
XG v17.1.0 GA - IPSEC VPN constantly terminates and establish

Hi Sophos,

Device: Sophos XG310
Firmware version: v17.1.0 GA

 

I came from firmware version v16.5 MR8 and upgraded manually to v17.1.0 GA. I've rebuilt all IPsec VPN profiles and tunnels from scratch, since v17 uses a different VPN daemon.

I've successfully established connections with the other end, but I've noticed in the SYSTEM LOGS that every 2 minutes the tunnel keeps terminating and re-establishing.

From my observation this happens when there is no traffic going in or out of that tunnel. Once I run ICMP/ping the logs behave normally, with no termination and establishment going on, but when the tunnel goes idle it starts popping up again. This concerns me, as my SYSTEM LOGS will fill up with those unnecessary entries.

I've also tried changing my dead peer detection to 900 seconds to see if this affects it, but it didn't; the interval was still 2 minutes apart.

Is this normal behavior for the new VPN daemon? I didn't experience it on v16.5 MR8: with or without traffic, the VPN would only terminate and establish when it was supposed to.

Regards,
Desmond
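Two things the thread never pins down are how regular the flapping actually is and which side sends the IKE DELETE, both of which can be read out of the charon log. The script below is an added example for this thread, not code from Sophos or from any poster; its sample lines are constructed in the style strongSwan's charon daemon writes, and the line layout and message wording it matches (LINE_RE, EVENT_RES) are assumptions to check against a real /log/charon.log before relying on the counts.

```python
"""Check how regular an IPsec tunnel's flapping is, and which side tears it
down, by parsing strongSwan charon log lines.  Added example, not Sophos
code: the sample lines are constructed in charon's style and LINE_RE /
EVENT_RES are assumptions to check against a real /log/charon.log."""
import re
import statistics
from datetime import datetime

# "<Mon DD HH:MM:SS> <thread>[IKE] <conn|ike-sa-id> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\d+\[IKE\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)

# IKE_SA lifecycle messages: "deleting IKE_SA" is logged when this box
# initiates the teardown, "received DELETE for IKE_SA" when the peer does.
EVENT_RES = [
    ("up", re.compile(r"^IKE_SA \S+\[\d+\] established between ")),
    ("down_local", re.compile(r"^deleting IKE_SA \S+\[\d+\] ")),
    ("down_remote", re.compile(r"^received DELETE for IKE_SA \S+\[\d+\]")),
]

# Constructed sample (not a real capture): "to-asa" re-establishes every
# ~2 minutes with the local side sending the DELETE; "to-fgt" comes up once
# and is later torn down by the peer.
SAMPLE_LOG = """\
Jul 10 08:00:00 05[IKE] <to-asa|1> IKE_SA to-asa[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:00:00 05[IKE] <to-asa|1> CHILD_SA to-asa{1} established with SPIs c0a8b1c2_i d3e4f5a6_o and TS 10.10.0.0/24 === 10.20.0.0/24
Jul 10 08:00:30 06[IKE] <to-fgt|2> IKE_SA to-fgt[2] established between 203.0.113.10[203.0.113.10]...192.0.2.40[192.0.2.40]
Jul 10 08:02:00 07[IKE] <to-asa|1> deleting IKE_SA to-asa[1] between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:02:00 07[IKE] <to-asa|1> sending DELETE for IKE_SA to-asa[1]
Jul 10 08:02:01 08[IKE] <to-asa|3> IKE_SA to-asa[3] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:04:01 09[IKE] <to-asa|3> deleting IKE_SA to-asa[3] between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:04:02 10[IKE] <to-asa|5> IKE_SA to-asa[5] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:06:02 11[IKE] <to-asa|5> deleting IKE_SA to-asa[5] between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:06:03 12[IKE] <to-asa|7> IKE_SA to-asa[7] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jul 10 08:10:00 13[IKE] <to-fgt|2> received DELETE for IKE_SA to-fgt[2]
"""


def parse_charon(lines, year=2018):
    """Return [(timestamp, conn, kind)] for IKE_SA up/down events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pat in EVENT_RES:
            if pat.match(m["msg"]):
                # syslog stamps carry no year; the caller supplies it
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((ts, m["conn"], kind))
                break
    return events


def summarize(events):
    """Per connection: how often it came up, who tore it down, and the
    median and spread (seconds) of the gap between establishments."""
    acc = {}
    for ts, conn, kind in sorted(events):
        s = acc.setdefault(conn, {"ups": [], "down_local": 0, "down_remote": 0})
        if kind == "up":
            s["ups"].append(ts)
        else:
            s[kind] += 1
    out = {}
    for conn, s in acc.items():
        gaps = [(b - a).total_seconds() for a, b in zip(s["ups"], s["ups"][1:])]
        out[conn] = {
            "establishments": len(s["ups"]),
            "down_local": s["down_local"],
            "down_remote": s["down_remote"],
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "gap_spread_s": max(gaps) - min(gaps) if gaps else None,
        }
    return out


def flapping(summary, max_gap_s=300, min_cycles=3):
    """Connections re-established at least min_cycles times with a median
    gap of max_gap_s or less; a healthy idle site-to-site tunnel should
    not look like this.  A near-zero gap_spread_s points at a timer."""
    return sorted(
        c for c, s in summary.items()
        if s["establishments"] >= min_cycles
        and s["median_gap_s"] is not None
        and s["median_gap_s"] <= max_gap_s
    )


if __name__ == "__main__":
    summary = summarize(parse_charon(SAMPLE_LOG.splitlines()))
    for conn, s in summary.items():
        print(conn, s)
    print("flapping:", flapping(summary))
```

Run it against the real file with `summarize(parse_charon(open("/log/charon.log")))`. A connection listed by `flapping()` whose `down_local` count matches its cycle count and whose `gap_spread_s` is near zero is being torn down by a timer on the local box, which is the distinction between "our idle/DPD setting" and "the remote peer is dropping us" that the thread goes back and forth on.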



  • The VPN tunnels are connected to different firewall brands (Cisco ASA, SonicWall, Fortinet, MikroTik). As far as I know, on their end they don't have an idle timeout setting, and the other end is also set to RESPOND ONLY.

    Based on my observation, the side which terminates the connection is the Sophos side. I'm going to try disabling dead peer detection to verify whether that has something to do with this behavior.

  • TO ADD:

    I tried disabling dead peer detection and it still persists.

    Upon checking the advanced menu of the tunnel, I found the disconnect idle setting set to 120 seconds. The checkbox appears unchecked, but you can't enable or disable it; you can't even change the value. When I hover my mouse over the checkbox, the cursor changes to a circle with a line through it, which means I cannot edit it.

  • Hey  

    The reason you are unable to change this, is because the default IPsec policies cannot be modified. However, they can be cloned to be modified.

    Are you able to investigate the log entries in your /log/charon.log and /log/strongswan.log when this issue occurs?

    Regards,

  • Yup, I have checked the charon and strongSwan logs, and I can't seem to see any problem. I can't see a termination and establishment in the logs; I can only see successful packets being sent across the tunnel.

    I'm not using the default IPsec policies either; I made a custom IPsec policy. I've also tried duplicating it and using the copy in the IPsec tunnel, but I still can't change the checkbox, and the time entry is still disabled.

  • My apologies - edited for correction: the information below about the idle session timeout setting applies to the IPsec remote access policy, not to site-to-site.

    You should be able to change the idle session time interval by enabling it first and then changing the value. However, this value should not affect you, as the entire setting is disabled. But try changing the value to 60 seconds (instead of 120), disabling the entire setting, and observing whether you still experience this issue, but every 1 minute rather than every two.

    By the symptoms you are describing:

    • "this happens when there is no traffic going in or out in that tunnel, but once i've ran ICMP/PING the logs behaves naturally, there are no termination and establishment going on, but again when the tunnel comes to idle it starts poping it out again, this concerns me that my SYSTEM LOGS will be filled with that unnecessary logs."

    Are all of your IPsec VPN tunnels behaving like this, or only a few? It would definitely seem like an idle timeout setting (possibly from the remote site?).

  • Yes, it is on all of my VPN tunnels, and they are connected to different brands of firewall.

    I should be able to, but that's the problem: in this new firmware I wasn't able to do so, because whenever I hover the mouse over the checkbox to enable it, the cursor turns into a red circle that looks like a NOT sign or STOP sign, which makes it unclickable, so I can't enable the checkbox that would allow me to change the value.

    I've also tried it with the VPN tunnel in the active and inactive state, and with different custom-made IPsec profiles and connections.

  • Read this:

    In the end, we have removed any devices that could have had an interaction with Sophos XG.  I wish I had the time to retest with a Cisco IOS router...

    Paul JR

  • The disconnect idle setting is for IPsec remote access connection types and not site-to-site, therefore this should not be the culprit.

    I would suggest opening a support ticket if there is direct impact to performance as a result of these logging events.

  • To add to what  mentioned:

    My apologies regarding the aforementioned idle session timeout setting; this was my mistake, as I was viewing an IPsec remote session policy on my XG.

    Please raise a support case and PM me with your case number for follow up.