
Getting Sophos Central notification e-mails saying IPSEC Disconnected/Reconnected every 186 to 189 minutes

I have an IKEv2 IPSec tunnel. During rekeying, the firewall's log reports that the connection drops and immediately reestablishes. The VPN connection is never actually lost.

This was an issue for me in the past, and it was fixed: https://community.sophos.com/products/xg-firewall/f/network-and-routing/111951/ipsec-vpns-keep-logging-five-terminate-established-log-entries-every-hour-or-so/405013

 

However, I am not sure whether the same issue has crept up again, as I no longer administer that network; this network is new and has been doing it from the start.

When switching to IKEv1, the issue goes away completely. I do not get logs or e-mail alerts, but I would like to be able to utilize IKEv2 without being bombarded by e-mails.

 

I'm using RSA Key encryption. The HQ is set to respond and the branch is set to initiate. Here's my policy on both firewalls:



This thread was automatically locked due to age.
  • We are having this exact same problem. What we noticed is that if we change from RSA key auth to Preshared Key, the issue goes away. We were also experiencing strange packet loss, seemed to happen more with UDP traffic than TCP, but not all the time. That also resolved once we switched from RSA to Preshared Key. We are using IKEv2, mixture of not using local or remote IDs and some connections using DNS as local/remote ID. The problem is consistent and easily repeatable. We are on XG v18.0.1 MR-1 Build 396.