Message Timeout - Alternating IP

NDaV

Good morning

Before I make a fool of myself and rip the ISP a new one, has anyone seen this behavior? BOVPN phase 1 failure. Remote end (configured as dynamic) initiates the connection, but it appears in the time between starting the connection and the phase 1 negotiation completing, the remote end IP changes. It's always the two addresses alternating.

Remote end is on a HFC NBN (cgnat?) connection. Sometimes it all works fine and the tunnel will be up for a few days, but at the moment it's been down for a week.

Has anyone seen this behavior?

james.carson

If you have two gateway endpoints set up in the phase 1 settings, the firewall will go down the list and repeat if the previous one is not reachable.

Message retry timeout suggests the remote side is not responding. If the remote side is CGNAT'ed, you'll likely need that side to initiate the tunnel, since you won't necessarily be able to reach out to it directly.

NDaV

@james.carson said:
If you have two gateway endpoints set up in the phase 1 settings, the firewall will go down the list and repeat if the previous one is not reachable.

Message retry timeout suggests the remote side is not responding. If the remote side is CGNAT'ed, you'll likely need that side to initiate the tunnel, since you won't necessarily be able to reach out to it directly.

Thanks James

Only one gateway endpoint setup in the config on both devices and the remote end is setup as dynamic (Any) so it is the one that initiates the connection not the central office firebox.

This is why I'm finding this is so weird - our central office firebox is being given two different IP addresses for the remote firebox, which comes from the remote ISP (both the IP addresses belong to the ISP at the remote end). Feels to me like an aggregator/load balancer has shat its pants.

james.carson

@NDaV My best suggestion would be to create a support case so that one of our technicians can look at your firewall and give you a more concrete answer.