Sophos Connect Clients randomly getting dropped off VPN

We have remote users using Sophos Connect Client connecting to a FW on 18.0.4 MR-4 that are randomly disconnecting.

Looking at the logs on the FW, we are seeing these messages:

VPN-1 - IKE message retransmission timed out (Remote: 152.193.5.218) and IKE_SA timed out before it could be established. Then maybe 30 seconds later the affected user's VPN session reestablishes and is connected again for some time.

If I look at the logs from the advanced shell:

2021-02-11 15:20:30 24[CFG] <VPN-1|69> handling HA CHILD_SA VPN-1{190} 192.168.10.21/32 === 10.10.10.23/32 (segment in: 1*, out: 1*)
2021-02-11 15:20:30 24[IKE] <VPN-1|69> CHILD_SA VPN-1{190} established with SPIs c79cebe4_i ecdea2ac_o and TS 192.168.10.21/32 === 10.10.10.23/32
2021-02-11 15:20:30 24[IKE] <VPN-1|69> ### destroy: 0x7f23d40033b0
2021-02-11 15:20:31 15[NET] <VPN-1|174> received packet: from 68.238.193.46[54510] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:31 15[ENC] <VPN-1|174> parsed INFORMATIONAL_V1 request 354000927 [ HASH N(DPD) ]
2021-02-11 15:20:31 15[ENC] <VPN-1|174> generating INFORMATIONAL_V1 request 1474428525 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:31 15[NET] <VPN-1|174> sending packet: from 50.75.29.189[4500] to 68.238.193.46[54510] (108 bytes)
2021-02-11 15:20:36 15[IKE] <VPN-1|8> sending DPD request
2021-02-11 15:20:36 15[ENC] <VPN-1|8> generating INFORMATIONAL_V1 request 4032723093 [ HASH N(DPD) ]
2021-02-11 15:20:36 15[NET] <VPN-1|8> sending packet: from 50.75.29.189[4500] to 65.185.119.197[51583] (108 bytes)
2021-02-11 15:20:36 17[NET] <VPN-1|8> received packet: from 65.185.119.197[51583] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:36 17[ENC] <VPN-1|8> parsed INFORMATIONAL_V1 request 4144008415 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:39 23[NET] <VPN-1|5> received packet: from 75.149.20.190[58325] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:39 23[ENC] <VPN-1|5> parsed INFORMATIONAL_V1 request 3357301504 [ HASH N(DPD) ]
2021-02-11 15:20:39 23[ENC] <VPN-1|5> generating INFORMATIONAL_V1 request 2812308089 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:39 23[NET] <VPN-1|5> sending packet: from 50.75.29.189[4500] to 75.149.20.190[58325] (108 bytes)
2021-02-11 15:20:40 31[NET] <VPN-1|26> received packet: from 174.208.8.52[23927] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:40 31[ENC] <VPN-1|26> parsed INFORMATIONAL_V1 request 2301313461 [ HASH N(DPD) ]
2021-02-11 15:20:40 31[ENC] <VPN-1|26> generating INFORMATIONAL_V1 request 1470736063 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:40 31[NET] <VPN-1|26> sending packet: from 50.75.29.189[4500] to 174.208.8.52[23927] (108 bytes)
2021-02-11 15:20:42 18[IKE] <VPN-1|19> sending DPD request
2021-02-11 15:20:42 18[ENC] <VPN-1|19> generating INFORMATIONAL_V1 request 1126644735 [ HASH N(DPD) ]
2021-02-11 15:20:42 18[NET] <VPN-1|19> sending packet: from 50.75.29.189[4500] to 162.218.145.6[59018] (108 bytes)
2021-02-11 15:20:42 32[NET] <VPN-1|19> received packet: from 162.218.145.6[59018] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:42 32[ENC] <VPN-1|19> parsed INFORMATIONAL_V1 request 555344424 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:43 28[IKE] <Plainfield_New-1|33> sending DPD request
2021-02-11 15:20:43 28[ENC] <Plainfield_New-1|33> generating INFORMATIONAL_V1 request 2205122232 [ HASH N(DPD) ]
2021-02-11 15:20:43 28[NET] <Plainfield_New-1|33> sending packet: from 50.75.29.189[500] to 159.250.0.169[500] (108 bytes)
2021-02-11 15:20:43 14[NET] <Plainfield_New-1|33> received packet: from 159.250.0.169[500] to 50.75.29.189[500] (108 bytes)
