|4> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Feb 6 18:25:17 charon 12[IKE] <con1000|3> IKE_SA con1000[3] established between ***SG-2220 WAN IP***[***SG-2220 WAN IP***]...***C2758 WAN IP***[***C2758 WAN IP***]
Feb 6 18:25:17 charon 12[IKE] <con1000|3> scheduling reauthentication in 28142s
Feb 6 18:25:17 charon 12[IKE] <con1000|3> maximum IKE_SA lifetime 28682s
Feb 6 18:25:17 charon 12[ENC] <con1000|3> generating QUICK_MODE request 3872375894 [ HASH SA No ID ID ]
Feb 6 18:25:17 charon 12[NET] <con1000|3> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (236 bytes)
Feb 6 18:25:17 charon 12[NET] <con1000|3> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (188 bytes)
Feb 6 18:25:17 charon 12[ENC] <con1000|3> parsed QUICK_MODE response 3872375894 [ HASH SA No ID ID ]
Feb 6 18:25:17 charon 12[IKE] <con1000|3> CHILD_SA con1000{7} established with SPIs c7c5c546_i c2f912e1_o and TS 192.168.30.0/24|/0 === 192.168.1.0/24|/0
Feb 6 18:25:17 charon 12[ENC] <con1000|3> generating QUICK_MODE request 3872375894 [ HASH ]
Feb 6 18:25:17 charon 12[NET] <con1000|3> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (60 bytes)
Feb 6 18:25:23 charon 05[IKE] <con1000|4> sending DPD request
Feb 6 18:25:23 charon 05[ENC] <con1000|4> generating INFORMATIONAL_V1 request 1626032538 [ HASH N(DPD) ]
Feb 6 18:25:23 charon 05[NET] <con1000|4> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (92 bytes)
Feb 6 18:25:23 charon 05[NET] <con1000|4> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (92 bytes)
Feb 6 18:25:23 charon 05[ENC] <con1000|4> parsed INFORMATIONAL_V1 request 644715972 [ HASH N(DPD) ]
Feb 6 18:25:23 charon 05[ENC] <con1000|4> generating INFORMATIONAL_V1 request 581045535 [ HASH N(DPD_ACK) ]
Feb 6 18:25:23 charon 05[NET] <con1000|4> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (92 bytes)
Feb 6 18:25:23 charon 12[NET] <con1000|4> received packet: from ***C2758 WAN IP***[500] to ***SG-2220 WAN IP***[500] (92 bytes)
Feb 6 18:25:23 charon 12[ENC] <con1000|4> parsed INFORMATIONAL_V1 request 3162628574 [ HASH N(DPD_ACK) ]
Feb 6 18:25:27 charon 16[IKE] <con1000|4> deleting IKE_SA con1000[4] between ***SG-2220 WAN IP***[***SG-2220 WAN IP***]...***C2758 WAN IP***[***C2758 WAN IP***]
Feb 6 18:25:27 charon 16[IKE] <con1000|4> sending DELETE for IKE_SA con1000[4]
Feb 6 18:25:27 charon 16[ENC] <con1000|4> generating INFORMATIONAL_V1 request 1864092145 [ HASH D ]
Feb 6 18:25:27 charon 16[NET] <con1000|4> sending packet: from ***SG-2220 WAN IP***[500] to ***C2758 WAN IP***[500] (92 bytes)
Suggestions on anything else to look for? Any help would be greatly appreciated.
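The log above shows two IKE_SAs for con1000 ([4] and [3]) alive at the same time, each with its own CHILD_SA ({6} and {7}), until [4] is deleted ten seconds later. The script below is an added example (not part of the original post, pfSense or strongSwan): it replays charon log lines and reports every window in which a connection has more than one established IKE_SA, which CHILD_SAs hang off each, and how long the overlap lasted, so the windows can be lined up against the RDP disconnect times. The sample lines are constructed from the post's log with the documentation addresses 198.51.100.2 (SG-2220 WAN) and 203.0.113.1 (C2758 WAN) standing in for the sanitized IPs; the line format assumed is the syslog-style "Mon D HH:MM:SS charon NN[GROUP] <ctx> message" seen on the page, and the year is not in the log so timestamps default to strptime's 1900 (only differences are used).

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed line shape, taken from the post's log: "Feb 6 18:25:13 charon 11[IKE] <con1000|4> message".
# "charon:?" also accepts the "charon:" form pfSense writes in newer versions.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) charon:? "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] <(?P<ctx>[^>]*)> ?(?P<msg>.*)$"
)
IKE_UP_RE = re.compile(r"^IKE_SA (?P<conn>[^\[\s]+)\[(?P<id>\d+)\] established")
IKE_DEL_RE = re.compile(r"^deleting IKE_SA (?P<conn>[^\[\s]+)\[(?P<id>\d+)\]")
CHILD_UP_RE = re.compile(
    r"^CHILD_SA (?P<conn>[^{\s]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_i>[0-9a-f]+)_i (?P<spi_o>[0-9a-f]+)_o"
)

# Constructed sample: the IKE-level lines from the post with placeholder WAN IPs.
SAMPLE_LOG = """\
Feb 6 18:25:13 charon 11[IKE] <con1000|4> IKE_SA con1000[4] established between 198.51.100.2[198.51.100.2]...203.0.113.1[203.0.113.1]
Feb 6 18:25:14 charon 10[IKE] <con1000|4> CHILD_SA con1000{6} established with SPIs cb2e6c35_i c06ed296_o and TS 192.168.30.0/24|/0 === 192.168.1.0/24|/0
Feb 6 18:25:17 charon 12[IKE] <con1000|4> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Feb 6 18:25:17 charon 12[IKE] <con1000|3> IKE_SA con1000[3] established between 198.51.100.2[198.51.100.2]...203.0.113.1[203.0.113.1]
Feb 6 18:25:17 charon 12[IKE] <con1000|3> CHILD_SA con1000{7} established with SPIs c7c5c546_i c2f912e1_o and TS 192.168.30.0/24|/0 === 192.168.1.0/24|/0
Feb 6 18:25:23 charon 05[IKE] <con1000|4> sending DPD request
Feb 6 18:25:27 charon 16[IKE] <con1000|4> deleting IKE_SA con1000[4] between 198.51.100.2[198.51.100.2]...203.0.113.1[203.0.113.1]
""".splitlines()


@dataclass
class IkeSa:
    conn: str
    ike_id: int
    established: datetime
    deleted: Optional[datetime] = None
    children: List[Tuple[int, str, str]] = field(default_factory=list)  # (child id, SPI in, SPI out)


def parse_line(line: str) -> Optional[Tuple[datetime, Optional[int], str]]:
    """Return (timestamp, IKE_SA id from the <ctx> field, message) or None for non-charon lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ctx_id = m.group("ctx").split("|")[-1]          # "<4>" and "<con1000|4>" both carry the id last
    ike_id = int(ctx_id) if ctx_id.isdigit() else None
    ts = datetime.strptime(f"{m.group('mon')} {m.group('day')} {m.group('time')}", "%b %d %H:%M:%S")
    return ts, ike_id, m.group("msg")


def analyze(lines: List[str]):
    """Track IKE_SA lifetimes per connection and record windows where two are live at once."""
    sas: Dict[Tuple[str, int], IkeSa] = {}
    overlaps: List[dict] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ike_id, msg = parsed
        up, down, child = IKE_UP_RE.match(msg), IKE_DEL_RE.match(msg), CHILD_UP_RE.match(msg)
        if up:
            conn, new_id = up.group("conn"), int(up.group("id"))
            live = [s for s in sas.values() if s.conn == conn and s.deleted is None]
            sas[(conn, new_id)] = IkeSa(conn, new_id, ts)
            for old in live:   # a new IKE_SA while an old one is still up: the "two phase 2 entries" state
                overlaps.append({"conn": conn, "old": old.ike_id, "new": new_id, "start": ts, "end": None})
        elif down:
            conn, del_id = down.group("conn"), int(down.group("id"))
            if (conn, del_id) in sas:
                sas[(conn, del_id)].deleted = ts
            for ov in overlaps:
                if ov["conn"] == conn and ov["end"] is None and del_id in (ov["old"], ov["new"]):
                    ov["end"] = ts
        elif child and (child.group("conn"), ike_id) in sas:
            sas[(child.group("conn"), ike_id)].children.append(
                (int(child.group("id")), child.group("spi_i"), child.group("spi_o")))
    return sas, overlaps


def summarize(lines: List[str]) -> List[dict]:
    """One record per overlap window; overlap_seconds is None if the log ends with both SAs still up."""
    sas, overlaps = analyze(lines)
    out = []
    for ov in overlaps:
        old, new = sas[(ov["conn"], ov["old"])], sas[(ov["conn"], ov["new"])]
        secs = (ov["end"] - ov["start"]).total_seconds() if ov["end"] else None
        out.append({"conn": ov["conn"], "old_ike": ov["old"], "new_ike": ov["new"],
                    "start": ov["start"].strftime("%H:%M:%S"), "overlap_seconds": secs,
                    "old_children": [c[0] for c in old.children],
                    "new_children": [c[0] for c in new.children]})
    return out


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(rec)
```

Run it against a full day of the SG-2220's IPsec log (Status > System Logs > IPsec, or /var/log/ipsec.log) instead of SAMPLE_LOG; a window with overlap_seconds of None, or a long one, is the state where both CHILD_SAs exist and the peer may be sending traffic on the one about to be deleted.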