RT-AC88U VPN IPSec Passthrough issue

[Cristi Cotet]

We use a RT-AC88U router as an internet gateway with one public IP and multiple internal hosts.
We have a Centos 7.4 Virtual Machine that connects to an external VPN server using IPsec.
The VPN connection drops about 6-12 times a day and cannot reconnect even if we restart the Virtual Machine.
If we reboot the router the VPN works again. This is why we belive the problem is with the Asus router.

VPN Status:
000 #1403: "connection-name-removed":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 24s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
1403: pending Phase 2 for "connection-name-removed" replacing #0
At the other end there is a Juniper SRX240. From Juniper Log + documentation the problem seems to be invalid Pre Shared Key but the PSK is not changed. Only rebooting the Asus Router resolved the issue so we belive the Asus router starts to change the packets is such a way that the other end can't decode them any more and the reported error is with the PSK.

We think there is a correlation between internet connection going down for a second and coming back up and VPN issue.
If we don't reboot Asus router the VPN connection cannot be established even after 24 hours.

 

[OzarkEdge]

The VPN connection drops about 6-12 times a day and cannot reconnect even if we restart the Virtual Machine.

We think there is a correlation between internet connection going down for a second and coming back up and VPN issue.
If we don't reboot Asus router the VPN connection cannot be established even after 24 hours.

Are you saying there is an Internet connection instability problem separate from the router/VPN not recovering?

OE

 

[Cristi Cotet]

Are you saying there is an Internet connection instability problem separate from the router/VPN not recovering?

OE

We are not 100% sure but we think this is the trigger. A few times happened that at least one colleague reported brief internet connection issue (eg: one page load error) exactly before the VPN connection drops on the Virtual Machine. Personally I always have SSH sessions opened (via putty) but they are not affected by the brief internet connection issue.
99% of the traffic is directly routed to the internet..only a few computers have a static route for one IP range to go through Virtual Machine and therefor through VPN to access a clients internal servers.

 

[OzarkEdge]

I asked the question to clarify your original statement, and you did. I don't think I can offer any pointed help other than to wonder if the VPN issue is a symptom of another problem relating to the Internet connection... and that it could be as mundane as dodgy interconnects/cabling. If you are losing connectivity 6-12 times a day, that would be the first problem to address, imo... if only to keep the users happy.

There must be a log somewhere to confirm Internet up time...

OE

 

[Cristi Cotet]

Well.. even if there is a temporary connection issue (there is definitely not a permanent connection issue) I'm expecting the VPN connection to be reestablished. "ipsec restart" does nothing, Virtual Machine reboot does nothing... something bad happens on the router that block any future attempt to start the VPN connection. I've logged in on router/ssh and checked iptables before and after the issue happened. There is no change. I wanted to try to restart various services maybe I find the one causing the problem but didn't succeeded (I don't know what command to run and the one's I've found doesn't seem to work).
Firmware is official. Latest version: 3.0.0.4.384_20379-gc0714df