The lights are on but no one is at home SITE-SITE VPN
Tunnel was running fine for many months and then suddenly stopped working with the results below. Deleted and rebuilt manually and then again using the wizards on each appliance. Always comes back to the same problem:
Network A is TZ350 and Network B is NSA2700
IPSec VPN tunnel green.
Hosts in Network A cannot ping anything in Network B, not even the GW, but the TZ in A itself can ping any host in Network B successfully.
Hosts in Network B cannot ping hosts in Network A but they CAN ping the gateway in network B. And the NSA in Network B can ping the inside gateway of the TZ in Network A but no hosts inside the network.
The NSA in Network B logs:
"IKE Initiator: Start Quick Mode (Phase 2)."
Then:
“IKE negotiation aborted due to Timeout”
But yet the tunnel is established and green
The TZ in Network A logs:
“IKE Initiator: Start Quick Mode (Phase 2) IKE Initiator: Start Quick Mode (Phase 2)”
And then:
“IKE negotiation aborted due to Timeout”
But yet the tunnel is established and green
What gives? It was working. It stopped and nothing can get it back up again
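The two log messages quoted above (a Phase 2 "Start Quick Mode" followed by "IKE negotiation aborted due to Timeout") while the tunnel still shows green are worth correlating per remote gateway rather than reading one at a time: Phase 1 can complete, so the tunnel indicator stays up, while the Phase 2 SA for the subnet pair never gets built and host traffic has nothing to ride on. The script below is an added example, not code from this thread or from SonicWall; it assumes a syslog-style export with a leading timestamp and a `peer=` column (constructed here), pairs each timeout with the most recent unanswered Phase 2 start from the same peer, and flags peers with repeated timeouts.

```python
import re
from datetime import datetime, timedelta

START = "Start Quick Mode (Phase 2)"
TIMEOUT = "IKE negotiation aborted due to Timeout"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) peer=(\S+) (.*)$")

# Constructed sample export (not a real capture). The message texts are the
# ones quoted in the post; the leading timestamp and the peer= column are
# assumed syslog-style fields so events can be grouped per remote gateway.
SAMPLE_LOG = """\
2024-01-10 09:00:01 peer=203.0.113.10 IKE Initiator: Start Quick Mode (Phase 2).
2024-01-10 09:00:31 peer=203.0.113.10 IKE negotiation aborted due to Timeout
2024-01-10 09:01:02 peer=203.0.113.10 IKE Initiator: Start Quick Mode (Phase 2) IKE Initiator: Start Quick Mode (Phase 2)
2024-01-10 09:01:32 peer=203.0.113.10 IKE negotiation aborted due to Timeout
2024-01-10 09:02:00 peer=198.51.100.7 IKE Initiator: Start Quick Mode (Phase 2).
"""


def parse(text):
    """Yield (timestamp, peer, message) for every line matching the assumed layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines without the assumed fields are ignored
        yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def analyze(text, window=timedelta(seconds=120), threshold=2):
    """Per peer: count Phase 2 (Quick Mode) starts and the timeouts that follow them.

    A timeout is paired with the peer's most recent unanswered start if it falls
    within `window`. A peer with at least `threshold` timeouts is flagged: Phase 1
    can be complete (tunnel shown as up) while no Phase 2 SA for the subnet pair
    is ever built, which is the 'green tunnel but hosts cannot ping' pattern.
    """
    state = {}
    for ts, peer, msg in parse(text):
        s = state.setdefault(peer, {"attempts": 0, "timeouts": 0, "pending": []})
        if START in msg:
            # Some exports repeat the message inside one line; treat it as one attempt.
            s["attempts"] += 1
            s["pending"].append(ts)
        if TIMEOUT in msg:
            s["timeouts"] += 1
            # Keep only starts still inside the correlation window, then retire
            # the newest one as the attempt this timeout belongs to.
            s["pending"] = [t for t in s["pending"] if ts - t <= window]
            if s["pending"]:
                s["pending"].pop()
    return {
        peer: {"attempts": s["attempts"], "timeouts": s["timeouts"],
               "flag": s["timeouts"] >= threshold}
        for peer, s in state.items()
    }


if __name__ == "__main__":
    for peer, r in analyze(SAMPLE_LOG).items():
        status = "REPEATED PHASE 2 TIMEOUT" if r["flag"] else "ok"
        print(f"{peer}: {r['attempts']} attempts, {r['timeouts']} timeouts -> {status}")
```

Run it over an export from each appliance separately: if both sides show starts that only ever end in timeouts for the same peer, the Phase 2 proposals (subnets, transforms, lifetimes) or something in the path between the gateways is the place to look, not the Phase 1 tunnel state. The `peer=` column is an assumption of this example; map it to whichever field in your export identifies the remote gateway.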
Best Answer
did your ISP have a maintenance update right before the problem? Ours are known to take out one of our sites when they do their changes lol
—blue
Answers
@DesertSweeper is there Double NAT involved in this scenario? I'm facing this issue a lot when there is a router in front of the SNWL. I never had the chance to figure out the final reason for that.
Sometimes it helps to restart one side, but not always.
—Michael@BWC
Yup it seems the ISP is somehow filtering the traffic - perhaps shaping. Others report issues with the ISP. Just so strange that the tunnel is established and that some traffic selectively passes. They are apparently trying to force customers to pay more for unfiltered managed connections.