
17.0.8 MR8 is out... Hundreds of "VPN Down" logs in just an evening ... Imagine how many I received since 17.0.8 was installed.

For those who asked, our VPN setup is the result of the intervention of 2 senior engineers at Sophos, Boston.  I normally need no help to set up an IKEv2 VPN. I was doing it with no sweat on any firewall more than a decade ago.



  • Hello Brian

    DH14 and AES 192 are minimalistic to say the least ...

    Our case has been pushed to Sophos' development last week.  They collected hours of logs.  They also asked us to swap VPN initiator/listener.  Also asked us to reduce key length and encryption bits.  Not much news since then.  It did not help in the end.  Still hundreds of VPN falls down.

    Paul Jr

  • Follow up.

    Sophos is asking me to run the command "no ip redirects" on our Cisco Gateway router ...  This command applies to Cisco routers running IOS for what I know.  I may be wrong, however, the "Help" command on the telnet interface does not list this as an available command.  There are very few commands available anyway.  Only a few.  I tried to disable "IP Redirects" on the GUI interface, but found nothing to do so.

    Paul Jr

  • Follow up. Latest communications with Sophos Support:

    Hello

    I have no answers to that.  And no technical knowledge to investigate it deeply.

    205.237.70.201 is a Netopia device owned by the ISP (I have no access to it)  that is using the same set up on thousands of their devices.  A Mikrotik (VoIP) router is also connected to that same router with no issue.

    Also, these “VPN Down” problems escalated with MR8.  They were also present on earlier V16.  They did not exist on MR6 or MR7.

    Also,

    We have other VPNs connected sporadically.  Teamviewer being one of them.  Without issues.  No matter what the status of Sophos' VPN is, all other VPNs I can think of work.

    Checkpoint firewalls have no problem with it.

    Mikrotik firewalls have no problem with it.

    PFSense firewalls have no problem either.

    And I'm told by the ISP that the Netopias' setup is standard and minimal on thousands of routers for almost a decade and has proven to be stable since then, and they will not modify it.  No matter what.

    The difficulty will be to find an ISP compatible with Sophos.

    Paul Jr Robitaille


    From: Sophos Support [mailto:support@sophos.com]
    Sent: June 7, 2018 13:28
    To: Paul Jr Robitaille
    Subject: RE: [#8109783] VPN issue with XG firewall.

    Hello Paul,
    Can you please explain to me why 
    12:07:40.188309 Port2, IN:  In 00:a6:ca:6e:69:74 ethertype IPv4 (0x0800), length 152: 205.237.70.201 > 205.237.70.202: ICMP redirect 207.134.161.10 to host 205.237.70.202, length 116
    12:07:41.450510 Port2, IN:  In 00:a6:ca:6e:69:74 ethertype IPv4 (0x0800), length 152: 205.237.70.201 > 205.237.70.202: ICMP redirect 207.134.161.10 to host 205.237.70.202, length 116
    The gateway 205.237.70.201 is sending the ICMP Redirect  207.134.161.10 to 205.237.70.202 . 
    Once we have the answer to this then I can inform you the plan .

    Well, it is getting clear they have no clue.  Can anyone here explain how a PING redirect could be so fatal to Sophos' VPN? (Because it is not fatal to all other VPNs.)

    Paul Jr
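The two capture lines Sophos Support quoted above are in tcpdump's text format: the router 205.237.70.201 is sending the firewall 205.237.70.202 an ICMP redirect that says "reach 207.134.161.10 via 205.237.70.202", i.e. via the receiving host itself. The following small parser is an added example, not code from the thread or from Sophos, and is the kind of check an operator would run over a longer capture before talking to an ISP or vendor: it extracts every redirect, counts them per sending router and per (target, suggested next hop) pair, and flags redirects whose suggested next hop is the receiver. The lines marked "constructed" are sample input invented for the example; the two unmarked lines are the ones quoted in the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the tcpdump-style line format quoted by Sophos Support:
#   <ts> <iface>, <IN|OUT>: ... <src> > <dst>: ICMP redirect <target> to host <gw>, length N
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
REDIRECT_RE = re.compile(
    rf"^(?P<ts>\d{{2}}:\d{{2}}:\d{{2}}\.\d{{6}}) (?P<iface>\w+), (?P<direction>IN|OUT):.*?"
    rf"(?P<src>{IPV4}) > (?P<dst>{IPV4}): "
    rf"ICMP redirect (?P<target>{IPV4}) to host (?P<gw>{IPV4})"
)


@dataclass(frozen=True)
class Redirect:
    ts: str
    iface: str
    direction: str
    src: str      # router that sent the redirect
    dst: str      # host being told to change its route
    target: str   # destination the redirect is about
    gw: str       # next hop the router wants the host to use instead

    @property
    def points_at_receiver(self) -> bool:
        """True when the suggested next hop is the receiving host itself,
        which is the odd pattern visible in the quoted capture."""
        return self.gw == self.dst


def parse_redirects(lines):
    """Return the ICMP redirects found in an iterable of tcpdump text lines.
    Non-redirect lines (echo requests, TCP, etc.) are skipped."""
    found = []
    for line in lines:
        m = REDIRECT_RE.match(line.strip())
        if m:
            found.append(Redirect(**m.groupdict()))
    return found


def summarize(redirects):
    """Aggregate redirects so a capture of thousands of lines becomes a few counters."""
    return {
        "total": len(redirects),
        "by_router": dict(Counter(r.src for r in redirects)),
        "by_route": dict(Counter((r.target, r.gw) for r in redirects)),
        "self_pointing": sum(1 for r in redirects if r.points_at_receiver),
    }


# Sample input: the two lines quoted in the thread, plus two constructed lines
# (an echo request that must be ignored, and a redirect to a different next hop).
SAMPLE_LINES = [
    "12:07:40.188309 Port2, IN:  In 00:a6:ca:6e:69:74 ethertype IPv4 (0x0800), length 152: "
    "205.237.70.201 > 205.237.70.202: ICMP redirect 207.134.161.10 to host 205.237.70.202, length 116",
    "12:07:41.450510 Port2, IN:  In 00:a6:ca:6e:69:74 ethertype IPv4 (0x0800), length 152: "
    "205.237.70.201 > 205.237.70.202: ICMP redirect 207.134.161.10 to host 205.237.70.202, length 116",
    # constructed: an ordinary echo request from the same router, not a redirect
    "12:07:41.900000 Port2, IN:  In 00:a6:ca:6e:69:74 ethertype IPv4 (0x0800), length 98: "
    "205.237.70.201 > 205.237.70.202: ICMP echo request, id 1, seq 1, length 64",
    # constructed: a redirect whose next hop is a different router (documentation-range addresses)
    "12:07:42.000000 Port2, IN:  In 00:a6:ca:6e:69:74 ethertype IPv4 (0x0800), length 152: "
    "205.237.70.201 > 205.237.70.202: ICMP redirect 198.51.100.7 to host 205.237.70.1, length 116",
]

if __name__ == "__main__":
    reds = parse_redirects(SAMPLE_LINES)
    for r in reds:
        flag = " (next hop is the receiver itself)" if r.points_at_receiver else ""
        print(f"{r.ts} {r.src} -> {r.dst}: route {r.target} via {r.gw}{flag}")
    print(summarize(reds))
```

Run over a real capture (`tcpdump -n -l icmp | python3 this_script.py`-style piping, or a saved text dump), the `self_pointing` counter and the per-router counts give the ISP or vendor a concrete number instead of "hundreds of logs". Whether the redirect storm is the cause of the tunnel drops or merely coincident with them is exactly what the thread leaves open; what the parser settles is which device emits the redirects and what route change they request. On the Cisco side the thread itself names the knob for suppressing them, `no ip redirects` on the interface; on the receiving side the usual mitigation is to have the host ignore ICMP redirects altogether.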

  • Follow up.  Technical support keeps asking me questions about it but would not investigate much.  I am an end user.  I have to go by deduction since I am not technical to a point where I could make sense of what is going on just by looking at packets. Again ...

    We have other VPNs connected sporadically.  Teamviewer being one of them.  Without issues.  No matter what the status of Sophos' VPN is, all other VPNs I can think of work.

    Checkpoint firewalls have no problem with it.

    Mikrotik firewalls have no problem with it.

    PFSense firewalls have no problem either.

    And I'm told by the ISP that the Netopias' setup is standard and minimal on thousands of routers for almost a decade and has proven to be stable since then, and they will not modify it.  No matter what.

    Sophos technical support is totally helpless at debugging their own product.

    XG should have never been released to market.


    Paul Jr

  • Hi Paul,

    We understand your frustration. I would recommend sharing the logs with your ISP so they could check on their end why the redirects occur.

  • They saw it.  Their point is this router setup is standard and no matter what, they will not do a different setup for a single customer.

    What I have proposed is Sophos makes our VoIP settings so we could at least eliminate all Mikrotik routers and Cisco routers.  The only router remaining would be that Netopia at a single end.

    Sophos' technical support's point is just a theory.  I wonder why I have to disprove that theory.  It is not impossible that I may be wrong, but when all other devices on the planet work ....

    Paul Jr

  • At this point I would kindly ask Sophos to take their product back or let you switch over to a UTM licence, at least VPN works there :-)

  • I had an agreement in writing with Sophos a year ago to return that equipment.  A year ago.  With their Montreal salesman, Mr. Tony Leggio.  But when I decided to engage that option, they began to negate what is clearly written on the P.O.  I am stuck with Sophos since I do not have the resources, time, or budget to move over to something else.  I won't send lawyers after them for a $20,000 invoice ...  I am at a point where I believe it is Sophos' business model to behave as such.

    XG is dead and toasted.  Sophos has clearly insufficient resources to put that boat back afloat.  If you have navigated this forum for more than a year, the first thing you notice is that very competent mates have gone and do not post anymore.  They left.  VPNs and just about any form of filtering, WEB or Mail, have been in serious problems for years now.  Other vendors would have programmed something like XG within that time period.

    My vendor, GoSecure in Montreal, is equally unaccountable and negates and/or is helpless with the same amount of efforts.

    It is hopeless. I have been screwed by people I put my trust in.  That's it.

  • XG 17.1.0 GA installed.

    One full hour without a VPN down.  This has not happened in months.  

    Paul Jr

  • One "VPN down" per hour so far with V17.1.0 GA.  Far less than every 4 minutes with MR8.