Axon
Posts: 5
Registered: ‎07-04-2008

AG300 VPN Problem

Having a problem with AG300 IPSec VPNs. If the VPN device at the remote end (not a Linksys device) is restarted, the AG300 at the local end will not allow the IPSec VPN to be re-established. It appears to block new VPN establishment attempts (IKE packets) from the remote end. The AG241 and other Linksys models do not have this issue and always allow the VPN to be re-established. The problem appears to be specific to the AG300. The only workaround we have found is to stop and start the IPSec VPN on the AG300 manually every time the other end is restarted. Is there a configuration change or firmware upgrade available that fixes this problem? We would be happy to buy AG241s instead but they are no longer available.
Lostprophet1016
Posts: 168
Registered: ‎06-19-2008

Re: AG300 VPN Problem

Go to advanced settings under the VPN tab and set it to aggressive mode, check keep alive and uncheck "If IKE failed more than __ times, block this unauthorized IP for __ seconds". Also make sure that the Phase 1 and Phase 2 settings on both gateways are the same.

Axon
Posts: 5
Registered: ‎07-04-2008

Re: AG300 VPN Problem

I already had all our AG300s configured that way except for using aggressive mode. I've now tried aggressive mode and unfortunately the problem persists. If it had worked, though, it would not have been an optimal solution since aggressive mode is slightly less secure (no identity protection) and is an optional part of the IPSec protocol.
Lostprophet1016
Posts: 168
Registered: ‎06-19-2008

Re: AG300 VPN Problem

Disable Block Anonymous Internet Requests under the firewall tab and set MTU to manual; size is 1466, or better, contact your ISP for the exact MTU value they are using for their service.
Axon
Posts: 5
Registered: ‎07-04-2008

Re: AG300 VPN Problem

Block Anonymous Internet Requests is already disabled on all our AG300s. I believe we would be having other problems if this was an MTU issue. If I replace the AG300 with an AG241 it works fine without any adjustments to MTU settings. We have several AG300s and several AG241s installed with a variety of different ISPs and presumably a variety of different MTUs. All the AG300s suffer from this issue. All the AG241s are fine. My guess is that the AG300 firmware has a bug. When the other end of the VPN is restarted (in our case a Linux firewall running OpenSwan), the AG300 rejects all attempts from the other end to re-establish the VPN. The AG300 appears to think the VPN is still up and rejects the connection on this basis. A quick restart of IPSec on the AG300 results in the VPN re-establishing immediately.
Axon
Posts: 5
Registered: ‎07-04-2008

Re: AG300 VPN Problem

I'm puzzled as to why the AG241 works fine but not the AG300. We standardized on the AG241 for all our clients because it worked so well but these are no longer available. Perhaps an enhancement added to the AG300 code to make it more secure has accidentally caused this issue. Would someone from Linksys be able to advise if they think this could be a firmware bug?
slynz
Posts: 1
Registered: ‎08-07-2008

Re: AG300 VPN Problem

It appears that the problem occurs when the remote security gateway is set to an IP address or FQDN. This issue does not exist if the remote security is set to ANY.
Axon
Posts: 5
Registered: ‎07-04-2008

Re: AG300 VPN Problem

Thanks for your help. I guess that means relying on the VPN device at the other end to always do the initiation of the connection. That should work fine in my case but I would prefer Linksys to fix what I assume is a firmware bug.
FredWP
Posts: 594
Registered: ‎10-01-2006

Re: AG300 VPN Problem

Try to contact Linksys live chat and ask for a beta firmware, or for any other resolution if it doesn't help (like ask if they acknowledge the problem and offer any temporary solution).