Flexy 201 no traffic

flexy
configuration

#1

Good morning,

We have a problem with the Flexy eWONs.

To sum up:

Connection to eFive25_1 (firmware 1.1.1): no problem, regardless of series

Connection to eFive25_2 (firmware 1.1.1): no problem for 4xxx Cds. For Flexy, the eFive can see the device coming (the connection goes from “down” to “up” on the web interface), but no traffic passes until the eFive has been restarted (while all the other tunnels are operational).

Concretely, since only Flexy are affected by this dysfunction, I don’t see what element on our network could be problematic: connections to eFive 2 go through the same routes and enable the same rules on firewalls, regardless of the eWon model.

Since these eFives are in production, we cannot carry out too many tests without penalizing the operation of our units.

Thank you in advance,
Cordially.


No traffic with flexy
#2

Good morning,

We have a big problem with eWON flexy 201 for several months.

To sum up:

We actually have 2 eFive.

Connection to eFive 1 (firmware 1.1.0 & 1.1.1): no problem, whatever the series
Connection to eFive 2 (firmware 1.1.1): no problem for 4xxx Cds. For Flexy, the eFive can see the device coming (the connection goes from “down” to “up” on the web interface), but no traffic passes until the eFive has been restarted (while all the other tunnels are operational).

Concretely, since only Flexy are affected by this dysfunction, I don’t see what element on our network could be problematic: connections to eFive 2 go through the same routes and enable the same rules on firewalls, regardless of the eWon model.

I had updated the last firmware 13.0 on flexy 201, but the problem was still present. I will try the latest firmware released to date, so the 14.0PR.

Thanks for your help,

Cordially


#3

Hi @davidc,

eFive 1 has both firmwares installed?

How many clients are connected to each server? How Many of those are Flexys and are they all 201s? Are they all on the same firmware?

Do you have a Flexy with firmware 11.2 or lower you can test?

We will need to see the logs from the Flexy and the server in order to diagnose this problem. Please make backups of the Flexys using eBuddy and check “Include Support files” box. You can attach those to your response.

Thank you,

Kyle


#5

Hello,

Sorry, I was wrong eFive 1 has 1.1.0 firmware and eFive 2 1.1.1.

Since eFive 2 is in production, we cannot carry out too many tests without penalizing the operation of our units. I will be able to use eFive 1 to make test.

eFive 1 = 0 client connected
eFive 2 = 10 out of 31 clients connected

We no longer use Flexy in production since the appearance of the problem and whatever firmware version or flexy model. It was exactly the same problem.

Ok, I will send later logs from Flexy and the server eFive 1. Actually my Flexy 201 for the test has firmware 13.0, is it possible to downgrade firmware with eBuddy tool ?

Thank you.


#6

Hi @davidc,

Here are the firmware downgrade instructions:

And the webpage is here: https://websupport.ewon.biz/support/product/downgrade/downgrade

The firmware download page is here: https://websupport.ewon.biz/support/product/manual-firmware-update/manual-firmware-download

The P-Code is the last 2 digits of the serial number. (Flexy 201 is always 21)

I would recommend trying firmware 11.2s2.

Kyle


#8

Hello,

I tried to download the firmware P-21 11.2s2, but it is impossible to choose the language “FR”. It stay blocked on “MA” language on the following link :

https://websupport.ewon.biz/support/product/manual-firmware-update/manual-firmware-download

Where can I export/download the eFive server logs? In the Logs section, Logs Summary -> Export?

I will have to wait until tomorrow to be able to access today’s logs.

I can send you logs from my eWon Flexy 201 for now with 14.0(PR) firmware.

MOVED TO STAFF NOTE (376 KB)

Thank you.
Regards,


#10

The “MA” firmware should include all the languages.

Logs are in /var/log .

I will check this backup for now.

Thanks,

Kyle


#11

Hello, thank you for your answer,

I will provide connection logs on between the eWon flexy 201 (account vpn : plateforme_test) and the eFive2 server.

