
IPsec VPN dropped after an hour of connection with Cisco 800

Hello Sophos Nerds 

 

I recently configured an XG125 (SFOS 17.5.9 MR-9) as a replacement for an X firewall.

Everything is great, but I have trouble with an IPsec VPN connection to a Cisco 800 router.

The connection is lost (or dropped) approximately 30-60 minutes after it is successfully established.

The configuration of the XG firewall is as follows:

The configuration of the Cisco 800 router is as follows:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key zzz-psk address xxx.x.xx.xxx
!
!
crypto ipsec transform-set zzz-transformset esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map zzz 10 ipsec-isakmp
 set peer xxx.x.xx.xxx
 set transform-set zzz-transformset
 match address 110

 

No solutions found by searching Google.

Can anyone give a suggestion?

Thanks in advance

 

Best Regards 

Suliman  



  • FormerMember
    0 FormerMember

    Hi Suliman,

    Can you check which Gateway type is selected on the IPsec connection profile? Is it respond only or initiate the connection? You can also find the reason for the disconnect if you put the strongswan service in debug and find the log entry that matches the time of the issue.

    Thanks,

  • Hi Patel 

    Thanks for your response. Regarding the Gateway Type, it is respond only.

  • Hello H_Patel,

    How can the strongswan service be put into debug? I have a similar problem between Azure and Sophos XG.

    Best regards,
    Bernd

  • Hi Suliman,

    Does this also happen if you set up a continuous ping from one side to the other?

    The other thing: check the relevant logs on the switch and on the firewall to see what's happening. IPsec debugging can be tricky if one setting is not matching, e.g. you set rekey on the Sophos side and I am not sure that the Cisco allows this, or rather I can't find the config for it. There are also some time parameters that must match.

    Best regards,
    Bernd

  • FormerMember
    +1 FormerMember in reply to Suliman

    Hi Suliman,

    Thank you for the update. Please change the Dead Peer Detection setting to hold or disconnect, as you have selected re-initiate, and monitor the issue. I have seen this cause issues if it is set to re-initiate connection when the gateway type is respond only.

    Thanks,

     

  • FormerMember
    +1 FormerMember in reply to BeEf

    Hi BeEf,

    Run the following command from the advanced shell to put the strongswan service in debug.

    service strongswan:debug -ds nosync

    Use the same command to turn debug off.

    Once you have the timestamp of the issue, check the logs around that time and you should be able to find out which side is sending delete SA packets.

    Thanks,

     

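The last step of the advice above, finding which side sent the delete, is tedious to do by eye once debug logging is on. The script below is an added example, not code from the thread, from Sophos or from strongSwan: it scans charon-style syslog lines for a time window around the reported drop and classifies every `DELETE` notify as received (the peer tore the SA down) or sent (our side did). The log lines, hostname `xg`, connection name `cisco-s2s`, addresses and SPIs are constructed for the example, and the line format is an approximation of strongSwan's charon output, so adjust `LINE_RE` if your log prefix differs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample approximating strongswan charon syslog output.
# Hostname, connection name, addresses, SPIs and times are made up for this example.
SAMPLE_LOG = """\
Mar  3 09:01:12 xg charon: 05[IKE] <cisco-s2s|3> IKE_SA cisco-s2s[3] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Mar  3 09:01:12 xg charon: 05[IKE] <cisco-s2s|3> CHILD_SA cisco-s2s{7} established with SPIs c0a8f1e2_i 1b2c3d4e_o
Mar  3 09:31:40 xg charon: 07[IKE] <cisco-s2s|3> sending DPD request
Mar  3 09:43:55 xg charon: 09[IKE] <cisco-s2s|3> received DELETE for ESP CHILD_SA with SPI 1b2c3d4e
Mar  3 09:43:55 xg charon: 09[IKE] <cisco-s2s|3> received DELETE for IKE_SA cisco-s2s[3]
Mar  3 09:43:55 xg charon: 09[IKE] <cisco-s2s|3> deleting IKE_SA cisco-s2s[3] between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
"""

# syslog prefix, "charon:", thread id and subsystem, "<conn|ikesa-id>", then the message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: "
    r"\d+\[[A-Z]+\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)
# Only the DELETE notifies; "deleting IKE_SA ..." is local bookkeeping and is
# logged whichever side started the teardown, so it is deliberately not matched.
DELETE_RE = re.compile(r"^(?P<dir>received|sending) DELETE for (?P<sa>ESP CHILD_SA|IKE_SA)\b")


def parse_ts(ts):
    """Parse a year-less syslog timestamp; all values share the same dummy year."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_sa_deletes(log_text, around, window_minutes=5):
    """Return DELETE notifies within +/- window_minutes of `around` (syslog format)."""
    centre = parse_ts(around)
    window = timedelta(minutes=window_minutes)
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if abs(parse_ts(m["ts"]) - centre) > window:
            continue
        d = DELETE_RE.match(m["msg"])
        if not d:
            continue
        events.append({
            "time": m["ts"],
            "conn": m["conn"],
            "direction": "received" if d["dir"] == "received" else "sent",
            "sa": "CHILD_SA" if "CHILD_SA" in d["sa"] else "IKE_SA",
        })
    return events


def who_tore_down(events):
    """'remote' if every DELETE was received, 'local' if every one was sent."""
    directions = {e["direction"] for e in events}
    if directions == {"received"}:
        return "remote"
    if directions == {"sent"}:
        return "local"
    if directions:
        return "both"
    return "none"


if __name__ == "__main__":
    # The operator supplies the timestamp of the drop taken from the XG logs.
    events = find_sa_deletes(SAMPLE_LOG, "Mar  3 09:44:00")
    for e in events:
        print(f'{e["time"]} {e["conn"]}: {e["direction"]} DELETE for {e["sa"]}')
    print("teardown initiated by:", who_tore_down(events))
```

In the constructed sample both deletes arrive from the peer, so the verdict is `remote`, which is the case where the Cisco side's settings (lifetimes, DPD behaviour) would be the first thing to compare against the XG profile. A `local` verdict points at the XG profile instead, and `both` usually means a rekey collision or a DPD timeout that each side handled on its own.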
  • Great, it solved the problem for me.

    Thank you

  • Hi Patel 

    Thanks for your help, I have one more small issue.
    Regarding the site-to-site connections, one of them turns off the router after the end of working hours.
    So, in the morning after they turn it on, the connection does not establish.

    We need to activate it manually. Do you have any suggestion to solve this one?

    Thanks in advance 

  • FormerMember
    0 FormerMember in reply to Suliman

    Hi Suliman,

    If you have the connection type set to initiate connection, restarting the router would reconnect the IPsec connection, but if it is respond only then the tunnel would not come up unless the initiator side initiates the connection.

    Thanks,

     

  • Thanks Patel 

     

    The gateway type on the XG is initiate connection, and so is the dead peer detection setting.

    However, if the router is shut down for more than 3 hours, the connection can't be established except manually.

    I tried to change the "Wait for response up to" value of dead peer detection to let it try to connect within 24 hours, but it didn't accept values greater than 9999!