This article provides some tips to help troubleshoot VPN connections that frequently disconnect.
1. Make sure the WAN connection is stable
Since VPN tunnels are established through the Internet connection, it requires a stable WAN connection. Unstable WAN connections will result in VPN tunnels. To check if the WAN connection is stable, go to Online Status page and check the Up Time of both VPN Routers’ WAN interfaces. This will confirm if this is the cause of the problem.
2. Enable “Always On” for Dial-out profiles (VPN clients)
For LAN-to-LAN profiles, the Idle Timeout is set to 300 seconds by default. This means the router will disconnect the VPN connection if no traffic is detected over the VPN connection for 300 seconds. If you don’t want the VPN to be disconnected, select “Always on” for the Dial-out profiles.
3. Set “Idle Timeout” to 0 for Dial-in profiles (VPN server)
Similarly, if you don’t want the VPN server to disconnect the VPN tunnel when not traffic is detected, set “Idle Timeout” to 0.
4. Disable “PING to Keep Alive”
“Ping to Keep Alive” option is using ping to detect if the IPsec connection is alive or not. If the Ping Target IP is not responding Ping, IPsec VPN connection will drop every 60 seconds. Since most Vigor Routers support Dead Peer Detection (DPD) to detect IPsec connection, it is recommended NOT to enable the Ping to Keep Alive option if you are having VPN disconnecting problem.
5. Check if the IKE Key Lifetime setting is the same on both VPN routers
If the IPsec VPN disconnects on a certain interval, e.g. 1 hour, the disconnection may be due to an IPsec Re-key failure. An IPsec Re-key failure could be caused by the mismatched Key Lifetime setting on both VPN routers. Please use the same key lifetime setting on Vigor Router and the remote VPN server. If the disconnection still occurs at the key renew time, we may configure the lifetime to a shorter one for a try.
If none of the above steps improve the VPN connection stability, please provide the following information for further analysis:
- Remote Access to both Vigor Routers: Enable “Allow management from the Internet” and provide both Vigor Router’s WAN IP, HTTP Port and Login Password for our technical support to access your router.
- The Syslog on both Vigor Routers until the VPN disconnection occurs.