VPN disconnect BR100

  • Question
  • Updated 2 years ago
We have 60 BR100 branch routers, but every 24 hours the VPN disconnects.

I have found this inside the logging.
ipsec tunnel 192.168.2.6[4500]<->217.195.233.201[4500] established/rekey
ipsec tunnel 192.168.2.6[4500]<->217.195.233.201[4500] expired

I have rebuilt the VPN configuration and also the keys, but that was not the solution.
Rob Stalpers
Posted 2 years ago

Will Rhodes
I am having a similar problem. I have an open ticket with support but so far, no resolution. I'll post if we get anywhere with it.

Manoah Coenraad, Champ
Hello Will,

Is there any update regarding this issue?

Will Rhodes
No resolution yet.

Manoah Coenraad, Champ
Hi Will,

We have found a workaround. We have increased the lifetime timer of the tunnel of the VPN connection to 115 days (which is max). The default lifetime is 24 hours.
Our tunnel has now been up and running for at least 9 days.

Will Rhodes
Thanks for the suggestion. I'm giving that a shot until there's a real fix.

Roberto Minotti, Employee
Which version are you using? The Golden release is out (6.5r3) and could be a good starting point for post-install troubleshooting if the issue persists.
Ciao

Will Rhodes
I have the problem with the 6.5r3 release as well.

Rob Stalpers
We are using 6.5r1. How do I get the gold release 6.5r3? If I look inside our own HiveManager there is no update available.

Nick Lowe, Official Rep
You need to update HiveManager to 6.6r3 first.

Rob Stalpers
We are running HiveOS 6.5r3 Honolulu.2530 on our BR100 and the VPN gateway is running HiveOS 6.6r1b.2338, but still the same issue: every 24 hours the VPN disconnects.

ipsec tunnel 10.176.95.6[4500]<->77.250.164.241[4500] expired

Nick Lowe, Official Rep
Will,

Have you achieved progression with your support case?

Nick

Will Rhodes
Not really. I'm in the process of collecting logs with some debug commands enabled. I'll update with anything that's helpful.

jryanwill .
We have the exact same issue on our BR200s to a CVG back at our hosting facility, VPN Tunnel dropping. We tried updating our routers to 6.6r1 however that update caused all of our routers to begin randomly rebooting themselves for no reason at all, different times and sometimes back to back.

Oh and support has been no help, even progressed to a tier 3 support tech and still no help. Just seemed to be throwing random solutions at the problem.

joel cuya
We have the same issue on every Phase 1 rekey. The VPN issue was mentioned in the release notes of 6.5r3a. Hopefully, this is already addressed in this release.

Will Rhodes
As a workaround, I maxed out the key lifetime values (thanks for the suggestion, Manoah). That keeps things up and running for much longer but it will eventually need to re-key and drop for a bit. Not a fix, but it's something to get you by. If you haven't already done so, open a ticket. My super awesome account rep was able to escalate the ticket to higher tiers, saving some time and troubleshooting on the phone.

Nick Lowe, Official Rep
Have you been provided with and updated to HiveOS 6.5r3a?

Will Rhodes
No, we are running the "6.5r3 Honolulu.2530" release. I'll ask support about the "a" revision the next time we talk about this case.

Nick Lowe, Official Rep
Will, you should have had the links via email for the BR100 and BR200.

Will Rhodes
Thanks. I'll give it a shot.

joel cuya
Hi Will,

Does 6.5r3a improve your issue with VPN?

Thanks...

joel cuya
Our tier 3 support informed us that the issue is addressed in 6.5r3a and that the image is available in HMOL. I updated our two non-prod CVGs yesterday. One CVG runs on the default 1 day P1 lifetime and the other one with a 2 hour P1 lifetime, with both P2 set to expire every hour. DPD is enabled with an idle interval of 30 seconds, 5 retries every 2 seconds. I have the first rekey after 24 hours. Below are the key events I've analyzed so far from both CVG and BR logs. From a monitoring standpoint behind the CVG, there is still a registered timeout from when P1 expired up to when P2 re-established.

*** CVG ***
Phase 1 expired - 08:44:32
Phase 1 deleted - 08:44:33
BR subnet deleted by "ip route delete" command - 08:46:02 (Outage started from the monitoring)
Phase 1 established - 08:46:48
Phase 2 expired - 09:00:40
Phase 2 established - 09:00:41
Kernel route redistribution to OSPF - 09:00:41 (End of outage from monitoring)

*** BR200 ***
Phase 1 expired - 08:46:46
Phase 1 deleted - 08:46:47
Phase 1 established - 08:46:49
Phase 2 expired - 09:00:40
Phase 2 established - 09:00:41

One thing worth noting is that during the outage, the tunnel is active. One indication is that syslog from the BR, which runs on UDP, is well received on the Splunk behind the CVG.

I haven't yet tried the VPN service with two CVGs with this new image. In our Prod, though, the outage duration is being shortened by failover to the secondary CVG via OSPF.
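
The rekey gaps discussed in this thread can be measured from device logs. The following is an added example, not part of any post in the thread or of Aerohive's tooling: it parses `ipsec tunnel ... expired` / `established` lines in the format quoted in the thread, reports how long each tunnel stayed down after an expiry, and checks whether the expiries are spaced one lifetime apart. The timestamp prefix, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text matches the lines quoted in this thread; the leading
# "YYYY-MM-DD HH:MM:SS" timestamp is an assumed syslog prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ipsec tunnel "
    r"(?P<local>\S+?)\[\d+\]<->(?P<peer>\S+?)\[\d+\] "
    r"(?P<event>established(?:/rekey)?|expired)\s*$")

def parse(lines):
    """Yield (timestamp, (local, peer), event) for recognised lines, in log order."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, (m["local"], m["peer"]), m["event"].split("/")[0]

def rekey_report(lines, lifetime=timedelta(hours=24), tolerance=timedelta(minutes=5)):
    """Per tunnel: seconds down after each expiry, and whether expiries are
    spaced one SA lifetime apart (drops driven by rekey, not by the link)."""
    report, pending = {}, {}  # pending: tunnel -> expiry not yet followed by establish
    for ts, tunnel, event in parse(lines):
        entry = report.setdefault(tunnel, {"gaps": [], "expiries": []})
        if event == "expired":
            entry["expiries"].append(ts)
            pending.setdefault(tunnel, ts)
        elif tunnel in pending:
            entry["gaps"].append((ts - pending.pop(tunnel)).total_seconds())
    for tunnel, entry in report.items():
        exp = entry["expiries"]
        spacing = [b - a for a, b in zip(exp, exp[1:])]
        entry["lifetime_driven"] = bool(spacing) and all(
            abs(s - lifetime) <= tolerance for s in spacing)
        entry["still_down"] = tunnel in pending
    return report

# Constructed sample; the addresses are the ones from a log line quoted in this thread.
SAMPLE = """\
2015-03-01 08:46:49 ipsec tunnel 10.176.95.6[4500]<->77.250.164.241[4500] established/rekey
2015-03-02 08:46:46 ipsec tunnel 10.176.95.6[4500]<->77.250.164.241[4500] expired
2015-03-02 08:46:49 ipsec tunnel 10.176.95.6[4500]<->77.250.164.241[4500] established/rekey
2015-03-03 08:46:47 ipsec tunnel 10.176.95.6[4500]<->77.250.164.241[4500] expired
2015-03-03 08:48:02 ipsec tunnel 10.176.95.6[4500]<->77.250.164.241[4500] established/rekey
""".splitlines()

if __name__ == "__main__":
    for tunnel, entry in rekey_report(SAMPLE).items():
        print(tunnel, entry["gaps"], entry["lifetime_driven"], entry["still_down"])
```

Set `lifetime` to the configured value when it has been changed from the 24 hour default mentioned in the thread; a `lifetime_driven` result of `False` points away from rekey as the cause of the drops.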

jryanwill .
Weird because we have updated our BRs to 6.6r1 as well as HMOL and it didn't make a difference with the VPN issue. 6.6 also made our BR200s randomly reboot themselves on their own.

So why would 6.5r3 correct the issue but not 6.6r1?

Nick Lowe, Official Rep
HiveOS 6.6r1 is quite a bit older code than 6.5r3 and 6.5r3a.

jryanwill .
So their patching doesn't go in order by number? Or is there a difference in release version with different revisions? So is HiveManager that we just updated to 6.6r3a newer or older than 6.5r3a?

Nick Lowe, Official Rep
6.5 is the current golden, long term support branch. Its focus is stability.

6.6 is the current feature release branch. Its focus is bringing new features to HiveOS, with as much stability as possible but at the risk of those new features impinging upon it.

HiveOS 6.5r3 was released at the same time as HiveOS 6.6r2.

HiveOS 6.5r3 contains a greater number of bug fixes than HiveOS 6.6r2, as HiveOS 6.6r2 was finished prior to 6.5r3 and the focus of attention was rightly on the long term support release at that time regardless.

These additional bug fixes will almost certainly come to a future feature release of HiveOS.

Unless there is a must-have feature in the feature release branch, stick with the golden, long term support branch.

intvlan1shut
Great info Nick, but I have to wonder... Why isn't this sort of thing in giant bold red letters as a sticky somewhere and/or sent out to all customers? How are customers supposed to know this sort of thing? This would be handy when less knowledgeable management folks ask why we're not running the latest (usually higher) number OS.

Will Rhodes
I have been working with support a lot on this case. They have acknowledged the issue and have a fix for it coming up in the next HiveOS release. The date isn't firm yet, but I've been told that it will be released around the end of this month or early next month.


I have been running a test build with the fix and all is well with my CVG and BR200s. They didn't have a test build for the BR100s, but I'm collecting more data to try and get one.


If you have a case open, ask about getting a copy of the test build. It's based on the 5r3 code. It shows up in HM as "HiveOS 6.5r3 Honolulu.E2530"

joel cuya
Been there since August last year. The last info I've got from sr. tech engineer is that it will be fixed thru the release of 6.5.r3b. I will try to request for a test build.

Thanks...

joel cuya
Hi Will,

Is it possible to have a copy of the image? I've tried to request to sr. tech support that I'm working with but not that much on any help.

Thanks...

Yannick Laurent
Hi all,

Is this issue resolved?

I'm interested in buying an Aerohive Appliance VPN Gateway with BR100 for our teleworkers.
So I wonder if I should...

Thanks...

Will Rhodes
I've had good luck with 6.5r4. No more drops.

BJ, Champ
After using both the BR100 and BR200, I recommend moving up if the cost isn't prohibitive.

Will Rhodes
I second that recommendation. The BR200 is a better unit.