This article explains how to troubleshoot common site-to-site VPN problems: frequent VPN disconnections, a tunnel that is established but carries no traffic, and a VPN that does not come back up after a disconnection. It covers setting a consistent SA Life Time for both Phase 1 and Phase 2, enabling a connectivity check to keep the tunnel up, allowing ESP traffic when the tunnel is established but passes no traffic, and checking for subnet overlaps or policy routes that interfere with VPN traffic.
1) VPN Disconnections
If your VPN tunnel frequently disconnects, it may indicate a re-key issue. To address this problem, ensure that the "SA Life Time" value is consistent on both Phase 1 and Phase 2 configurations on both sides of the VPN tunnel. By matching these values, you can prevent re-keying discrepancies that may lead to frequent disconnections.
If the issue persists, you can attempt to enable a connectivity check under the "VPN Connection" menu. Configure the "Check these Addresses" option to 184.108.40.206 (Google's DNS server) and enable the connectivity check. This step helps monitor the health of the VPN connection and identifies potential connectivity problems.
2) VPN Connection Failure to Re-establish After Disconnection
In some cases, VPN connections fail to re-establish automatically after a disconnection. This issue can be resolved by enabling the "Nailed-Up" feature in the "VPN Connection" settings within the VPN menu. Enabling this option ensures that the VPN connection will automatically attempt to re-connect after a disruption, minimizing manual intervention.
Note! Only enable Nailed-Up on one side of the tunnel: if both firewalls try to initiate the connection at the same time, it can cause connection issues.
3) Tunnel Established, but No Traffic in the Tunnel
3.1 Allow ESP from WAN to Zywall
If your VPN tunnel is established but no traffic is passing through it, there are a few potential causes to consider. First, verify that the firewall rules allow ESP (Encapsulating Security Payload) traffic from the WAN to the Zywall device. Without this rule the firewall may block ESP traffic, leaving it unable to decrypt the encapsulated packets.
3.2 Policy routes / Static routes
If ESP traffic is allowed from the WAN to the Zywall device, review the policy routes associated with both the local subnet of the VPN and the remote subnet of the other side of the VPN tunnel. This verification will help identify any misconfigurations or conflicting routing rules that might be causing the absence of traffic in the tunnel.
Additionally, check for any policy routes or static routes that could interfere with routing traffic into the VPN tunnel. These routes may divert the traffic elsewhere, preventing it from entering the VPN tunnel.
3.3 Subnet Overlap
Another possibility is a subnet overlap, where VPN traffic is unintentionally routed internally instead of through the VPN tunnel. Ensure that the VPN traffic is correctly directed towards the tunnel to avoid such issues.
Check the subnets of your Ethernet interfaces, VLANs and other VPN tunnels to make sure that none of them overlap in your firewall.
The easiest way to do this is to navigate to:
Maintenance -> Packet Flow Explore -> Routing Status
Then look through all routes from left to right to see if you have any subnets that are overlapping and causing interference with your current VPN setup.
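The overlap check described above, as an added example in Python that is not part of the original article or any Zyxel tool. It assumes you have copied the interface, VLAN and VPN remote subnets from the Routing Status page into a list; the sample inventory below is constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample inventory in the shape you would read off
# Maintenance -> Packet Flow Explore -> Routing Status (not real firewall output).
# VPN local subnets are left out on purpose: they are supposed to match an interface.
ROUTES = [
    ("ethernet lan1",       "192.168.1.0/24"),
    ("vlan10",              "10.10.0.0/16"),
    ("vpn tunnel-A remote", "10.10.5.0/24"),     # hidden inside vlan10
    ("vpn tunnel-B remote", "172.16.0.0/24"),
    ("vpn tunnel-C remote", "172.16.0.128/25"),  # inside tunnel-B's remote subnet
]


def _parse(routes):
    """Turn (name, cidr) pairs into (name, ip_network) pairs."""
    return [(name, ipaddress.ip_network(cidr, strict=False)) for name, cidr in routes]


def find_overlaps(routes):
    """Return every pair of entries whose address ranges overlap, as
    (name_a, name_b) tuples, in input order. Any overlap between two
    interfaces, two tunnels, or an interface and a tunnel is a problem."""
    parsed = _parse(routes)
    hits = []
    for (name_a, net_a), (name_b, net_b) in combinations(parsed, 2):
        if net_a.overlaps(net_b):
            hits.append((name_a, name_b))
    return hits


def shadowed_vpn_remotes(routes):
    """Return the names of VPN remote subnets that overlap an interface or
    VLAN subnet. This is the case the section describes: traffic for those
    addresses is routed internally and never enters the tunnel."""
    parsed = _parse(routes)
    local = [net for name, net in parsed if not name.startswith("vpn")]
    remote = [(name, net) for name, net in parsed if name.startswith("vpn")]
    return [name for name, net in remote if any(net.overlaps(l) for l in local)]


if __name__ == "__main__":
    for a, b in find_overlaps(ROUTES):
        print(f"overlap: {a} <-> {b}")
    for name in shadowed_vpn_remotes(ROUTES):
        print(f"VPN traffic for {name} will be routed internally, not into the tunnel")
```

Run it after each change to the interface, VLAN or VPN configuration; an empty result from both functions means no subnet on the firewall can capture traffic meant for a tunnel.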