I am having issues with a site-to-site IPsec IKEv2 VPN causing the Sophos XG firewall to randomly reboot/crash. The issue only started occurring once I switched to version 18. I have run many versions of 18 and I'm currently on SFOS 18.0.1 MR-1-Build396 and the issue still persists.
The firewall has multiple IPsec IKEv2 site-to-site VPNs, but I find that if I'm pulling continuous data over one of the VPNs the firewall will randomly reboot.
It doesn't seem to be the IPsec IKEv2 VPNs in general, as I have another VPN connection I pull a lot more data over and it never causes the firewall to reboot.
The VPN that appears to be causing the problem is a site to site IPSEC IKEv2 VPN. It has the following settings:
A note about the settings. Before I went to post I was double-checking the settings and authentication was still set to SHA1. I figured I should fix that and went to check the other end, which is a pfSense firewall. The pfSense firewall was already set to aes256. I updated the Sophos end and everything still connected. I'm not sure if this is a red herring or indicates issues in the strongSwan configuration in the Sophos XG causing the firewall to reboot. Even after changing the settings the Sophos XG firewall still randomly rebooted (crashed).
I have had a look in /logs/syslog and all I see is:
Jul 12 20:23:37 (none) user.err kernel: [79416.313325] packet dropped in ipsec0 device
Jul 12 20:23:46 (none) user.err kernel: [79425.145038] packet dropped in ipsec0 device
Jul 12 20:23:46 (none) user.err kernel: [79425.145050] packet dropped in ipsec0 device
Jul 12 22:06:49 (none) syslog.info syslogd started: BusyBox v1.21.1
Jul 12 22:06:49 (none) user.notice kernel: [ 0.000000] Linux version 4.14.38 (jenkins@ci-39) (gcc version 7.3.0 (OpenWrt GCC 7.3.0 7340-gf2d738297)) #2 SMP Fri Jun 5 23:03:53 UTC 2020
Jul 12 22:06:49 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_0_1_396 quiet console=tty0 console=ttyS0,38400n8 maxcpus=4 memlimit=6G
Jul 12 22:06:49 (none) user.info kernel: [ 0.000000] Disabled fast string operations
Jul 12 22:06:49 (none) user.info kernel: [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
Jul 12 22:06:49 (none) user.info kernel: [ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
Jul 12 22:06:49 (none) user.info kernel: [ 0.000000] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
Nothing to indicate the Sophos XG firewall crashed and restarted.
Sophos XG information:
- Upgraded from Version 17.5 to V18.
- Running on ESXi 7. Was previously on ESXi 6.7 but issue was present there too.
- 2 vCPU
- 4 GB RAM
- Fast storage
- VMXNET3 NICs
- Handles all inter VLAN routing.
Problem VPN:
- Sophos XG only crashes when there is a constant data stream.
- Data stream is around 4-7 mbps when it crashes
- UDP traffic when it crashes.
- Latency of VPN is 260 - 300 ms
- Other end is a pfSense 2.4.4 box.
- IKEv2
- IPsec policy above.
- VPN is idle most of the time but up 24x7
I've had a look in the /log/syslog.log as per above and didn't see anything.
Does the appliance produce a dump when it crashes and then reboots or does it appear to be simply just rebooting? Any guidance on what logs to look at and how to troubleshoot this is greatly appreciated.
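Added example, not part of the original post and not Sophos tooling: a small Python parser that finds unannounced reboots in a BusyBox-style syslog like the excerpt above by watching for the kernel uptime counter resetting, and reports how long the box was silent beforehand. The function name, the year supplied for the year-less timestamps and the list of "orderly shutdown" strings are assumptions of this example.

```python
import re
from datetime import datetime

# First lines of the syslog excerpt from the post above (kernel banner abridged).
SAMPLE = """\
Jul 12 20:23:37 (none) user.err kernel: [79416.313325] packet dropped in ipsec0 device
Jul 12 20:23:46 (none) user.err kernel: [79425.145038] packet dropped in ipsec0 device
Jul 12 20:23:46 (none) user.err kernel: [79425.145050] packet dropped in ipsec0 device
Jul 12 22:06:49 (none) syslog.info syslogd started: BusyBox v1.21.1
Jul 12 22:06:49 (none) user.notice kernel: [ 0.000000] Linux version 4.14.38 (jenkins@ci-39)
Jul 12 22:06:49 (none) user.info kernel: [ 0.000000] Command line: BOOT_IMAGE=/18_0_1_396 quiet
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ (.*)$")
KERNEL_RE = re.compile(r"kernel: \[\s*(\d+\.\d+)\]")
# Assumption: strings an orderly shutdown would leave in the log; adjust per platform.
CLEAN_MARKERS = ("syslogd exiting", "reboot: Restarting system", "reboot: Power down")


def find_reboots(text, year=2020, lookback=20):
    """Return one record per kernel-uptime reset found in a BusyBox-style syslog."""
    events, msgs = [], []
    last = None  # (wall clock, uptime) of the most recent kernel line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        wall = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        k = KERNEL_RE.search(m.group(2))
        if k:
            uptime = float(k.group(1))
            if last and uptime < last[1]:  # uptime went backwards: a new boot
                tail = msgs[-lookback:]    # messages logged just before the boot
                events.append({
                    "last_kernel_line": last[0],
                    "uptime_before": last[1],
                    "boot_logged": wall,
                    "gap_seconds": int((wall - last[0]).total_seconds()),
                    "clean": any(c in t for t in tail for c in CLEAN_MARKERS),
                })
            last = (wall, uptime)
        msgs.append(m.group(2))
    return events


if __name__ == "__main__":
    for ev in find_reboots(SAMPLE):
        kind = "orderly" if ev["clean"] else "no shutdown messages logged"
        print(f'{ev["boot_logged"]}: reboot after {ev["uptime_before"]:.0f}s uptime, '
              f'{ev["gap_seconds"]}s unlogged, {kind}')
```

Run over the full syslog, the `gap_seconds` and `uptime_before` values for each event can be lined up against the times the VPN was carrying traffic and against the hypervisor's own event log for the VM.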