Not happy to report VPN went down again on MR-8

Well, I had high hopes for MR-8. Looks like we are still having an issue with my VPN's SAs. All SAs showed red early this morning with the exception of a GRE tunnel (so 8 SAs red, 1 green). The other side of this VPN connection is a Cisco device. We had not had a single issue in the 4 days since applying MR-8, so I was feeling hopeful. Anyone else seeing the same thing?

I just submitted a support ticket.


-Scott



  • I will add that we've got another site that has been running MR-8 for the same amount of time and has not had an issue as of yet.

    I just found out that the other side of the VPN (Cisco) that had the failure this morning is set to Initiate and Respond (the Sophos at the remote office is set to do the same thing), so perhaps that is part of the issue.


    The site that is working on MR-8 without issues so far is set to Respond Only (on the Cisco side at HQ). So perhaps setting the Cisco side to "Respond" will resolve it at the problem site. I think in the Cisco world you can set both ends to initiate and respond; maybe that can't be done with different equipment on both sides.


    -Scott

  • Hi Scott,

    Sorry to hear about the continued issue you have been experiencing. Would it be possible to please PM me with your support case number so that I can follow up.

    Thanks!

  • The more I think about these issues, the more I think it is a routing problem. That has been lasting for 14 months in a row. A question like this: do you happen to have many subnets behind those firewalls? I think XG is screwed up when routing with VPN more than anything else. In our cases, some subnets fall down altogether with the VPN. And all of this time, I can monitor it from home with a TeamViewer session. When the VPN comes back, so do the fallen subnets. I wonder if the boss at Sophos would himself be able to work with falling VPNs 16 months in a row ...

  • Hi Scott,

    After reviewing the log file you provided to support, it seems that the Cisco is coming in and establishing a new IKE SA (#12 in the log) instead of rekeying the existing one (#10), but then only negotiates one of nine child SAs (look for the "parsed QUICK_MODE request" lines).

    Please review the configuration and logs on the Cisco device. It should definitely initiate negotiations of all tunnels.
    Maybe establishing a new IKE instead of rekeying it was unintended (however it should still negotiate all child SAs).

    Hope that helps resolve your issues.

    Regards
    Heiko
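As an added illustration of the log check Heiko describes (counting "parsed QUICK_MODE request" lines per IKE SA and spotting a fresh IKE SA established where a rekey was expected), here is a small Python script. It is not from the thread or from Sophos; the log lines are constructed and only loosely modelled on strongSwan charon output, the connection name "cisco-hq", SA numbers 10 and 12, addresses and timestamps are invented, and the sample uses three child SAs instead of the nine in the thread to keep it short. Retransmitted QUICK_MODE requests (same message ID) are counted once.

```python
import re

# Constructed sample log, loosely modelled on strongSwan charon output (the IPsec
# daemon on Sophos XG). Connection name, SA ids, addresses and timestamps are
# invented; only the message shapes follow the daemon's general style.
SAMPLE_LOG = """\
Jun 10 03:12:01 charon: 05[IKE] <cisco-hq|10> IKE_SA cisco-hq[10] established between 192.0.2.10[192.0.2.10]...198.51.100.7[198.51.100.7]
Jun 10 03:12:02 charon: 05[IKE] <cisco-hq|10> parsed QUICK_MODE request 1001 [ HASH SA No ID ID ]
Jun 10 03:12:02 charon: 05[IKE] <cisco-hq|10> parsed QUICK_MODE request 1002 [ HASH SA No ID ID ]
Jun 10 03:12:02 charon: 05[IKE] <cisco-hq|10> parsed QUICK_MODE request 1002 [ HASH SA No ID ID ]
Jun 10 03:12:03 charon: 05[IKE] <cisco-hq|10> parsed QUICK_MODE request 1003 [ HASH SA No ID ID ]
Jun 10 07:40:11 charon: 09[IKE] <cisco-hq|12> IKE_SA cisco-hq[12] established between 192.0.2.10[192.0.2.10]...198.51.100.7[198.51.100.7]
Jun 10 07:40:12 charon: 09[IKE] <cisco-hq|12> parsed QUICK_MODE request 2001 [ HASH SA No ID ID ]
"""

# Assumed line shape: "... charon: NN[IKE] <conn|ikeid> message"
LINE_RE = re.compile(r"charon: \d+\[IKE\] <(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$")
QUICK_RE = re.compile(r"parsed QUICK_MODE request (?P<mid>\d+)")


def parse_events(log_text):
    """Reduce each charon line to (connection, ike_sa_id, event, detail)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, sa, msg = m.group("conn"), int(m.group("sa")), m.group("msg")
        q = QUICK_RE.search(msg)
        if q:
            events.append((conn, sa, "quick_mode", q.group("mid")))  # one child SA negotiation
        elif "established between" in msg:
            events.append((conn, sa, "established", ""))
        elif "rekeyed" in msg:
            events.append((conn, sa, "rekeyed", ""))
        elif "deleting IKE_SA" in msg:
            events.append((conn, sa, "deleted", ""))
    return events


def audit_ike_sas(log_text, expected_children):
    """Per IKE SA: distinct child SAs negotiated, how many are missing against the
    expected count, and whether it was established while an earlier IKE SA of the
    same connection was still up (a fresh SA where a rekey was expected)."""
    report = {}
    last_live = {}  # connection name -> id of its most recently live IKE SA
    for conn, sa, event, detail in parse_events(log_text):
        entry = report.setdefault(sa, {"conn": conn, "children": set(), "replaced": None})
        if event == "established":
            prev = last_live.get(conn)
            if prev is not None and prev != sa:
                entry["replaced"] = prev
            last_live[conn] = sa
        elif event == "rekeyed":
            last_live[conn] = sa  # orderly rekey: the new SA takes over, nothing to flag
        elif event == "deleted":
            if last_live.get(conn) == sa:
                last_live.pop(conn)
        elif event == "quick_mode":
            entry["children"].add(detail)  # message ID dedups retransmits
    return {
        sa: {
            "conn": e["conn"],
            "child_sas": len(e["children"]),
            "missing": max(0, expected_children - len(e["children"])),
            "replaced_unrekeyed": e["replaced"],
        }
        for sa, e in report.items()
    }


def findings(log_text, expected_children):
    """Human-readable list of the two anomalies worth raising with the peer's admin."""
    out = []
    for sa, e in sorted(audit_ike_sas(log_text, expected_children).items()):
        if e["replaced_unrekeyed"] is not None:
            out.append(f"IKE SA #{sa} established while #{e['replaced_unrekeyed']} "
                       f"was still up (new IKE SA instead of rekey)")
        if e["missing"]:
            out.append(f"IKE SA #{sa} negotiated only {e['child_sas']}/{expected_children} child SAs")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG, expected_children=3):
        print(line)
```

Run it against a real log by replacing SAMPLE_LOG with the file contents and setting expected_children to the number of tunnels configured on the connection; if the message shapes differ from the assumed ones, adjust LINE_RE and the substring checks in parse_events.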

  • Thanks Heiko,


    Just so I am understanding you correctly (knowing that the Cisco is at our headquarters and the Sophos is at the remote site):

    " It should definitely initiate negotiations of all tunnels."

    Are you telling me that I should have the Cisco initiate the VPN connection and that I should be setting the Sophos VPN's Gateway Type to "Respond Only"? (Also, what do I set DPD to in the policy then? (reinitiate-/hold/disconnect?)


    Thanks,

    -Scott

  • Sorry for not being precise. It's completely fine for the Cisco to respond only, but when it is initiating it should initiate all tunnels, not just 1/9.

  • Ok, I got ya. Thanks for the clarification. So for the time being I'm going to have our Sophos units do the initiation at the remote sites and have the Cisco set to respond only. Sounds like the safest option.


    -Scott