11-03-2018 09:12 PM
I've had a ticket open with Ubiquiti support for 44 days now and have not had a single response from their top tier support (was escellated over 20 days ago) so I figured I'd come here and see if maybe someone in the community can help.
We have 6 USG Pro's, all with tunnels to each other. Starting around the end of September, I think after we upgraded them all to the newest firmware (126.96.36.19924212), the gateways will drop the tunnel when they re-key. I can watch this happen, and have provided Ubiquitit support with videos of pings failing in one window while tail -f the log and as soon as the tunnel I'm pinging across starts the re-key process the ping drops. It then takes 90-180 seconds for the tunnel to re-establish and the pings to resume.
The one thing that the 2nd tier support had me try was to change to IKE2, but that didn't make any difference, still drops. We also swapped one of the units with a brand new USG Pro (our spare) and it still happens after that swap.
Is any one else having this problem?
Any one have any ideas on what I can do to try and fix this?
11-08-2018 02:16 PM
I have the EXACT SAME problem.
I have two USG 3P units with their own cloudkeys, and I use them exclusively for Cisco Videoconferencing between the two locations and a 3rd site (another company).
Originally - sometime in september, maybe a little earlier, I noticed the conferencing just flat out stopped working between the Codec's behind the USGs, but worked if dialing directly to a room or CODEC at the other company.
I swore they changed something on their end... the original configuration routed all videoconference traffic to the other company and back out to our remote site.
After weeks of troubleshooting, I decided to bring up a VPN directly to our remote site (the 2nd USG3P). It worked!... sorta.
I've learned a lot (in the last 4 weeks) about dilaing into the USG via Putty, and now i know that every 42min (exactly) its rekeying. When it rekeys, the tunnel goes down for about 3min... comes back up, and has 39min left before rekeying.
I was escalated to 2nd tier support... ive given them logs from the USG shell.
Last week, the tunnel would usually show correctly, for example:
192.168.10.224/28 == 192.168.10.241/28
Today, all it ever shows is:
0.0.0.0/0 == 0.0.0.0/0
Oddly enough, the tunnel still works for 42min (minus 3 during rekeying) at a time.
11-08-2018 04:34 PM - edited 11-08-2018 04:37 PM
I have been experiencing VPN issues too, the interruptions in traffic I did not know were due to rekeying so today I learned something. But I also have the issue that at least one of my sites (5 in total) will have site-2-site VPN go down for no apparent reason once every 15 days or so. Today was one such day, I connected to the USG on both sites and both reported tunnel up with show vpn ipsec status, but no traffic would get through.
Rebooting one of the USGs was enough to restore it. Sooooo frustrating!
It is just sad that such basic features are so problematic. Site-2-site for me is a painpoint for the entire period I have been running with Unifi and I have seen zero progress in the last year. Not on their priority list, but I just do not understand why.
11-09-2018 07:04 AM - edited 11-09-2018 07:05 AM
I think the problem is related to the upgrade to Strongswan 5. There must be some bug in Ubiquiti's implementation of strongswan.
@UbiquitiCome on, give us some help!
I have this same issue...
I have a USG Pro 4P with IPSEC to two USG's which I am seeing the tunnel dropping almost every hour for about 1 min. Then comes back.
Ping across VPN is lost.
Ping to WAN is fine during the time of VPN drop.
Opened a ticket with support as well, this is quite an annoying problem for users trying to work remotely with this VPN.
Its been a few weeks and support never got back to me. I couldn't wait as we used this VPN strictly for Cisco Videoconferencing between our two locations, and we have meetings every month. Saves several people a 2hr drive to attend the meeting, plus increasing safety by avoiding multiple long drives.
I started by switching my local side over to a Cisco Meraki MX64. (I use these for our main VPN anyway)... after switching just my local side out, the remote side USG no longer seemed to have the rekeying issue.
So, either the problem was generated by software/hardware on my local side, or simply having two USG's establish the connection is causing the problem.
Now, I did REPLACE my USG on the local side a few weeks ago (problem continued) so i'm leaning towards it being caused by either two USG's on both ends of the VPN, or something else from ubiquity causing the issue... possibly the Cloud Key?
I never swapped cloud keys.