WR21 cannot negotiate IPSec on PPP1


WR21 setup according to AN41.
Here is the problem.
Telco Fiber optic router plugged into Eth0. It's not working so the router switches to PPP1, the PPP1 link comes up. I can ping my VPN responder via the “executing command”.
The Cisco debug shows ZERO traffic from the Digi…but the Digi is convinced that it has negotiated an IKE SA but IPSec never comes up. NEVER. It times out and tries again and round-round it goes.

The SOLUTION is to unplug the Fiber optic router Ethernet cable.
As long as the Fiber router is NOT plugged in, when the Digi puts the Eth0 default route out of service, the IPSec comes up on PPP1 no problem.

If that Fiber router Ethernet is connected, even if the route gets put OOS eventually, it WILL not negotiate an IPSec tunnel.

So, WHAT is going on here? It's not supposed to work like that.


Is this a FW bug?


Hi John,

Thanks for your request.
It’s a bit hard to give some advice without seeing configurations and logs/ike trace in different cases.

My suggestion would be to please send an email to tech.support@digi.com with all the details, as:

-IMEI of the WR21

With this email, a case will be opened and we can do a sanity check on the config and have a look at logs, but please also review our support options, as VPN troubleshooting is limited on Base level and would require an Expert contract if deep troubleshooting is needed.


Digi Technical Support

Hi Anny:

Thank you for the response. We are investigating as to whether it has something to do with floating grounds at the site. We tested this in the workshop before deployment with an ADSL router and it worked fine; with Fiber in the field at several sites we’re getting what I described above. I have seen situations before where the Ethernet does strange and even damaging things if there is not a common ground between two equipment chassis, so we’re going to follow that up.