DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Draytek 2955 - L2TP vulnerability causing reboots?

07 Nov 2018 21:43 #1 by peter-h
Hi All,

I run two of these, latest firmware (actually quite old firmware, 2016) at two sites.

Both on the same BT exchange, ADSL.

Dec 2017 both started rebooting, a few times per day. Most people would not notice the disconnect and ADSL re-negotiation (takes 120 secs) but on one site I get SMS notifications so it is noticed each time :) Plus we have a 3G backup there (A&A ISP) so we notice the 3G bills if it doesn't renegotiate quickly :)

Different ISPs (A&A for one, and ZEN and later Voda for the other). Similar reboot frequency. Interestingly, often but not that often, both routers reboot within minutes of each other. Yet their IPs are very different (different ISPs). Only the A&A IPs are publicly visible via DNS. The Voda one (just 1) is not DNSd.

Reboots spread through the day but I feel more of them happen in the evening/night.

The router configs are fairly basic, with both running a web server on a subnet, and some other stuff. Different configs. Both installations have been the same config for years.

I have, on both, for years had some IPSEC & PPTP VPNs configured (site-site and teleworker) identically. Also SSL VPN but it was never really used, due to the SSL client complications (have to start up a browser).

At some point, MIGHT have been Dec 2017, I set up an L2TP/IPSEC VPN instead of the PPTP, for "better compatibility" :) It worked... also disabled the SSL VPN.

At some point the rebooting became a hassle. BT were involved and found some stuff on the copper wires, fixed that, and later did a "lift and shift" in the exchange (meaning: swap the copper to another pair). No change. But obviously the router should never just reboot; this must be a bug.

I disabled all the DOS protection stuff - it isn't suitable anyway for ADSL which is easily saturated via the much faster downlink. It is also difficult and potentially dodgy code, with all the various concurrent timers etc. No change.

Draytek entered into some comms, and after a load of boilerplate stuff like "reset to factory config and re-enter everything by hand" (which would be an admission of truly bad software!) asked for

telnet 192.168.1.1
Where 192.168.1.1 is the IP address of the router.
Then type this command
sys ver dbg

and that returns this
Rest in Part 2, due to the 3000 byte post size limit!

07 Nov 2018 21:45 #2 by peter-h
PART 2:

> sys ver dbg
Router Model: Vigor2955 Version: v3.3.2.1 English
Profile version: 3.0.0 Status: 1 (0x837bfdf1)
Router IP: 192.168.1.1 Netmask: 255.255.255.0
Firmware Build Date/Time: Thu Dec 22 9:25:31.21 2016
Revision: 61450 2950FW

firmware exception debug info

CodeAddr=0x0018a5a0, DataAddr=0x011e29d8, Data=0x47455420,
Task=0x0000003d
system tick =349084; Status:2 (0:Undefined 1:Prefetch 2:Abort)
CURRENT_VERSION : v3.3.2.1_
get from address : 0x03f00000

which should definitely mean something pretty specific to whoever wrote the code (I am a programmer too, assembler and C) but Draytek never commented further. I assume they don't want to fix firmware frozen in 2016.


Then I disabled the L2TP teleworker VPN and it has stopped!

My theory is that some Chinese hackers are doing this, and hopefully succeeding only in rebooting it. (We did not suffer from the widely publicised DNS IP hack - I checked that, plus Draytek "sort of" imply the 2955 is not vulnerable).

If this is a real fix, I wonder what teleworker VPN I should try which works with

- winXP
- win10
- android 5
- android 7

All these clients worked with PPTP but some public wifi networks block that. I have a port 443 VPN (Softether) for problems like that (terminator is on a unix server somewhere) and it works brill, but that didn't pass through PPTP.

And specifically android 5 does not work with L2TP at all AFAICT but I accepted that as not worth the hassle.

Alternatively, and I believe the 2955 firewall is right at the front, on the WAN interface, could there be a simple fix? Obviously if it was a hacker and his IP was fixed then I could just block that, haha :)

Thank you all for reading this far.

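A small triage helper, added here as an example (not code from the thread or from DrayTek): it parses the exception block quoted above, names the status class using the router's own legend, and renders the 32-bit Data word as ASCII, where 0x47455420 happens to spell "GET ", the kind of clue worth recording before comparing dumps taken from the two routers. The sample text is a copy of the output posted above.

```python
import re
import struct
from typing import Optional

# Constructed copy of the `sys ver dbg` exception block quoted in the thread.
SAMPLE_DUMP = """\
firmware exception debug info

CodeAddr=0x0018a5a0, DataAddr=0x011e29d8, Data=0x47455420,
Task=0x0000003d
system tick =349084; Status:2 (0:Undefined 1:Prefetch 2:Abort)
CURRENT_VERSION : v3.3.2.1_
get from address : 0x03f00000
"""

# Exception classes exactly as the router's own legend labels them.
STATUS_NAMES = {0: "Undefined", 1: "Prefetch", 2: "Abort"}

_FIELD_RE = re.compile(r"(CodeAddr|DataAddr|Data|Task)=0x([0-9a-fA-F]+)")
_STATUS_RE = re.compile(r"Status:(\d+)")
_TICK_RE = re.compile(r"system tick\s*=\s*(\d+)")


def word_as_ascii(word: int) -> Optional[str]:
    """Render a 32-bit word as four big-endian bytes if all are printable ASCII."""
    raw = struct.pack(">I", word & 0xFFFFFFFF)
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None


def parse_exception_dump(text: str) -> dict:
    """Extract the fault registers, status class and uptime tick from one dump."""
    fields = {name: int(hexval, 16) for name, hexval in _FIELD_RE.findall(text)}
    status = int(_STATUS_RE.search(text).group(1))
    tick = int(_TICK_RE.search(text).group(1))
    return {
        "code_addr": fields["CodeAddr"],      # faulting instruction address
        "data_addr": fields["DataAddr"],      # address the faulting access touched
        "data": fields["Data"],
        "data_ascii": word_as_ascii(fields["Data"]),
        "task": fields["Task"],
        "status": status,
        "status_name": STATUS_NAMES.get(status, "Unknown"),
        "uptime_ticks": tick,
    }


def same_crash_site(a: dict, b: dict) -> bool:
    """Same faulting address and class across reboots or routers = one repeatable bug."""
    return a["code_addr"] == b["code_addr"] and a["status"] == b["status"]
```

Collecting the dump after each reboot and comparing `code_addr` across the two sites is what turns "both routers reboot" into evidence of a single firmware fault.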
08 Nov 2018 01:39 #3 by hornbyp
In case you've not seen it, there's a guide (to solving all your problems) here: https://www.draytek.co.uk/support/guides/kb-troubleshoot-reboot

Moving swiftly on :roll: ...

Some thoughts ...


  • Sometimes, Draytek Routers do just get themselves in a knot. I configured and tested a 2830n, took it to a remote site, made the simplest of config. changes to match its new location ... and the damned thing just booted and crashed and booted and crashed repeatedly. I ended up having to Factory Reset it and enter everything from scratch :x While I was about it, I added a scheduled reboot, in case it ever hung. Of course the only time it has ever hung is while doing that scheduled reboot :!:

  • Have you contemplated saving the config., loading the .RST version of the latest firmware and then re-loading the config.? Things might just end up in different memory locations that it's happier with.

  • Syslog - might just shed some light on things. I can't see any harm in firing it off to a remote site, if necessary. The latest 2860 NAT "Open Ports" config. has a 'Source IP' field, so I don't even think you need a Firewall Rule. (Though if you start receiving ???????? you know you do :wink: )

  • I don't suppose that the 2955 firmware acquired the 'Country Code' stuff, did it? Theoretically, this makes it easy to firewall off entire countries (though I'm a little sceptical).



Now to VPNs ... which I've been playing around with of late. The question is, have you disabled some troublesome function ... or a troublesome person :?:

SSL VPN's connect quickly and easily from Android (using the Draytek SmartVPN app). AFAIK, they work without issue on Android 4,5,6,7 & 8. (No need to use the Web interface). They connect extremely quickly - though the actual throughput is not great. The Windows version works OK too - though you'll probably need to dig around for an older version for the Windows XP machine(s). ( Windows XP? ... are you sure you should still be using that :wink: )

The Windows version of SmartVPN is pretty good at setting up pure IPSec 'Transport Mode'? VPNs as well - far easier than ploughing through the IPSec Policy snap-in. The main complication is figuring out a suitable DNS configuration for mobile users. (Transport Mode being the one, where you suddenly get this magical link to the remote network, without being issued with an IP from the far end. (I think!))


Now I've gone over 3000 characters :D

08 Nov 2018 01:47 #4 by hornbyp
Re: L2TP/IPSec. Plenty of entertaining issues here...
My old 2830 will not allow Android clients to connect. The conversation stops before it really gets started ... I just don't think they have anything in common any more :roll:

My 2860 fares better - though there are some oddities at work.

The Android client (at least on 8.0) uses "IPSec Main mode" by default. Draytek's documentation would have you believe that it is necessary for both ends to already know one another's IP addresses. It certainly is for a site-to-site VPN. By whatever sleight of hand, it does authenticate IPSec - using the 'General IPSec Pre-shared Key'.

I see an issue here - every client (including the devices you've lost, sold, had stolen etc) uses the same key :(
Of course, the L2TP part of the conversation is authorised separately, but once they've got the IPSec SA established, maybe your average hacker won't bother with that bit...

You can force an Android client to use "Aggressive Mode" (by entering some text in the box marked 'IPSec Secret (not used)') ... but I can't get the 2860 to match it against a Dial-in User profile. Certificates work OK (at least with the 2860), but of course, there's a not inconsiderable amount of admin involved.

I tried (and failed) to get Soft Ether to connect to the Vigor. I gave in, mainly because I decided the shortcomings I was trying to fix were at the Draytek end.

My VPN experiments managed to crash the 2860 on one occasion - and at one point it was insisting all my certificates were invalid. On reboot, they were suddenly all valid again :roll:

08 Nov 2018 11:33 #5 by peter-h
I think my post(s) above show the sum total of my VPN expertise :) so my next Q is: is there some other VPN I could try?

Working on the assumption that the L2TP is indeed the issue and somebody port-sniffed it and is now banging it, is there a "just IPSEC" one? I also don't mind trying the SSL VPN, but in the past I had to start a browser to use it, and the server then downloads an active-x or java app which then provides the "socket" at the client end. I don't understand why an SSL VPN cannot be implemented in the OS just like all the others.

What is the point of L2TP?

Any VPN port will be detectable to anybody sniffing the IP, and they will try to hack it. So it will only ever be as strong as the login credentials, surely? There is a thing called "door knocking" but I don't think any OS implements it.

I am not bothered about the shared secret, because if I stop using a phone or a tablet or a laptop, it will be carefully wiped, or destroyed. (all my android devices are rooted, of course).

The site-site IPSEC VPN does have an option for setting the caller's IP, and that helps with security, but it isn't necessary.

The 2955 has no country block.

Draytek's sudden silence suggests they have either found something (and don't want to update the firmware because they want you to buy a new box) or they suspect they know what it is but aren't going to fix it. The problem for me is that unless they own up to it, there is zero assurance a new £300 box will not have the same issue. Let's face it, most users would never notice the breaks.

Would syslog logging pick up a rogue packet which crashes and reboots the router? There must be thousands or millions of packets going through; each UDP packet is c. 1000-1500 bytes.

ALSO: two 2955 routers are doing the same thing at two different sites. This must be indicating something. Also each router has been swapped (we have spares), and the ADSL modems likewise (we have Zyxel and Draytek; no difference). I even replaced a 16 port ethernet switch with a different brand because I read that some broadcast issues from the switch were crashing Draytek routers.

The winXP thing is just a backup laptop which I sometimes carry on long trips. My normal travel laptop is win10. XP is fine; you need to keep off the p0rn websites and such, and use a properly filtered email feed (we use Messagelabs).

08 Nov 2018 13:34 #6 by hornbyp
peter-h wrote: .. so my next Q is: is there some other VPN I could try?

OpenVPN seems popular ... but you'd have to pass it thru the 2955 (presumably) and onto a separate OpenVPN server, somewhere in your infrastructure.
See also: https://www.draytek.com/en/faq/faq-vpn/vpn.others/security-and-performance-comparison-of-vpn-types-which-vigor-router-supports

peter-h wrote: Is there a "just IPSEC" one? I also don't mind trying the SSL VPN, but in the past I had to start a browser to use it, and the server then downloads an active-x or java app which then provides the "socket" at the client end. I don't understand why an SSL VPN cannot be implemented in the OS just like all the others.

You can definitely have it connect in a 'normal' VPN manner (using Draytek's clients). Android 8.0 has IPSec/XAuth (Samsung has IKE V2). The latter will (again, presumably) be of no use with the 2955; the former, I rejected because I could only get it to work with the 'pre-shared' XAuth key. (I'm betting the 2955 doesn't do XAuth anyway)

peter-h wrote: What is the point of L2TP?

AIUI, adding L2TP stops the data being recorded and replayed...probably essential for financial transactions, but not that big a deal for the rest of us...
EDIT - and is a means of adding per-user authentication.

peter-h wrote: I am not bothered about the shared secret, because if I stop using a phone or a tablet or a laptop, it will be carefully wiped, or destroyed.

I couldn't guess the size of your 'infrastructure' ... or how many staff (and ex staff) might know that PSK :)

peter-h wrote: Would syslog logging pick up a rogue packet which crashes and reboots the router? There must be thousands or millions of packets going through; each UDP packet is c. 1000-1500 bytes.

The messages are at a much higher level than that. I would expect to be able to at least see the start of any VPN connection attempt.