
v17 MR5: VPN still unstable!

Hi,


I upgraded to MR5 yesterday, all went great, suddenly this evening, tunnels start dropping up and down, and I am being "spammed" with notifications from my SFM that tunnels are terminated.

charon.log shows a lot of these:

invalid ID_V1 payload length, decryption failed?

I have Read here:
Sophos XG Firewall: Cannot handle more than 2 concurrent Quick Mode exchanges per IKE_SA when using IKEv1

That there are issues in MR5, that will be resolved in MR6, but these errors should read:
"invalid HASH_V1 payload length, decryption failed?"
as stated in the KB above.

I have 4 tunnels on my XG.

Are others seeing this?

A little more log:
2018-01-29 19:54:58 10[ENC] <622> invalid ID_V1 payload length, decryption failed?
2018-01-29 19:54:58 10[ENC] <622> could not decrypt payloads
2018-01-29 19:54:58 10[IKE] <622> message parsing failed
2018-01-29 19:54:58 10[ENC] <622> generating INFORMATIONAL_V1 request 158523599 [ HASH N(PLD_MAL) ]
2018-01-29 19:54:58 10[NET] <622> sending packet: from x.x.x.x[500] to 5.103.12.171[500] (76 bytes)
2018-01-29 19:54:58 10[IKE] <622> ID_PROT request with message ID 0 processing failed
2018-01-29 19:54:58 10[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: parsing IKE message from x.x.x.x[500] failed
2018-01-29 19:54:58 19[JOB] <622> deleting half open IKE_SA with x.x.x.x after timeout
2018-01-29 19:54:58 19[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
All tunnels are unstable during this, yesterday with MR3, it worked great for weeks!
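As an added example that is not part of this thread, here is a small Python check that parses charon.log lines in the format shown above, groups them by the IKE_SA id in angle brackets, and reports which SAs failed payload decryption (ID_V1 versus HASH_V1, the distinction the post raises) and were then torn down after a half-open timeout. The sample lines, IKE_SA ids and IP addresses are constructed, modelled on the excerpt in the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the charon.log excerpt in the post (not real data).
SAMPLE_LOG = """\
2018-01-29 19:54:58 10[ENC] <622> invalid ID_V1 payload length, decryption failed?
2018-01-29 19:54:58 10[ENC] <622> could not decrypt payloads
2018-01-29 19:54:58 10[IKE] <622> message parsing failed
2018-01-29 19:54:58 10[ENC] <622> generating INFORMATIONAL_V1 request 158523599 [ HASH N(PLD_MAL) ]
2018-01-29 19:54:58 10[NET] <622> sending packet: from 192.0.2.1[500] to 198.51.100.7[500] (76 bytes)
2018-01-29 19:54:58 10[IKE] <622> ID_PROT request with message ID 0 processing failed
2018-01-29 19:54:58 19[JOB] <622> deleting half open IKE_SA with 198.51.100.7 after timeout
2018-01-29 19:54:58 19[DMN] <622> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
2018-01-29 20:01:03 12[ENC] <630> invalid HASH_V1 payload length, decryption failed?
2018-01-29 20:01:03 12[ENC] <630> could not decrypt payloads
2018-01-29 20:05:10 14[IKE] <631> IKE_SA established (constructed healthy line)
"""

# charon line layout: "<date> <time> <thread>[<subsystem>] <<ike_sa_id>> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] "
    r"<(?P<sa>\d+)> (?P<msg>.*)$")
DECRYPT_RE = re.compile(r"invalid (?P<payload>\w+) payload length, decryption failed")
TIMEOUT_RE = re.compile(r"deleting half open IKE_SA with (?P<peer>\S+) after timeout")

def analyse(log_text):
    """Per IKE_SA id: which payload type failed to decrypt, and whether the SA
    was later deleted as half-open after timeout (and with which peer)."""
    findings = defaultdict(lambda: {"payload": None, "timed_out": False, "peer": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not follow the charon format
        sa, msg = m.group("sa"), m.group("msg")
        d = DECRYPT_RE.search(msg)
        if d:
            findings[sa]["payload"] = d.group("payload")
        t = TIMEOUT_RE.search(msg)
        if t:
            findings[sa]["timed_out"] = True
            findings[sa]["peer"] = t.group("peer")
    return dict(findings)

def unstable_sas(log_text):
    """IKE_SA ids where a decryption failure ended in a half-open SA timeout."""
    return sorted(sa for sa, f in analyse(log_text).items()
                  if f["payload"] and f["timed_out"])

def payload_counts(log_text):
    """Number of SAs that failed on each payload type (ID_V1 vs HASH_V1)."""
    return Counter(f["payload"] for f in analyse(log_text).values() if f["payload"])
```

Run it over a real charon.log to see whether the failures are confined to a few peers and whether the message names the ID_V1 or the HASH_V1 payload, which is the detail the KB article keys on.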



  • Hi All,

    If you are facing issues due to a matching condition as mentioned in the KBA here: https://community.sophos.com/kb/en-us/128175 then please be assured that it will be fixed in the MR 6 release. As stated in the KB article, this is not a Sophos-specific issue but it is observed due to a strongSwan implementation.

    If you are facing a different problem than what is stated in the referred KB article then please let us know.

    Thanks

  • I've been using your XG firewalls for just a month now. I have XG-XG at 3 locations. Had to rebuild my first implementation because, unknown to me, the firmware that was installed already had faulty IPSEC. It's been a damn headache ever since. I lose at least one site a week, random reboots on one, one site doesn't re-establish the tunnel after internet loss. One RED device that randomly stops sending traffic. Even after 17 5. You guys have your stuff together over there or did I make a terrible decision switching to Sophos? My last firewalls never had to be rebooted and fought with this much.

  • Hi Nick,

    If you have a case logged in support then please PM me the ID and I will take a look to investigate further.

    Thanks
