17.0.8 MR8 is out... Hundreds of "VPN Down" logs in just an evening ... Imagine how many I received since 17.0.8 was installed.

For those who asked, our VPN setup is the result of the intervention of 2 senior engineers at Sophos, Boston.  I normally need no help to set up an IKEv2 VPN. I was doing it with no sweat on any firewall more than a decade ago.

  • Ok.  Some news. To sum things up:

    We have two XG firewalls connected with a permanent VPN.

    Main site “QC” has an XG firewall (appliance) connected to our ISP’s Netopedia router, which is connected to our ISP’s optic fiber converter. We own only the XG, having no access to the converter or the router.  Also connected to the Netopedia router is a Mikrotik firewall, for other purposes.  XG takes care of 4 out of 5 available valid addresses (8 valid addresses in all).  The Mikrotik has one valid address.

    Remote site “AA” has an XG firewall (appliance) connected to our Cisco router, which is connected to our ISP’s optic fiber converter. We have access to both the XG and the Cisco router.  Also connected to our Cisco router is a Mikrotik firewall, for other purposes.

    Sophos’ support theory is that ICMP redirecting causes DPD (dead peer detection) to fail.  This leads to our VPN falling very often.  It makes sense, at least partially.  I write “partially” because Sophos’ support had disabled DPD previously.  This should consequently have stopped the VPN from falling, no?  Also, that behaviour did not matter on any other firewall I have installed previously. Up to the last intervention from Sophos, I was asked to investigate our main site’s Netopia router in QC.  Sophos’ tech was commenting on our ISP’s router (Netopedia), but he actually meant the Cisco in AA.  I toasted many hours over that confusion trying to reach competent resources at Telus in QC, since Telus is much like a government.  I had a response from Telus that they would not change their setup, no matter what, but in the end that was irrelevant.  Investigating ICMP redirect for Cisco, I found it was very easy on Cisco’s IOS to disable it, but I did not find any way to turn it off on our Cisco router, which does not run IOS.

    Since we do not know why the Cisco router was redirecting ICMPs, and have no means to disable ICMP redirection on that particular Cisco device, I had the idea to decommission all the equipment I could, and let the XG do most tasks. Counterintuitive, since I had so many problems with that device.

    Sophos support has set up the XG’s networking in such a way that our "AA" ISP’s transport address (WAN) was set on our XG’s WAN interface, and all 8 valid addresses assigned to us were set as aliases on that same interface.  In other words, the router's WAN is now on the XG.  Whatever was connected to the Mikrotik firewall was then moved to one available port on the XG with its own valid IP address.


    Damn it. That "work around" works.  I could not care less about not knowing why that Cisco router was so mortal to the XG’s VPN.


    Some DPD reading here: https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-dead-peer-detection-understanding.html 
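As an added illustration (not code from the thread, from Sophos, or from any XG configuration): a toy simulation of RFC 3706-style dead peer detection. It shows the mechanism the support theory relies on: the initiator sends an R-U-THERE probe after an idle interval, retransmits when the ACK does not come back, and tears the tunnel down only after a run of consecutive unanswered probes. Isolated lost replies do not take the tunnel down, and with DPD disabled the tunnel is never probed at all, which is the behaviour the "partially" remark above is questioning. The interval, timeout and retry values, the function names, and the reply-loss patterns are all assumptions constructed for the example.

```python
"""Toy simulation of IKE dead peer detection (DPD, RFC 3706 style).

Constructed example: the timings and the reply-loss patterns are assumptions,
not values taken from any Sophos XG configuration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class DpdConfig:
    enabled: bool = True
    interval: int = 30   # idle seconds before an R-U-THERE probe is sent (assumed)
    timeout: int = 10    # seconds to wait for the R-U-THERE-ACK (assumed)
    retries: int = 3     # consecutive unanswered probes before the peer is declared dead


@dataclass
class Tunnel:
    cfg: DpdConfig
    state: str = "UP"
    probes_sent: int = 0
    failed_probes: int = 0          # consecutive losses; any ACK resets it
    dead_at: Optional[int] = None   # simulated second at which the SA was torn down
    events: List[str] = field(default_factory=list)


def run_dpd(cfg: DpdConfig, ack_arrives: Callable[[int], bool], duration: int) -> Tunnel:
    """Simulate `duration` seconds of an otherwise idle tunnel.

    `ack_arrives(n)` says whether the ACK for the n-th probe reaches us. It stands
    in for whatever the path does to the reply; a reply steered onto the wrong
    interface is one way it can go missing, a dead peer is another.
    """
    t = Tunnel(cfg)
    if not cfg.enabled:
        t.events.append("DPD disabled: liveness is never probed, SA stays UP regardless")
        return t
    now = 0
    while t.state == "UP":
        # After an answered probe we wait a full idle interval; after a lost
        # probe the retransmission goes out immediately.
        if t.failed_probes == 0:
            if now + cfg.interval > duration:
                break
            now += cfg.interval
        n = t.probes_sent
        t.probes_sent += 1
        if ack_arrives(n):
            t.failed_probes = 0
            t.events.append(f"t={now}s probe {n} acked")
            continue
        now += cfg.timeout
        t.failed_probes += 1
        t.events.append(f"t={now}s probe {n} timed out ({t.failed_probes}/{cfg.retries})")
        if t.failed_probes >= cfg.retries:
            t.state = "DOWN"
            t.dead_at = now
            t.events.append(f"t={now}s peer declared dead, tunnel torn down")
    return t


def healthy(n: int) -> bool:
    """Every ACK comes back."""
    return True


def outage_from_probe(start: int) -> Callable[[int], bool]:
    """Every ACK from probe `start` onward is lost (peer or path really gone)."""
    return lambda n: n < start


def every_third_lost(n: int) -> bool:
    """Isolated losses: never three in a row, so DPD must not tear the tunnel down."""
    return n % 3 != 1


if __name__ == "__main__":
    scenarios = [("healthy", healthy), ("outage", outage_from_probe(2)),
                 ("flaky", every_third_lost)]
    for name, pattern in scenarios:
        for cfg in (DpdConfig(), DpdConfig(enabled=False)):
            t = run_dpd(cfg, pattern, duration=300)
            print(f"{name:8s} dpd={'on ' if cfg.enabled else 'off'} -> "
                  f"{t.state} probes={t.probes_sent} dead_at={t.dead_at}")
            for e in t.events[-3:]:
                print("   ", e)
```

With the defaults, a hard outage starting at the third probe is detected at t=120s after three back-to-back timeouts, the flaky path with single lost replies stays UP for the whole run, and the disabled configuration never sends a probe, so nothing DPD-related can take that tunnel down; if a tunnel still drops with DPD off, the cause has to be looked for elsewhere (rekey failures, the peer's own DPD, or the ISP path).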

  • After 3 days, we have had few VPN downs. Only four instances yesterday. So nothing to write to my mother about.  Besides, it might as well have been caused by something else, like a short interruption from the ISP.

    We have put the VPN back to standard IKEv2, which means DH31 group is back as well, among other things.

    I now have to recommission our XG105s, update them, and see if their VPN behaves properly now.