
IPSec Site-to-Site dropping every hour

Hi All,

We have just gone live with our new XG firewall. One issue we are having is with IPSec Site-to-Site VPNs. Every hour, we get two email notifications to say the VPN has gone down and then back up straight away. However, none of our users experience dropouts and the logs do not show the VPN going down. Is there a way to stop the VPN from dropping every hour?

Edit: I should say that we have three IPSec VPNs and each is connecting to a Draytek Vigor firewall.

Thanks in advance



  • Hi  

    Do you also observe the IPSec connection drop in IPSec logs? Or on the Peer device? 

  • Hi  

    I checked the IPSec logs in the console and have found these results:


    2019-09-23 15:38:19 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4E1F2793) from other side
    2019-09-23 15:38:20 19[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4E1F2793) from other side
    2019-09-23 15:44:43 26[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9629D77E) from other side
    2019-09-23 15:44:43 21[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9629D77E) from other side

    The Draytek routers show no logs of the connection dropping.

    Thanks

  • I'd suggest checking the IPSec configuration and timeouts on both sides for this error. And while we're here, I'd also suggest referring to this article, "Sophos XG Firewall: IPsec troubleshooting and most common errors", for this and any other IPSec-related errors.

    Please check if the configuration parameters match on both sides.
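
To compare the alert times with the timeouts configured on both peers, as the last reply suggests, the following added example (not part of the thread and not Sophos tooling) parses the invalid-SPI alert lines quoted above, groups them by SPI, and reports the spacing between successive SPIs. The function names and the `lifetime_s` and `tolerance_s` parameters are assumptions made for illustration; the thread does not state the configured key life.

```python
import re
from datetime import datetime

# Log lines copied from the reply above.
SAMPLE_LOG = """\
2019-09-23 15:38:19 09[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4E1F2793) from other side
2019-09-23 15:38:20 19[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (4E1F2793) from other side
2019-09-23 15:44:43 26[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9629D77E) from other side
2019-09-23 15:44:43 21[DMN] [GARNER-LOGGING] (child_alert) ALERT: received IKE message with invalid SPI (9629D77E) from other side
"""

ALERT_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[\w+\] (?:\[[^\]]*\] )?"
    r"\(child_alert\) ALERT: received IKE message with invalid SPI "
    r"\(([0-9A-Fa-f]+)\) from other side"
)

def parse_alerts(text):
    """Return (timestamp, SPI) for each invalid-SPI alert; other lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            alerts.append((ts, m.group(2).upper()))
    return alerts

def group_by_spi(alerts):
    """Map SPI -> {'first', 'last', 'count'}, ordered by first sighting."""
    groups = {}
    for ts, spi in sorted(alerts):
        g = groups.setdefault(spi, {"first": ts, "last": ts, "count": 0})
        g["last"] = ts
        g["count"] += 1
    return groups

def gaps_between_spis(groups):
    """Seconds between the first sightings of successive SPIs."""
    firsts = [g["first"] for g in groups.values()]
    return [(b - a).total_seconds() for a, b in zip(firsts, firsts[1:])]

def gaps_near_lifetime(gaps, lifetime_s, tolerance_s=120):
    """Gaps within tolerance of a configured key life (hypothetical input)."""
    return [g for g in gaps if abs(g - lifetime_s) <= tolerance_s]

if __name__ == "__main__":
    groups = group_by_spi(parse_alerts(SAMPLE_LOG))
    for spi, g in groups.items():
        print(spi, g["first"], g["last"], g["count"])
    print("gaps (s):", gaps_between_spis(groups))
```

Run over a full day of the IPsec log, gaps that repeatedly land near the key life set on one peer but not the other point to the mismatched timeout to correct.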