
17.0.8 MR8 is out... But now VPNs go down hundreds of times a day, instead of many times.

VPN was going down many times a day ... Since 17.0.8 MR8, it is down hundreds of times a day.

It is getting worse.  

Below are pictures showing simultaneous pings taken at different times today from one VPN to the remote VPN.

10.29.x.x is a local subnet, different from where I ping.

10.30.1.1 is the local firewall.

205.237.70.202 is its WAN address.

207.134.161.10 is the destination remote firewall. 10.31.1.1 is the remote firewall's internal address.

Keep this in mind.

At all times during the day, with TeamViewer, I could access any desktop from any local subnet to any remote VPN subnet, no matter what you will see below. TeamViewer VPNs work all of the time.

I was able to ping all Firewalls WAN addresses at any time from the internet.

Only our VPNs are down.

Why can't Sophos do VPN while all other suppliers can?

  • Hi Big_Buck,

    Thank you for the XG Feedback.

    Request to share the details:

    • IPsec connection and Policy configuration.
    • /log/charon.log /log/strongswan.log

    Regards,

    Deepti

  • We had very similar issues with MR6. The routers were getting stuck in a bit of hell because both sides were trying to initiate the tunnel at the same time.

    The resolution was to reconfigure all of our IPsec tunnels so that one side is set to initiate and the other side is set to respond only. DPD must be configured as well. With help from support, we were able to get this fixed and very stable. Here are the changes:

    Initiate (always set on the smaller site since it is more resource intensive)

    Phase I:
    Randomize Re-Keying Margin by: 50%
    DH Group 14 & 16 Only
    Encryption AES192
    Auth: SHA2 256


    Phase II:
    DH Group 14 only
    Encryption: AES192
    Auth: SHA2 256

    DPD:
    When Peer Unreachable: Re-initiate


    On the Re-initiate policy, just change DPD to Disconnect.


    On the initiator side, set the gateway type to Initiate the connection. On the responder side, set it to Respond only. I have 23 tunnels, so there are 529 connections to modify. Luckily our vendor assisted and took care of most in a few hours.

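  • The initiator/responder asymmetry described in the reply above, written out as an added example in strongSwan swanctl.conf syntax (the XG logs referenced earlier, /log/charon.log and /log/strongswan.log, come from strongSwan, but the firewall generates its own configuration from the GUI; this file is not Sophos's and is not taken from the thread). The WAN addresses are the ones quoted in the thread; connection names, traffic selectors, lifetimes, DPD interval and the PSK identities are assumptions.

    ```ini
    # --- Initiator side (the smaller site, per the reply): it alone brings the
    # --- tunnel up and re-initiates when DPD declares the peer unreachable.
    connections {
        to-remote-site {                          # assumed connection name
            local_addrs  = 205.237.70.202         # local WAN address from the thread
            remote_addrs = 207.134.161.10         # remote WAN address from the thread
            version = 2
            # Phase I: AES-192 / SHA2-256, DH groups 14 (modp2048) and 16 (modp4096) only
            proposals = aes192-sha256-modp2048,aes192-sha256-modp4096
            rekey_time = 8h                       # assumed IKE lifetime
            # Randomise the re-keying margin so both ends never rekey at the same instant;
            # over_time defaults to 10% of rekey_time (48m), so 24m is "50%" of the margin.
            rand_time = 24m
            dpd_delay = 30s                       # assumed DPD probe interval
            local  { auth = psk  id = 205.237.70.202 }
            remote { auth = psk  id = 207.134.161.10 }
            children {
                site-nets {
                    local_ts  = 10.30.0.0/16      # assumed local subnet behind 10.30.1.1
                    remote_ts = 10.31.0.0/16      # assumed remote subnet behind 10.31.1.1
                    # Phase II: AES-192 / SHA2-256 with DH group 14 only (PFS)
                    esp_proposals = aes192-sha256-modp2048
                    start_action = start          # gateway type "Initiate the connection"
                    dpd_action   = restart        # DPD "When peer unreachable: Re-initiate"
                }
            }
        }
    }

    # --- Responder side: loaded but never initiated, so the two ends cannot
    # --- collide; on DPD failure it only tears the SA down and waits.
    connections {
        from-small-site {                         # assumed connection name
            local_addrs  = 207.134.161.10
            remote_addrs = 205.237.70.202
            version = 2
            proposals = aes192-sha256-modp2048,aes192-sha256-modp4096
            rekey_time = 8h
            rand_time = 24m
            dpd_delay = 30s
            local  { auth = psk  id = 207.134.161.10 }
            remote { auth = psk  id = 205.237.70.202 }
            children {
                site-nets {
                    local_ts  = 10.31.0.0/16
                    remote_ts = 10.30.0.0/16
                    esp_proposals = aes192-sha256-modp2048
                    start_action = none           # gateway type "Respond only"
                    dpd_action   = clear          # DPD "Disconnect": drop the SA, do not re-dial
                }
            }
        }
    }
    ```

    Once both ends are loaded, `swanctl --list-sas` on each side should show the IKE_SA established with the small site as initiator only; a responder that still shows `initiating IKE_SA` in charon.log has not had its start_action changed.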

  • Thanks for the input ...