IPSec VPN Tunnel Issue Cisco RV320

servicad
We're using a Cisco RV320 at one of our locations.
It's primarily used for two hardware VPNs using IPSec. Tunnel 1 goes to our hosted server (which has no issues) and Tunnel 2 goes to a Rogers hosted server.

Recently, the Rogers hosted server location changed their WAN IP. Therefore, I rebuilt Tunnel 2 to point to the new WAN IP and was able to establish the connection and the Tunnel went UP. All remote LAN IPs and IPSec protocols remained the same; the only change was the WAN IP.

Since this change, accessing remote server resources on Tunnel 2 is intermittent, i.e. in the morning it will be inaccessible, but for a few hours in the afternoon it will be accessible. During this whole time, VPN Tunnel 2 remains UP and doesn't go down, we just cannot communicate with the Remote LAN IP....

I asked the Rogers tech to change back to the old Remote WAN IP for testing. As soon as we changed back to the old Remote WAN IP, all resources became available again..... We then changed back to the new Remote WAN IP and server resources once again became unavailable. During these VPN changes, I've made sure to reboot our Cisco RV320 numerous times as well as rebuild this tunnel.

In addition to this, we have 4 other locations with the same Cisco RV320 on the same firmware connecting to the old Remote WAN IP of the Rogers hosted server.  We briefly tested the remote WAN IP change on another router's Tunnel 2, and the same issue occurred as it did on the other one.

My suspicion is something to do with the Rogers hosted server routing between the WAN and LAN interfaces but they're refusing otherwise and pointing this issue to our Cisco RV320.  I've reviewed the logs on the RV320 as well as checked the firewall rules.....but the only thing that has changed is the remote WAN IP on Tunnel 2 to connect to the Rogers hosted server.  

Any info on this scenario will greatly help me narrow down the issue.  

Thank you and Merry Christmas!
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I am using a Cisco RV325 with IPsec Tunnels on a Rogers network. IP Address is 99.x.x.x. here. Make sure your tunnel looks similar to the below.

Description
Tunnel Number 5
Interface on Router WAN 1
Enabled

Local Gateway Type: IP Only
(External) IP address
Local Security Group type: Subnet
192.168.000.0
255.255.255.0

Remote Gateway Type: Dyn IP + Email  (or what you need)
Remote IP address or email address  (these two are likely IP for you)
Remote Security Group type: Subnet
192.168.222.0
255.255.255.0

Keying Mode: IKE Pre-share
Phase 1
Group 2
3DES
SHA1
28800 Sec.
PFS OFF

Phase 2
Group 2
3DES
SHA1
3600 Sec.
Pre-shared key

Advanced
Main Mode (for site to site)
Compress OFF
Keep Alive ON Default
AH Hash (MD5) I have OFF
NetBIOS OFF
NAT Traversal ON or OFF whichever works
Top Expert 2013

Commented:
I would agree, it definitely sounds like a Rogers issue, but maybe not routing if it works sometimes and not others.
John, Business Consultant (Owner)

Commented:
As noted, I am using Rogers myself. It could be an issue with the IP range or something to do with the Rogers modem.

Author

Commented:
Hi John,

Thanks for your input!

Ours is configured the same as yours, except our Phase 1 lifetime is 86400 and not 28800.

However, as I specified in my post, we have 4 other RV320s for the same company at different locations, and all are running the same IPSec configuration to Rogers and currently have no issue. It's only at the time we change the Remote WAN IP to Rogers hosting that we see the issue arise.
Business Consultant (Owner)
Commented:
You are probably fine then, with your configuration. I would contact Rogers Support. I had a slower modem, changed to an Arris modem and did not even change IP. So I would contact them.

Author

Commented:
Rogers determined there must be an issue with their setup.  They see my traffic inbound when sending ICMP packets, but they do not return a reply.
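
The symptom reported in this thread (tunnel UP, traffic sent, no reply coming back) can be confirmed from a packet capture on the local WAN side by counting ESP packets per direction for each remote gateway. This is an added example, not part of the original thread; it assumes tcpdump-style text output, and the addresses, SPIs, sample lines and the `min_out` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (documentation addresses, made-up SPIs).
# 198.51.100.1 is the assumed local WAN IP; the others are remote gateways.
SAMPLE = """\
09:00:01.000101 IP 198.51.100.1 > 203.0.113.10: ESP(spi=0x0a1b2c3d,seq=0x11), length 132
09:00:01.020340 IP 203.0.113.10 > 198.51.100.1: ESP(spi=0x5e6f7081,seq=0x0f), length 132
09:00:02.000090 IP 198.51.100.1 > 203.0.113.77: ESP(spi=0x99aa00bb,seq=0x21), length 132
09:00:02.500000 IP 198.51.100.1.500 > 203.0.113.77.500: isakmp: phase 2/others ? inf[E]
09:00:03.000120 IP 198.51.100.1 > 203.0.113.77: ESP(spi=0x99aa00bb,seq=0x22), length 132
09:00:04.000150 IP 198.51.100.1 > 203.0.113.77: ESP(spi=0x99aa00bb,seq=0x23), length 132
09:00:05.000100 IP 198.51.100.1.4500 > 192.0.2.50.4500: UDP-encap: ESP(spi=0x0c0d0e0f,seq=0x05), length 116
09:00:05.030200 IP 192.0.2.50.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x04), length 116
"""

# Matches native ESP and NAT-T (UDP/4500 encapsulated) ESP; ports are optional.
LINE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: "
    r"(?:UDP-encap: )?ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)"
)

def esp_directions(capture, local_wan):
    """Count ESP packets per remote gateway as Counter(out=..., in=...)."""
    peers = {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not ESP (for example IKE on UDP/500) or unparsable
        src, dst = m.group(1), m.group(2)
        if src == local_wan:
            peers.setdefault(dst, Counter())["out"] += 1
        elif dst == local_wan:
            peers.setdefault(src, Counter())["in"] += 1
    return peers

def one_way_peers(capture, local_wan, min_out=3):
    """Gateways we send ESP to (at least min_out packets) but never hear ESP from."""
    return sorted(
        peer for peer, c in esp_directions(capture, local_wan).items()
        if c["out"] >= min_out and c["in"] == 0
    )

if __name__ == "__main__":
    print("one-way ESP peers:", one_way_peers(SAMPLE, "198.51.100.1"))
```

A gateway listed here is receiving encrypted traffic from the local router and returning none, which narrows the fault to the far end or the return path rather than the local tunnel settings.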
John, Business Consultant (Owner)

Commented:
Thank you for the update.
