
IPsec VPN dropped after an hour of connection with Cisco 800

Hello Sophos Nerds 

 

I recently configured an XG125 with version SFOS 17.5.9 MR-9 as a replacement for X firewall.

Everything is great, but I have trouble with an IPsec VPN connection to a Cisco 800 router.

The connection is lost (or dropped) approximately 30-60 minutes after it is successfully established.

The configuration of the XG Firewall is as follows:

 

  

 

 

The configuration of the Cisco 800 router is as follows:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key zzz-psk address xxx.x.xx.xxx
!
!
crypto ipsec transform-set zzz-transformset esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map zzz 10 ipsec-isakmp
 set peer xxx.x.xx.xxx
 set transform-set zzz-transformset
 match address 110

 

I found no solutions by searching Google.

Can anyone give a suggestion?

Thanks in advance

 

Best Regards 

Suliman  



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi Suliman,

    Can you check which Gateway type is selected on the IPsec connection profile? Is it respond only or initiate the connection? You can also find the reason for the disconnect if you put the strongswan service in debug and find the log entry that matches the time of the issue.

    Thanks,

  • Hi Patel 

    Thanks for your response. Regarding the Gateway type, it's respond only.

  • FormerMember
    +1 FormerMember in reply to Suliman

    Hi Suliman,

    Thank you for the update. Please change the Dead Peer Detection setting to hold or disconnect, as you have selected re-initiate, and monitor the issue. I have seen this cause issues if it is set to re-initiate connection when the gateway type is respond only.

    Thanks,
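
    The mismatch described in the reply above, as an added example that is not part of the original thread: a small lint over strongSwan `ipsec.conf`-style text that flags respond-only connections whose DPD action tries to re-initiate. It assumes the XG's "Respond only" and "Re-initiate" settings correspond to strongSwan's `auto=add` and `dpdaction=restart`; the connection names and the sample config are constructed.

```python
# Added example. Assumption: XG "Respond only" ~ auto=add and
# DPD "Re-initiate" ~ dpdaction=restart in strongSwan ipsec.conf terms.

SAMPLE_CONF = """\
# constructed sample, not taken from a real firewall
conn %default
    keyexchange=ikev1
    dpdaction=restart

conn cisco800-branch
    auto=add            # respond only, inherits dpdaction=restart

conn hq-initiator
    auto=start          # initiator, so restart is consistent

conn cisco800-fixed
    auto=add
    dpdaction=hold      # the change suggested in the thread
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} with %default merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line = section header
            parts = line.split()
            current = None
            if len(parts) == 2 and parts[0] == "conn":
                current = sections.setdefault(parts[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}

def find_dpd_mismatch(text):
    """Names of respond-only conns whose DPD action tries to re-initiate."""
    return sorted(
        name for name, opts in parse_conns(text).items()
        if opts.get("auto", "ignore") == "add"
        and opts.get("dpdaction", "none") == "restart"
    )

if __name__ == "__main__":
    for name in find_dpd_mismatch(SAMPLE_CONF):
        print(f"{name}: respond-only with dpdaction=restart; use hold or clear")
```
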

     

  • Great, it solved the problem for me

    Thank you 

  • Hi Patel 

    Thanks for your help. I have one more small issue.
    Regarding the site-to-site connection, one of them turns off the router after the end of working hours.
    So in the morning, after they turn it on, the connection does not establish.

    We need to activate it manually. Do you have any suggestion to solve this one?

    Thanks in advance 

  • FormerMember
    0 FormerMember in reply to Suliman

    Hi Suliman,

    If you have the connection type as initiate connection, restarting the router would reconnect the IPsec connection, but if it is respond only then the tunnel would not come up unless the initiator side initiates the connection.

    Thanks,

     

  • Thanks Patel 

     

    The gateway type on XG is initiate connection also the dead peer detection 

    However, if the router is shut down for more than 3 hours, the connection can't be established except manually.

     

    I tried to change the "Wait for response up to" value of dead peer detection to let it try to connect within 24 hours, but it didn't accept values of more than 9999!!

     

     

  • I have a report from a client with the same issue but every 8 hours on SFOS 17.5.9 MR-9. It's an XG 135 that was upgraded from 16.x; the IPsec tunnel was recreated. They have another XG 135 that was upgraded from an earlier 17.x and it's working fine.