I used a SSH connection to get all files from /var/log. I send you logs /var/log from server eFive 2.

The eWon flexy201 trying to connect to eFive 2 is plateforme_test.

I will show you some screenshot.

The eFive can see the device coming (the connection goes from “down” to “up” on the web interface)

But in Flexy201 Web Interface, VPN connection between the eWon Flexy 201 and the server eFive 2 failed.

In “Connexion VPN” It shows is it not configured and it doesn’t have an IP.

I can ping all others VPN IP but i cannot ping plateforme_test vpn ip (192.168.102.3).

But If I restart OpenVPN server from server eFive 2 it’s working, I can ping plateforme_test vpn IP (192.168.102.3) and i can see VPN connection and IP on flexy 201 interface.

Have a nice day.

Regards,


#13

Browsing these logs I found a possible DHCP problem. Is it possible that there aren’t enough available dynamic addresses on the VPN 192.168.102.0 network?

Oct  2 10:23:23 efiveUMT openvpn[28459]: 212.194.197.1:49173 Re-using SSL/TLS context
Oct  2 10:23:23 efiveUMT openvpn[28459]: 212.194.197.1:49173 LZO compression initialized
Oct  2 10:23:23 efiveUMT openvpn[28459]: 212.194.197.1:49173 [plateforme_test] Peer  Connection Initiated with 212.194.197.1:49173 (via 192.168.102.254)
Oct  2 10:23:23 efiveUMT openvpn: CONNECT plateforme_test 192.168.102.3 212.194.197.1
Oct  2 10:23:25 efiveUMT dnsmasq-dhcp[1359]: DHCPDISCOVER(br0) 00:ff:a0:3a:7a:86 no address available
Oct  2 10:23:28 efiveUMT dnsmasq-dhcp[1359]: DHCPDISCOVER(br0) 00:ff:a0:3a:7a:86 no address available
Oct  2 10:23:31 efiveUMT dnsmasq-dhcp[1359]: DHCPDISCOVER(br0) 00:ff:a0:3a:7a:86 no address available
Oct  2 10:23:38 efiveUMT dnsmasq-dhcp[1359]: DHCPDISCOVER(br0) 00:ff:a0:3a:7a:86 no address available
Oct  2 10:23:54 efiveUMT dnsmasq-dhcp[1359]: DHCPDISCOVER(br0) 00:ff:a0:3a:7a:86 no address available

The FLexy logs had a lot of connection errors and because of that only covered about a period of 70 minutes. Was it disconnected from the internet prior to you taking the bakcup?

1570097935	03/10/2019 10:18:55.422	VPN	80 write UDPv4 []: Network is unreachable (code=101) 
1570097985	03/10/2019 10:19:45.431	VPN	120 ERROR: Linux route add command failed: shell command exited with error status: 1 
1570097985	03/10/2019 10:19:45.436	VPN	123 route: SIOCADDRT: Network is unreachable 

Is it possible to use Tcp instead of Udp?

Some other errors indicate a possible error in the openvpn config file:

1570097985	03/10/2019 10:19:45.459	VPN	142 Options error: Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:9: push-continuation (2.0.9) 
1570098674	03/10/2019 10:31:14.373	VPN	208 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. 
1570099758	03/10/2019 10:49:18.759	VPN	330 RESOLVE: Cannot parse IP address: 176.157.19 

Can you verify that file matches the other devices?


#14

In the basic settings of Openvpn, there are at least 200 addresses available. This is strange

Dynamic IP pool start address : 192.168.102.1
Dynamic IP pool end address : 192.168.102.200

Yes, the Flexy was disconnected from the internet when I did the backup.

I will try to change later Tcp instead of Udp.

It is not necessary to take into account this address (176.157.19), I typed it accidently when connecting VPN.

I did multiple tests yesterday on eFive1 and I managed to connect with the Flexy201 in VPN with public address IP (176.157.195.60) on the eFive 1.

I send you the logs.

