This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Firewall XG unstable/unreachable after VPN has been up for a while

I've got a Sophos Firewall XG running in my home lab where I've achieved the following:

All internet traffic passes trough an ipsec VPN tunnel ending in DigitalOcean VPS, except for some traffic which is filtered out using a policy-routing rule. That traffic goes out directly over the WAN port. (f.e. Netflix, which doesn't like getting traffic from the DigitalOcean IP range)

However ...

When everything seemed to work perfectly, after a while, when the VPN connection has been up for 30 minutes or so, my sophos VM becomes unstable. I'm not able to surf the internet anymore, and I'm not even able anymore to surf to the management page of Sophos, nor SSH into the Sophos VM.

I have no idea what's going wrong ... Sophos does work stable, when I disable the VPN connection. Any ideas/suggestions from your side?

Attached files:

Network topology
VPN Server @ Digital Ocean
- Strongswan ipsec.conf
- iptables
Sophos config
- Firewall - overview
  - Default WAN rule
  - VPN rule
- VPN
  - ipsec config
  - ipsec policy
- Policy routing
  - 'Skip VPN for some traffic' rule

This thread was automatically locked due to age.

0 LuCar Toni over 7 years ago
Sounds like a issue in the Kernel.

Should be fixed in MR8.

https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-8-mr8-released

NC-29043 [IPsec] CSC hangs - system becomes unresponsive

Cheers.
Cancel
Vote Up 0 Vote Down

Cancel
0 Martijn Dierckx over 7 years ago in reply to LuCar Toni

Already tried the latest firmware ... Nothing changed
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos Admin12 over 7 years ago in reply to Martijn Dierckx

i know it does not help, but i am facing the same Problems with XG330 and 17.0.8 MR-8

Any solution available yet ?
Cancel
Vote Up 0 Vote Down

Cancel
0 guillaume bottollier over 7 years ago in reply to Sophos Admin12

hi all,

you should try to update to mr17.1 mr1, it seems much more stable.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ralph Fabian over 7 years ago in reply to guillaume bottollier

sorry. But i don´t want to try. Because i am not a Betatester for Sophos.

XG is wasting my time, my money and my user satisfaction. It´s the worst product i seen so far. I have spend 180k€ for new XGs to replace my existing SG´s. But it´s not working.

Sophos should find the reason why the problems happens.

sorry again, but i am really angry.

I have an open Call at sophos. Maybe say will contact me, or Myybe not. This is the next thing.
Cancel
Vote Up 0 Vote Down

Cancel
0 guillaume bottollier over 7 years ago in reply to Ralph Fabian

i totally understand, but i can assure you that 17.1 mr1 is better than 17.0 mr8.

so you should start here, thus i am pretty sure sophos will advise you to first update your devices because ipsec wasn't stable AT ALL before 17.1
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos Admin12 over 7 years ago in reply to guillaume bottollier

We will test tomorrow evening.

Sophos has confirmed, that the problem we are facing a known bug is. And fixed with 17.1.1 MR1

i keep you updatet.
Cancel
Vote Up 0 Vote Down

Cancel