KenPwr

New EdgeRouter POE, IPsec issue


Have a new EdgeRouter, using it as a home office router, currently running the forum-posted SOHO config with a static IP on the WAN side (business cable connection).


I'm having issues connecting two company-provided Cisco ASA 5500 boxes through the router itself to a set of VoIP devices and workstations. The devices will link up, but the VPN connection drops at random. Some days it will run for hours, other days it cycles every few minutes. Note that I can't get at any configs on the ASAs - not paid enough. Both are IPsec devices, so I'm assuming there may be a configuration I need to provide to properly allow both devices to pass through.


The ASAs don't have the issue with the older Linksys, and also don't have the issue with an ASUS unit that I've toyed around with. Honestly, I would rather keep the EdgeRouter; it goes well with the 2 AP-Pros.

Thoughts? Config can be posted, but it's currently exactly the same as the SOHO config for the 5-port POE (eth1 for WAN, eth0 at 192.168.1.1, eth2-4 as the switch). Same with the firewall: the default 4 rules. Grabbed the logs as well via CLI, but nothing stood out.

Ubiquiti Employee
UBNT-Arthur

Re: New EdgeRouter POE, IPsec issue

Which firmware/EdgeOS version is running on the EdgeRouter? Please try 1.2.0 or above.

KenPwr

Re: New EdgeRouter POE, IPsec issue

Version 1.2.

 

Updated Firmware was the first thing I checked.

KenPwr

Re: New EdgeRouter POE, IPsec issue


EDIT:  You can think of what I'm doing like this.

FM WPN.jpg

Current Config.

 

/* Firewall section of the EdgeOS config (forum SOHO template).
   Policy: traffic arriving from the WAN (WAN_IN, WAN_LOCAL) is default-drop with a
   stateful allow; traffic from either LAN segment (LAN_IN, LAN_LOCAL) is default-accept
   with no rules at all. */
firewall {
/* The router answers ping on every interface; directed-broadcast ping is refused. */
all-ping enable
broadcast-ping disable
conntrack-expect-table-size 4096
conntrack-hash-size 4096
conntrack-table-size 32768
/* NOTE(review): "loose" TCP tracking lets a mid-stream TCP segment create state
   (presumably the nf_conntrack_tcp_loose knob). Turning it off is a common hardening
   step, but it can cut long-lived sessions after a reboot - confirm before changing. */
conntrack-tcp-loose enable
group {
/* Ranges that must never be the source of a packet arriving on the WAN:
   RFC 1918 private space, RFC 6598 shared space (100.64/10), loopback, link-local,
   IETF protocol assignments (192.0.0/24), the RFC 5737 documentation nets,
   RFC 2544 benchmarking (198.18/15) and 224.0.0.0/3 (multicast plus reserved). */
network-group BOGONS {
description "Invalid WAN networks"
network 10.0.0.0/8
network 100.64.0.0/10
network 127.0.0.0/8
network 169.254.0.0/16
network 172.16.0.0/12
network 192.0.0.0/24
network 192.0.2.0/24
network 192.168.0.0/16
network 198.18.0.0/15
network 198.51.100.0/24
network 203.0.113.0/24
network 224.0.0.0/3
}
}
/* Ignore received ICMP redirects and source-routed packets for both address families;
   log-martians records packets whose source address is impossible on the receiving interface. */
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* LAN -> anywhere else (Internet and the other LAN segment): nothing is filtered.
   NOTE(review): because both eth0 and switch0 apply this default-accept chain with no
   rules, 192.168.1.0/24 and 192.168.2.0/24 are not isolated from each other. Add rules
   here if the company-provided devices should not be reachable from personal hosts. */
name LAN_IN {
default-action accept
description "Wired network to other networks."
}
/* LAN -> the router itself (SSH, GUI, DNS, DHCP): unrestricted. */
name LAN_LOCAL {
default-action accept
description "Wired network to router."
}
/* Internet -> internal networks. Only replies to flows the LAN initiated get through. */
name WAN_IN {
default-action drop
description "Internet to internal networks"
/* Every packet that falls through to the default drop is logged. */
enable-default-log
/* Return traffic for connections conntrack already knows about. For the IPsec
   appliances behind this router this is the only inbound path for IKE/NAT-T/ESP
   replies - nothing in this chain is IPsec-specific. NOTE(review): whether idle UDP
   or ESP state ages out between the tunnel's keepalives cannot be judged from this
   config alone. */
rule 1 {
action accept
description "allow established/related"
log disable
state {
established enable
related enable
}
}
/* Packets conntrack marks INVALID are dropped and logged. */
rule 2 {
action drop
description "drop invalid"
log enable
state {
invalid enable
}
}
/* Spoofed sources: anything from the BOGONS group. "protocol all" covers ICMP, ESP
   and everything else, not only TCP/UDP. */
rule 3 {
action drop
description "drop BOGON source"
log enable
protocol all
source {
group {
network-group BOGONS
}
}
}
}
/* Internet -> the router itself. Same three rules as WAN_IN plus a rate-limited ICMP
   accept; unsolicited SSH, HTTPS or DNS from the WAN therefore reaches the default drop. */
name WAN_LOCAL {
default-action drop
description "Internet to router"
enable-default-log
rule 1 {
action accept
description "allow established/related"
log disable
state {
established enable
related enable
}
}
rule 2 {
action drop
description "drop invalid"
log enable
state {
invalid enable
}
}
rule 3 {
action drop
description "drop BOGON source"
log enable
protocol all
source {
group {
network-group BOGONS
}
}
}
/* Accept ICMP aimed at the router, at most 50 per minute with a burst of 1; each
   accepted packet is logged. Packets over the limit do not match and fall through
   to the default drop. */
rule 4 {
action accept
description "rate limit ICMP 50/m"
limit {
burst 1
rate 50/minute
}
log enable
protocol icmp
}
}
/* The router sends ICMP redirects to LAN hosts (normal for a gateway) but ignores received ones. */
receive-redirects disable
send-redirects enable
/* NOTE(review): reverse-path filtering is off. With a single default route over a /30
   WAN, "source-validation strict" would also drop spoofed sources that the BOGONS list
   does not enumerate - confirm there is no asymmetric routing before enabling it. */
source-validation disable
/* SYN cookies protect the router's own listeners against SYN floods. */
syn-cookies enable
}
/* Interfaces: eth0 is one LAN segment, eth1 is the WAN, and eth2-eth4 are grouped
   into switch0 as a second LAN segment. */
interfaces {
/* LAN segment 1, 192.168.1.0/24. Filtered by LAN_IN (through traffic) and LAN_LOCAL
   (traffic to the router); both chains are default-accept. */
ethernet eth0 {
address 192.168.1.1/24
description LAN
duplex auto
firewall {
in {
name LAN_IN
}
local {
name LAN_LOCAL
}
}
speed auto
}
/* WAN: static /30 from the ISP (address redacted by the poster). WAN_IN and WAN_LOCAL
   are the default-drop chains. */
ethernet eth1 {
address *Vendor IP here*/30
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
/* PoE is switched off on the WAN port - nothing upstream should be powered from here. */
poe {
output off
}
speed auto
}
/* eth2-eth4 carry no addressing or firewall of their own; they are members of switch0 below. */
ethernet eth2 {
duplex auto
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
loopback lo {
}
/* LAN segment 2, 192.168.2.0/24, one broadcast domain across eth2-eth4. Uses the same
   two default-accept chains as eth0, so the two LAN segments route to each other freely. */
switch switch0 {
address 192.168.2.1/24
firewall {
in {
name LAN_IN
}
local {
name LAN_LOCAL
}
}
switch-port {
interface eth2
interface eth3
interface eth4
}
}
}
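/* Services the router itself offers. Management (GUI, SSH) and the DNS forwarder are
   bound to LAN addresses only; the WAN side is only ever a NAT masquerade source. */
service {
dhcp-server {
disabled false
/* Leases for the switch0 segment; the router advertises itself as gateway, DNS and NTP. */
shared-network-name switch {
authoritative enable
description switch
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
ntp-server 192.168.2.1
start 192.168.2.10 {
stop 192.168.2.254
}
time-server 192.168.2.1
}
}
/* Leases for the eth0 segment, same shape. */
shared-network-name wired-eth0 {
authoritative enable
description "Wired Network - Eth0"
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 192.168.1.1
lease 86400
ntp-server 192.168.1.1
start 192.168.1.10 {
stop 192.168.1.254
}
time-server 192.168.1.1
}
}
}
dns {
forwarding {
cache-size 150
/* The resolver binds to the two LAN interfaces only. The original config also had
   "listen-on eth1" (the WAN). That served no purpose - DHCP hands LAN clients
   192.168.x.1 - and it meant that WAN_LOCAL's default drop was the only thing
   stopping the router from being an open resolver; a single accept rule for
   UDP/53 from the WAN would have exposed it for amplification abuse. Do not bind
   services to the WAN interface that the WAN is not supposed to reach. */
listen-on eth0
listen-on switch0
/* Forward to the name-server entries configured under system. */
system
}
}
/* HTTPS management UI on the two LAN addresses only - not on the WAN address. */
gui {
https-port 443
listen-address 192.168.1.1
listen-address 192.168.2.1
}
nat {
/* Every outbound flow leaves eth1 with the WAN address as its source.
   NOTE(review): both IPsec appliances therefore appear to the remote side behind one
   public address; whether the remote ASAs handle two peers behind the same NAT is
   outside this config. */
rule 5010 {
description "WAN MASQ"
log disable
outbound-interface eth1
protocol all
type masquerade
}
}
/* SSH on the two LAN addresses only, protocol version 2 only. */
ssh {
listen-address 192.168.1.1
listen-address 192.168.2.1
port 22
protocol-version v2
}
/* NOTE(review): UPnP lets any host on either LAN segment open inbound NAT ports
   without further checks. It is kept here because the poster's running config has it;
   unless a LAN application actually depends on it, remove this stanza. */
upnp {
listen-on eth0 {
outbound-interface eth1
}
listen-on switch0 {
outbound-interface eth1
}
}
}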
/* System-level settings: default route, hostname, IPv6, login, upstream DNS, NTP,
   Debian package sources and syslog. */
system {
/* Next hop on the /30 WAN link (redacted by the poster). */
gateway-address *Vendor IP here*
host-name ubnt-CBG
/* IPv6 is disabled globally; consistent with the firewall defining no IPv6 rule sets. */
ipv6 {
disable
}
login {
banner {
post-login "Welcome to EdgeMAX"
pre-login "\n\n\t UNAUTHORIZED USE OF THE SYSTEM\n\n\t IS PROHIBITED
! \n\n "
}
/* NOTE(review): this is the factory-default account name at admin level. Create an
   admin user with a different name and delete ubnt, so a credential guess has to find
   the username as well as the password. */
user ubnt {
authentication {
encrypted-password ****************
/* NOTE(review): EdgeOS normally replaces plaintext-password with the hash on commit.
   If this node really persists in the saved config, the secret is stored in clear - confirm. */
plaintext-password ****************
}
level admin
}
}
/* Upstream resolvers used by the DNS forwarder: three ISP servers, then Google public DNS. */
name-server 24.196.64.53
name-server 68.155.71.53
name-server 24.178.162.3
name-server 8.8.8.8
name-server 8.8.4.4
/* Time comes from the Ubiquiti NTP pool only. */
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
/* Debian squeeze repositories, fetched over plain HTTP. Package integrity then rests
   on apt's Release-file signatures (nothing in this config pins a key), and whatever is
   installed from here runs as root on the router - keep the set small. Squeeze has
   since left Debian security support, so these sources no longer deliver fixes.
   NOTE(review): a (masked) password is set with an empty username on both entries -
   presumably a template placeholder; confirm it is not a real credential. */
package {
repository squeeze {
components "main contrib non-free"
distribution squeeze
password ****************
url http://ftp.us.debian.org/debian/
username ""
}
repository squeeze-updates {
components "main contrib"
distribution squeeze/updates
password ****************
url http://security.debian.org/
username ""
}
}
/* Everything at notice and above; the protocols facility at debug, which is useful
   while chasing the tunnel drops but noisy in steady state. */
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
/* UTC timestamps are the easiest to correlate with the ASA-side logs. */
time-zone UTC
}