Flexy 201 FW : 14.0 PR
eFive Server 1 FW : 1.1.1


#16

Thank you for these. I will go over them. I do have a couple of questions for now:

  1. This Flexy appears to have a weak cellular signal. Do you have the logs from the other Flexys that are also having this problem? How many others have the problem?

  2. Does the Flexy reconnect if it is power cycled or does it have to be the eFive?


#17
  1. Right now, it’s the only Flexy 201 I have, but I’ll see if I can get some more flexy to do the test and get logs. We have about 4 or 5 flexy that are no longer used in production

  2. The flexy automatically reconnects if the VPN connection is switched off or restarts with eWon 201 settings, no need to restart eFive.


#18

Thank you. I spent some time going over the logs and settings and I have some more questions.

When you say this:

What do you mean by “VPN connection is switched off or restarts with eWon 201 settings”? I was wondering if the OpenVPN server needed to restart, or if restarting the Flexy also worked to bring it back online (with the production e Five server).

Just to confirm, you got the Flexy working with the test eFive server?

I think that in order to solve this, we are going to need the Flexy logs when the connection problem is happening with the production server. Also, the re-connection, after OpenVPN restarts, should be logged on both the Flexy and eFive. The first Flexy logs I got last week were filled with Modbus IO server and network connection errors which used up all the log space.

Also, is the Flexy using NTP? Can you confirm the date and time is correct on the device.


#19

On the production eFive server 2, I have to restart OpenVPN server, just restarting the Flexy doesn’t bring it back online.

Yes, i got it working with the test eFive Server 1.

I did the test as you said with eFive Server 2 in production, you can find Flexy201 and eFive 2 logs.

Yes, I manually checked the time and date between Flexy201 and both eFive server, it matches.

Thank your for your help.


#21

Thank you for these. Looking at the Flexy there is a period of about 90 minutes where it is connected here:

You can also see it in the server logs:

It shows connected to the server, but is absent in the routing table which makes me think that this could be a routing problem.

There are also a number of VPN errors regarding routing:

But since all the other devices work, and even this one works after restarting OpenVPN service, it indicates an issue with the device. I noticed that you are in France, so I am going to send this to our associates at eWON HQ over in Belgium so they can have a look.

I haven’t yet gone through all of the server logs. Also, I would also like to compare a backup from one of your working devices to see if there are differences in the config. You could try doing a factory reset on the Flexy and starting from scratch as well.

Kyle


#22

Thank your for your reply.

I tried several firmware on the eWon flexy 201 such as 11.2s2 12 13 and 14.

We still have the same problem for eFive2, Is it possible to recover the configuration of an eWon by connecting to its web interface? without going through eBuddy ?

I did twice a factory reset level 2 on the Flexy and started from scratch as well for the configuration and connection of vpn but still not working.

Yes, i got contacted by a French support this morning on the phone, but they also have trouble understanding what might be the problem with eWon Flexy.

Yes, It could be a routing problem, but why it’s only happening with Flexy. It’s strange and when we restart OpenVPN server the routing problem is solved and eWon Flexy get a VPN ip and we can ping it.

Have a nice week-end.

Regards.


#23

No, the only way to create a backup and restore it is by using the eBuddy software. You can use FTP if you want to copy individual files.

If the French distributor cannot help you, they will escalate the issue to Belgium, which is the eWON HQ where the developers and highest level of support is. They are your best resource for getting the problem fixed.

Kyle


#25

Hello,

The French distributor couldn’t help me. I got a mail about a new case created with the title “eFive routing problem with Flexy 201” but when I click on the link bellow I can’t get acces to the URL.

Here is the reference : https://mysupport.hms.se/edit-case-support/?id=731a9078-8deb-e911-a812-000d3a6546b8

I tried to sign in with my account to view the case but It’s not working. I even tried to reset my password but I never received an mail, also checked spam.

Thank you for your help.

Have a nice day


#26

I will let Simon in Belgium know and he will best be able to help you.

You can access your cases by going to https://mysupport.hms.se and logging in with your email and password. You can reset your password if you need to.