
IPSEC VPNs keep logging FIVE terminate/established log entries every hour or so

I have 1 HQ firewall (XG135) and 4 branches (XG105). They all have IPSEC tunnels with the default IKEv2 setup. They are all on 17.5.3.372

 

Spaced about 1 hour 13 minutes apart, I get 5 established and 5 terminated IPSEC vpn tunnel log entries from a branch firewall all with the exact same timestamp. Then a few minutes later, approximately the same hour/minutes apart, I get another 5 established and 5 terminated IPSEC vpn tunnel log entries. A few of the firewalls have TWO IPSEC tunnels, and I'll get an alert on one of the tunnels, and at some point over the next hour, I'll get another alert for the other tunnel, but both don't terminate at once.

 

No internet outages, and no perceived downtime with the tunnels. I have 100 users all using VoIP and no-one has said a word. This has been happening since deployment 2 days ago.

I'm getting bombarded with alerts for tunnel disconnection/re-connection.

What configuration item should I be looking at? Or is this a bug?



  • Hi  

    Thanks for reaching out!

    To start:

    • What firmware versions are all the firewalls on?
    • What IPsec policies are used?
    • Any relevant log outputs from your charon.log/strongswan.log during the time of disconnection/reconnection?

    Regards,

  • 1. 17.5.3 MR3

    2. The Built in IKEv2 Policy

    3. Here's some snippets:

    2019-04-04 08:11:43 12[ENC] <Company_HQ_Data-1|66> generating INFORMATIONAL request 155 [ ]
    2019-04-04 08:11:43 12[NET] <Company_HQ_Data-1|66> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (96 bytes)
    2019-04-04 08:11:43 31[NET] <Company_HQ_Data-1|66> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (96 bytes)
    2019-04-04 08:11:43 31[ENC] <Company_HQ_Data-1|66> parsed INFORMATIONAL response 155 [ ]
    2019-04-04 08:11:59 22[IKE] <Company_HQ_Data-1|66> reauthenticating IKE_SA Company_HQ_Data-1[66]
    2019-04-04 08:11:59 22[IKE] <Company_HQ_Data-1|66> initiating IKE_SA Company_HQ_Data-1[67] to HEADQUARTERS_IP
    2019-04-04 08:11:59 22[ENC] <Company_HQ_Data-1|66> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    2019-04-04 08:11:59 22[NET] <Company_HQ_Data-1|66> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (1482 bytes)
    2019-04-04 08:11:59 24[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (242 bytes)
    2019-04-04 08:11:59 24[ENC] <Company_HQ_Data-1|67> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    2019-04-04 08:12:00 24[IKE] <Company_HQ_Data-1|67> authentication of '172.16.5.2' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
    2019-04-04 08:12:00 24[IKE] <Company_HQ_Data-1|67> establishing CHILD_SA Company_HQ_Data-2
    2019-04-04 08:12:00 24[ENC] <Company_HQ_Data-1|67> generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    2019-04-04 08:12:00 24[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (928 bytes)
    2019-04-04 08:12:00 09[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (736 bytes)
    2019-04-04 08:12:00 09[ENC] <Company_HQ_Data-1|67> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
    2019-04-04 08:12:00 09[CFG] <Company_HQ_Data-1|67>   using trusted certificate "172.16.5.1"
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> authentication of '172.16.5.1' with RSA_EMSA_PKCS1_SHA2_384 successful
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> IKE_SA Company_HQ_Data-1[67] established between BRANCH_IP[172.16.5.2]...HEADQUARTERS_IP[172.16.5.1]
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> scheduling reauthentication in 4801s
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> maximum IKE_SA lifetime 5161s
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> CHILD_SA Company_HQ_Data-2{448} established with SPIs c2f8d631_i c0b715c2_o and TS 192.168.5.0/24 === 192.168.201.0/24
    2019-04-04 08:12:00 09[APP] <Company_HQ_Data-1|67> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 09[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.5.0/24#192.168.201.0/24)
    2019-04-04 08:12:00 09[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 6 to 7 ++ up ++ (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 09[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) UID: 67 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 09[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2019-04-04 08:12:00 06[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 06[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 06[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.201.0/24) already set up
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> received AUTH_LIFETIME of 4685s, scheduling reauthentication in 4325s
    2019-04-04 08:12:00 09[IKE] <Company_HQ_Data-1|67> establishing CHILD_SA Company_HQ_Data-6
    2019-04-04 08:12:00 09[ENC] <Company_HQ_Data-1|67> generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 09[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (1168 bytes)
    2019-04-04 08:12:00 29[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (272 bytes)
    2019-04-04 08:12:00 29[ENC] <Company_HQ_Data-1|67> parsed CREATE_CHILD_SA response 2 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 29[IKE] <Company_HQ_Data-1|67> CHILD_SA Company_HQ_Data-6{449} established with SPIs c10c06b7_i c94ca234_o and TS 192.168.5.0/24 === 192.168.3.0/24
    2019-04-04 08:12:00 29[APP] <Company_HQ_Data-1|67> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 29[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.5.0/24#192.168.3.0/24)
    2019-04-04 08:12:00 29[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 7 to 8 ++ up ++ (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 29[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) UID: 67 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 29[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2019-04-04 08:12:00 11[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 11[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 11[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.3.0/24) already set up
    2019-04-04 08:12:00 29[IKE] <Company_HQ_Data-1|67> establishing CHILD_SA Company_HQ_Data-5
    2019-04-04 08:12:00 29[ENC] <Company_HQ_Data-1|67> generating CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 29[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (1168 bytes)
    2019-04-04 08:12:00 16[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (272 bytes)
    2019-04-04 08:12:00 16[ENC] <Company_HQ_Data-1|67> parsed CREATE_CHILD_SA response 3 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 16[IKE] <Company_HQ_Data-1|67> CHILD_SA Company_HQ_Data-5{450} established with SPIs ca4d8d41_i c2af15cd_o and TS 192.168.5.0/24 === 192.168.9.0/24
    2019-04-04 08:12:00 16[APP] <Company_HQ_Data-1|67> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 16[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.5.0/24#192.168.9.0/24)
    2019-04-04 08:12:00 16[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 8 to 9 ++ up ++ (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 16[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) UID: 67 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 16[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2019-04-04 08:12:00 14[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 14[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.9.0/24) already set up
    2019-04-04 08:12:00 16[IKE] <Company_HQ_Data-1|67> establishing CHILD_SA Company_HQ_Data-3
    2019-04-04 08:12:00 16[ENC] <Company_HQ_Data-1|67> generating CREATE_CHILD_SA request 4 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 16[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (1168 bytes)
    2019-04-04 08:12:00 07[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (272 bytes)
    2019-04-04 08:12:00 07[ENC] <Company_HQ_Data-1|67> parsed CREATE_CHILD_SA response 4 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 07[IKE] <Company_HQ_Data-1|67> CHILD_SA Company_HQ_Data-3{451} established with SPIs ca7212bd_i c4e85288_o and TS 192.168.5.0/24 === 192.168.1.0/24
    2019-04-04 08:12:00 07[APP] <Company_HQ_Data-1|67> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 07[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.5.0/24#192.168.1.0/24)
    2019-04-04 08:12:00 07[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 9 to 10 ++ up ++ (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 07[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) UID: 67 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 07[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2019-04-04 08:12:00 12[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 12[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 12[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.1.0/24) already set up
    2019-04-04 08:12:00 07[IKE] <Company_HQ_Data-1|67> establishing CHILD_SA Company_HQ_Data-1
    2019-04-04 08:12:00 07[ENC] <Company_HQ_Data-1|67> generating CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 07[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (1168 bytes)
    2019-04-04 08:12:00 31[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (272 bytes)
    2019-04-04 08:12:00 31[ENC] <Company_HQ_Data-1|67> parsed CREATE_CHILD_SA response 5 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 31[IKE] <Company_HQ_Data-1|67> CHILD_SA Company_HQ_Data-1{452} established with SPIs cf038334_i c8e0861d_o and TS 192.168.5.0/24 === 192.168.7.0/24
    2019-04-04 08:12:00 31[APP] <Company_HQ_Data-1|67> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 31[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.5.0/24#192.168.7.0/24)
    2019-04-04 08:12:00 31[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 10 to 11 ++ up ++ (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 31[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) UID: 67 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 31[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2019-04-04 08:12:00 19[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 19[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 19[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.7.0/24) already set up
    2019-04-04 08:12:00 31[IKE] <Company_HQ_Data-1|67> establishing CHILD_SA Company_HQ_Data-4
    2019-04-04 08:12:00 31[ENC] <Company_HQ_Data-1|67> generating CREATE_CHILD_SA request 6 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 31[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (1168 bytes)
    2019-04-04 08:12:00 18[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (272 bytes)
    2019-04-04 08:12:00 18[ENC] <Company_HQ_Data-1|67> parsed CREATE_CHILD_SA response 6 [ SA No KE TSi TSr ]
    2019-04-04 08:12:00 18[IKE] <Company_HQ_Data-1|67> CHILD_SA Company_HQ_Data-4{453} established with SPIs c5db6266_i cdffea92_o and TS 192.168.5.0/24 === 192.168.2.0/24
    2019-04-04 08:12:00 18[APP] <Company_HQ_Data-1|67> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 18[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting) ref_count: 1 to 2 ++ up ++ (192.168.5.0/24#192.168.2.0/24)
    2019-04-04 08:12:00 18[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 11 to 12 ++ up ++ (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 18[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) UID: 67 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 18[APP] <Company_HQ_Data-1|67> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' up-client
    2019-04-04 08:12:00 27[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 27[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 27[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.2.0/24) already set up
    2019-04-04 08:12:00 15[IKE] <Company_HQ_Data-1|66> deleting IKE_SA Company_HQ_Data-1[66] between BRANCH_IP[172.16.5.2]...HEADQUARTERS_IP[172.16.5.1]
    2019-04-04 08:12:00 15[IKE] <Company_HQ_Data-1|66> sending DELETE for IKE_SA Company_HQ_Data-1[66]
    2019-04-04 08:12:00 15[ENC] <Company_HQ_Data-1|66> generating INFORMATIONAL request 156 [ D ]
    2019-04-04 08:12:00 15[IKE] <Company_HQ_Data-1|66> sending DELETE for IKE_SA Company_HQ_Data-1[66]
    2019-04-04 08:12:00 15[ENC] <Company_HQ_Data-1|66> generating INFORMATIONAL request 156 [ D ]
    2019-04-04 08:12:00 15[NET] <Company_HQ_Data-1|66> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (96 bytes)
    2019-04-04 08:12:00 18[IKE] <Company_HQ_Data-1|67> verifying peer certificate
    2019-04-04 08:12:00 18[CFG] <Company_HQ_Data-1|67>   using trusted certificate "172.16.5.1"
    2019-04-04 08:12:00 18[IKE] <Company_HQ_Data-1|67> peer certificate successfully verified
    2019-04-04 08:12:00 23[NET] <Company_HQ_Data-1|66> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (96 bytes)
    2019-04-04 08:12:00 23[ENC] <Company_HQ_Data-1|66> parsed INFORMATIONAL response 156 [ ]
    2019-04-04 08:12:00 23[IKE] <Company_HQ_Data-1|66> IKE_SA deleted
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting) ref_count: 2 to 1 -- down -- (192.168.5.0/24#192.168.201.0/24)
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 12 to 11 -- down -- (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) UID: 66 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2019-04-04 08:12:00 17[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:00 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:00 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.201.0/24) already set up
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting) ref_count: 2 to 1 -- down -- (192.168.5.0/24#192.168.3.0/24)
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 11 to 10 -- down -- (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) UID: 66 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting) ref_count: 2 to 1 -- down -- (192.168.5.0/24#192.168.9.0/24)
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 10 to 9 -- down -- (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) UID: 66 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:00 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting) ref_count: 2 to 1 -- down -- (192.168.5.0/24#192.168.1.0/24)
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 9 to 8 -- down -- (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) UID: 66 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting) ref_count: 2 to 1 -- down -- (192.168.5.0/24#192.168.7.0/24)
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 8 to 7 -- down -- (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) UID: 66 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [SSO] (sso_invoke_once) SSO is disabled.
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting) ref_count: 2 to 1 -- down -- (192.168.5.0/24#192.168.2.0/24)
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (ref_counting_remote) ref_count_remote: 7 to 6 -- down -- (BRANCH_IP#HEADQUARTERS_IP)
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) UID: 66 Net: Local BRANCH_IP Remote HEADQUARTERS_IP Connection: Company_HQ_Data Fullname: Company_HQ_Data-1
    2019-04-04 08:12:01 23[APP] <Company_HQ_Data-1|66> [COP-UPDOWN] (cop_updown_invoke_once) Tunnel: User '' Peer-IP '' my-IP '' down-client
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.3.0/24) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.9.0/24) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.1.0/24) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.7.0/24) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN][DB] (db_conn_info) hostname: 'Company_HQ_Data' result --> id: '1', mode: 'ntn', tunnel_type: '0', subnet_family:'0'
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec IKE for remotes (BRANCH_IP to HEADQUARTERS_IP) already set up
    2019-04-04 08:12:01 17[APP] [COP-UPDOWN] (do_cop_updown_invoke_once) !!SKIP!! IPsec SA for subnet (192.168.5.0/24 to 192.168.2.0/24) already set up
    2019-04-04 08:12:30 13[IKE] <Company_HQ_Data-1|67> sending DPD request
    2019-04-04 08:12:30 13[ENC] <Company_HQ_Data-1|67> generating INFORMATIONAL request 7 [ ]
    2019-04-04 08:12:30 13[NET] <Company_HQ_Data-1|67> sending packet: from BRANCH_IP[500] to HEADQUARTERS_IP[500] (96 bytes)
    2019-04-04 08:12:30 30[NET] <Company_HQ_Data-1|67> received packet: from HEADQUARTERS_IP[500] to BRANCH_IP[500] (96 bytes)
    2019-04-04 08:12:30 30[ENC] <Company_HQ_Data-1|67> parsed INFORMATIONAL response 7 [ ]
    

     

    Here's what my system log shows me:

    SYSTEM | 2019-04-04 08:12:01 | IPSec | Terminated | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP terminated. (Remote: HQ_IP) | 17802
    SYSTEM | 2019-04-04 08:12:01 | IPSec | Terminated | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP terminated. (Remote: HQ_IP) | 17802
    SYSTEM | 2019-04-04 08:12:01 | IPSec | Terminated | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP terminated. (Remote: HQ_IP) | 17802
    SYSTEM | 2019-04-04 08:12:01 | IPSec | Terminated | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP terminated. (Remote: HQ_IP) | 17802
    SYSTEM | 2019-04-04 08:12:01 | IPSec | Terminated | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP terminated. (Remote: HQ_IP) | 17802
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Terminated | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP terminated. (Remote: HQ_IP) | 17802
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Established | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP established. (Remote: HQ_IP) | 17801
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Established | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP established. (Remote: HQ_IP) | 17801
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Established | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP established. (Remote: HQ_IP) | 17801
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Established | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP established. (Remote: HQ_IP) | 17801
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Established | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP established. (Remote: HQ_IP) | 17801
    SYSTEM | 2019-04-04 08:12:00 | IPSec | Established | Company_HQ_Data-1 - IPSec Connection Company_HQ_Data-1 between HQ_IP and BRANCH_IP established. (Remote: HQ_IP) | 17801

     

    And the Charon.log looks to be identical to my strongswan.log

  • Hi Community,

    To follow up regarding  the fix for this (NR-1989) has since been released and has resolved the issue.

    Apologies for any inconveniences caused.

    Regards,

  • Hello,

    I think I have a similar problem between XG210 and Teltonika RUTX09 modems.

    Can you tell me how I can fix this problem? Sorry, I don't understand what "fix for this (NR-1989) has since been released and has resolved the issue" means. Does a patch exist?


    Thanks.

  • How was this released? I am also seeing something like this. 

     

    What is Sophos's description of NR-1989? Is there a link to all the current bugs we can see?

  • The bugfix was released to the cloud version of Sophos Central Admin Firewall Management. I no longer receive hundreds of alerts a day saying my IPSEC tunnel disconnected (when it was just rekeying, not actually disconnecting).  

      

    Now, I do receive several alerts a day saying a firewall disconnected from Sophos Central Admin (without internet loss), but I'll open another forum post/support case for that when I get some time.

  • I see!

    Are the IPSec terminated/established alerts still present in the Sophos firewall log? Was only receiving them suppressed in Sophos Central?

  • Yes, no change to the local firewall logs (although I agree they should have fixed it/differentiated it here too).
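
The difference discussed in this part of the thread, an IKE_SA that is deleted because a reauthentication replaced it versus one that is deleted with nothing to replace it, can be read from charon.log directly. The Python below is an added example, not part of the original posts and not Sophos code: it follows the `reauthenticating` / `established` / `deleting` sequence visible in the excerpt posted above, the sample lines are constructed on that pattern, and the function names `classify_ike_deletions` and `alert_worthy` are assumptions.

```python
import re
from datetime import datetime

# charon.log line: "<date> <time> <thread>[<GROUP>] <<conn>|<ike_sa_id>> <message>"
LINE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[(?P<grp>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<uid>\d+)> (?P<msg>.*)$"
)
REAUTH = re.compile(r"^reauthenticating IKE_SA (\S+)\[(\d+)\]")
ESTABLISHED = re.compile(r"^IKE_SA (\S+)\[(\d+)\] established between")
DELETING = re.compile(r"^deleting IKE_SA (\S+)\[(\d+)\] between")
CHILD_UP = re.compile(r"^CHILD_SA \S+\{\d+\} established")


def classify_ike_deletions(lines):
    """Label every locally initiated IKE_SA deletion as reauthentication or teardown."""
    reauth_at = {}    # (name, id) -> time the reauthentication was announced
    up_at = {}        # name -> {id: time that IKE_SA was established}
    child_count = {}  # (conn, id) -> CHILD_SAs established under that IKE_SA
    results = []
    for raw in lines:
        m = LINE.match(raw)
        if not m or m["grp"] != "IKE":
            continue  # only [IKE] lines carry the state changes used here
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if (r := REAUTH.match(msg)):
            reauth_at[(r[1], int(r[2]))] = ts
        elif (e := ESTABLISHED.match(msg)):
            up_at.setdefault(e[1], {})[int(e[2])] = ts
        elif CHILD_UP.match(msg):
            key = (m["conn"], int(m["uid"]))
            child_count[key] = child_count.get(key, 0) + 1
        elif (d := DELETING.match(msg)):
            name, old = d[1], int(d[2])
            started = reauth_at.get((name, old))
            successor = None
            if started is not None:
                # A replacement must have come up between the announcement and
                # the deletion; timestamps have one-second resolution, hence <=.
                for sa_id, t in up_at.get(name, {}).items():
                    if sa_id != old and started <= t <= ts:
                        successor = sa_id
            results.append({
                "time": m["ts"],
                "conn": name,
                "ike_sa": old,
                "kind": "reauthentication" if successor is not None else "teardown",
                "successor": successor,
                "child_sas": child_count.get((name, successor), 0),
            })
    return results


def alert_worthy(results):
    """Deletions that were not covered by an already established replacement."""
    return [(r["conn"], r["ike_sa"]) for r in results if r["kind"] == "teardown"]


# Constructed sample (not the poster's log): one reauthentication with two
# CHILD_SAs, one reauthentication that never got a successor, one plain deletion.
SAMPLE = """
2019-04-04 08:11:59 22[IKE] <Branch_HQ-1|66> reauthenticating IKE_SA Branch_HQ-1[66]
2019-04-04 08:11:59 22[IKE] <Branch_HQ-1|66> initiating IKE_SA Branch_HQ-1[67] to HQ_IP
2019-04-04 08:12:00 09[IKE] <Branch_HQ-1|67> IKE_SA Branch_HQ-1[67] established between BRANCH_IP[172.16.5.2]...HQ_IP[172.16.5.1]
2019-04-04 08:12:00 09[IKE] <Branch_HQ-1|67> CHILD_SA Branch_HQ-2{448} established with SPIs aaaaaaaa_i bbbbbbbb_o and TS 192.168.5.0/24 === 192.168.201.0/24
2019-04-04 08:12:00 29[IKE] <Branch_HQ-1|67> CHILD_SA Branch_HQ-6{449} established with SPIs cccccccc_i dddddddd_o and TS 192.168.5.0/24 === 192.168.3.0/24
2019-04-04 08:12:00 15[IKE] <Branch_HQ-1|66> deleting IKE_SA Branch_HQ-1[66] between BRANCH_IP[172.16.5.2]...HQ_IP[172.16.5.1]
2019-04-04 08:30:10 14[IKE] <Branch_B-1|12> reauthenticating IKE_SA Branch_B-1[12]
2019-04-04 08:30:10 14[IKE] <Branch_B-1|12> initiating IKE_SA Branch_B-1[13] to HQ_IP
2019-04-04 08:30:40 14[IKE] <Branch_B-1|12> deleting IKE_SA Branch_B-1[12] between BRANCH_B_IP[172.16.6.2]...HQ_IP[172.16.5.1]
2019-04-04 09:40:12 11[IKE] <Branch_HQ-1|67> deleting IKE_SA Branch_HQ-1[67] between BRANCH_IP[172.16.5.2]...HQ_IP[172.16.5.1]
""".splitlines()

if __name__ == "__main__":
    for row in classify_ike_deletions(SAMPLE):
        print(row)
    print("alert on:", alert_worthy(classify_ike_deletions(SAMPLE)))
```

The `child_sas` value is the number of CHILD_SAs brought up under the replacement IKE_SA, which is useful when matching one reauthentication against a burst of identical established/terminated entries.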

  • Hi,

    I am having the same issue where we receive up/down notifications when re-keying.

    The firmware version is SFOS 17.5.7 MR-7 but happened on SFOS 17.5.6 MR-6 too.

    Can you please elaborate on "the fix for this (NR-1989) has since been released and has resolved the issue."

    Which version of firmware is the fix in?

    Dan

  • Over the last couple of days, I've seen an increase in these failures on SFOS 17.5.8 MR-8

  • Hi  

    This issue (NR-1989) was related to notifications received from Sophos Central (related to the Firewall Management feature), not related to any alerts received directly from the Firewall.

    Are you experiencing similar notifications from Sophos Central?

    Regards,
