IPsec VPN Flip-Flopping when using secondary vpn gateway

Quality_Drive_Away Posts: 14  Freshman Member
edited April 2021 in Security
Models: USG210, USG20W-VPN, USG20-VPN
Firmware: v4.33

Our 17 remote ZyXEL sites flip-flop connection every 20-30 seconds when we add the secondary IP in the VPN gateway to connect to the corporate router's fail-over internet connection. I have worked with the corporate router vendor and the fail-over on the corporate side is configured correctly. Here are the details on that configuration if it helps to determine the ZyXEL's behavior.

On the ZyXEL side... nothing fancy. Mainly defaults; I just added the VPN connections and they work. Tried to add the secondary gateway IP and I get flip-flops, back and forth between the primary and secondary VPN gateway IPs. Weird behavior, and I could use some help getting this working right.

Thanks!

All Replies

  • Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @Quality_Drive_Away
    We would like to clarify this case further, so can you collect the log and diagnostic information for me?
    Before collecting the log messages, please go to log & report > log settings > system log profile and enable IKE, IPSec and VPN Dashboard on debug level.

    Diagnostic information

    Charlie
  • Quality_Drive_Away Posts: 14  Freshman Member
    I will have to do this after hours or on the weekend as it is very disruptive to the remote locations.
    Do you want the logs from all 17 remote routers or will just 1 be good?

  • Zyxel_Charlie Posts: 1,034  Zyxel Employee
    @Quality_Drive_Away
    The collected information from the local site and the remote side should be enough.
    Charlie
