
VPN Drops Permanently on WAN IP Change

Hi Guys,

Strange issue.   I have a spoke site connecting to a head office. 

The head office is a static IP, but the spoke site is on ADSL with a dynamic IP and an ADSL modem. I'm not able to bridge it, so the Sophos sits behind this ADSL modem, which is doing NAT.

VPN works fine and comes up, however, when the ADSL IP address gets renewed with something else the VPN drops. 

Before it was a Cisco 800 on this ADSL site and it worked fine with IP address changes; now I have the Sophos it drops when the ADSL IP is renewed.

The only way I can fix this is to reboot the Sophos! Even if I go into the IPsec VPN settings and untick the active checkbox, save, then re-tick it and hit save, it can't connect.

When I check the logs on the head office Palo Alto, they show the remote device is trying to connect. When I check the logs on the Sophos I see "peer did not respond" and "IKE message [xxx] retransmission timed out".

Is there something I need to tick or do for a Sophos sitting behind NAT on a dynamic ADSL service?

  • Have you already updated the firmware to MR6?

  • Looks like an IPsec bug in the XG appliance to do with authentication.

    When the Sophos creates a VPN to the head office side it authenticates with it. But when the ADSL modem IP address changes, which drops the VPN, the Sophos just tries to connect back to head office without actually re-authenticating again.

    Because of this, the head office firewall logs show it is ignoring the requests as an unauthenticated payload, as it doesn't recognise it now it's coming from behind another IP address. This is why the Sophos won't re-establish the VPN no matter how hard you try: the Sophos never tries to authenticate again, it just assumes it's already authenticated and reports there is no reply coming back from head office, which is correct behaviour from head office for an unauthenticated device.

    Then as soon as you reboot the Sophos, BAM, it comes straight back up, as the Sophos then authenticates again first.

    Surprised I am the first to stumble on this bug??

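A toy model of the failure described in the reply above, added here as an example and not code from the thread or from Sophos. It assumes the head-office responder only accepts IKE traffic from a (peer address, SPI) pair that completed IKE_AUTH, which is the behaviour the reply describes; the addresses and SPI are constructed, and `tunnel_stuck` is a hypothetical log check built from the two messages quoted in the question.

```python
from dataclasses import dataclass, field

@dataclass
class Responder:
    """Head-office peer (model): traffic from a (peer address, SPI) pair that
    never completed IKE_AUTH is dropped without any reply."""
    sas: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def ike_auth(self, peer_ip, spi):
        self.sas.add((peer_ip, spi))          # PSK check assumed to succeed
        self.log.append(f"IKE_AUTH ok from {peer_ip} spi={spi}")

    def receive(self, peer_ip, spi, msg):
        if (peer_ip, spi) not in self.sas:
            self.log.append(f"ignored {msg} from {peer_ip} spi={spi}: no SA")
            return None                       # silence -> initiator times out
        return f"{msg}-ack"

@dataclass
class Initiator:
    """Spoke peer behind NAT (model); its public address can change any time."""
    wan_ip: str
    spi: str = "c0ffee"                       # constructed SPI
    authenticated: bool = False
    log: list = field(default_factory=list)

    def send(self, resp, msg="INFORMATIONAL"):
        if not self.authenticated:            # fresh IKE exchange only once
            resp.ike_auth(self.wan_ip, self.spi)
            self.authenticated = True
        if resp.receive(self.wan_ip, self.spi, msg) is None:
            self.log.append("peer did not respond")
            self.log.append(f"IKE message [{self.spi}] retransmission timed out")
            return False
        return True

def simulate(reauth_after_ip_change):
    """Return (tunnel up before the lease change, tunnel up after it)."""
    resp, init = Responder(), Initiator("203.0.113.10")   # constructed address
    before = init.send(resp)
    init.wan_ip = "203.0.113.77"                          # ADSL lease renewed
    if reauth_after_ip_change:
        init.authenticated = False                        # what the reboot forces
    after = init.send(resp)
    return before, after

def tunnel_stuck(lines):
    """Hypothetical check: the two quoted log messages appearing back to back."""
    return any("peer did not respond" in a and "retransmission timed out" in b
               for a, b in zip(lines, lines[1:]))
```

Running `simulate(False)` reproduces the stuck tunnel (up, then down after the address change) while `simulate(True)` shows that forcing a new IKE_AUTH from the new address brings it back, which is what the reboot achieves in the thread.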