2021-02-11 15:20:43 14[ENC] <Plainfield_New-1|33> parsed INFORMATIONAL_V1 request 178163176 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:45 24[IKE] <VPN-1|11> sending DPD request
2021-02-11 15:20:45 24[ENC] <VPN-1|11> generating INFORMATIONAL_V1 request 3982438688 [ HASH N(DPD) ]
2021-02-11 15:20:45 24[NET] <VPN-1|11> sending packet: from 50.75.29.189[4500] to 71.240.122.49[58339] (108 bytes)
2021-02-11 15:20:45 12[NET] <VPN-1|11> received packet: from 71.240.122.49[58339] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:45 12[ENC] <VPN-1|11> parsed INFORMATIONAL_V1 request 3174936446 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:45 27[NET] <VPN-1|69> received packet: from 50.244.234.193[61678] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:45 27[ENC] <VPN-1|69> parsed INFORMATIONAL_V1 request 1966289005 [ HASH N(DPD) ]
2021-02-11 15:20:45 27[ENC] <VPN-1|69> generating INFORMATIONAL_V1 request 1986081584 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:45 27[NET] <VPN-1|69> sending packet: from 50.75.29.189[4500] to 50.244.234.193[61678] (108 bytes)
2021-02-11 15:20:46 05[NET] <VPN-1|174> received packet: from 68.238.193.46[54510] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:46 05[ENC] <VPN-1|174> parsed INFORMATIONAL_V1 request 123858907 [ HASH N(DPD) ]
2021-02-11 15:20:46 05[ENC] <VPN-1|174> generating INFORMATIONAL_V1 request 3312036097 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:46 05[NET] <VPN-1|174> sending packet: from 50.75.29.189[4500] to 68.238.193.46[54510] (108 bytes)
2021-02-11 15:20:54 13[NET] <VPN-1|5> received packet: from 75.149.20.190[58325] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:54 13[ENC] <VPN-1|5> parsed INFORMATIONAL_V1 request 1036310299 [ HASH N(DPD) ]
2021-02-11 15:20:54 13[ENC] <VPN-1|5> generating INFORMATIONAL_V1 request 1595646099 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:54 13[NET] <VPN-1|5> sending packet: from 50.75.29.189[4500] to 75.149.20.190[58325] (108 bytes)
2021-02-11 15:20:55 31[NET] <VPN-1|26> received packet: from 174.208.8.52[23927] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:55 31[ENC] <VPN-1|26> parsed INFORMATIONAL_V1 request 926039491 [ HASH N(DPD) ]
2021-02-11 15:20:55 31[ENC] <VPN-1|26> generating INFORMATIONAL_V1 request 2104519849 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:55 31[NET] <VPN-1|26> sending packet: from 50.75.29.189[4500] to 174.208.8.52[23927] (108 bytes)
2021-02-11 15:20:55 05[IKE] <VPN-1|23> sending DPD request
2021-02-11 15:20:55 05[ENC] <VPN-1|23> generating INFORMATIONAL_V1 request 1483352352 [ HASH N(DPD) ]
2021-02-11 15:20:55 05[NET] <VPN-1|23> sending packet: from 50.75.29.189[4500] to 164.52.230.194[50517] (108 bytes)
2021-02-11 15:20:55 09[NET] <VPN-1|23> received packet: from 164.52.230.194[50517] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:20:55 09[ENC] <VPN-1|23> parsed INFORMATIONAL_V1 request 1971663142 [ HASH N(DPD_ACK) ]
2021-02-11 15:21:00 31[NET] <VPN-1|69> received packet: from 50.244.234.193[61678] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:21:00 31[ENC] <VPN-1|69> parsed INFORMATIONAL_V1 request 3461046038 [ HASH N(DPD) ]
2021-02-11 15:21:00 31[ENC] <VPN-1|69> generating INFORMATIONAL_V1 request 3064966082 [ HASH N(DPD_ACK) ]
2021-02-11 15:21:00 31[NET] <VPN-1|69> sending packet: from 50.75.29.189[4500] to 50.244.234.193[61678] (108 bytes)
2021-02-11 15:21:01 05[NET] <VPN-1|174> received packet: from 68.238.193.46[54510] to 50.75.29.189[4500] (108 bytes)
2021-02-11 15:21:01 05[ENC] <VPN-1|174> parsed INFORMATIONAL_V1 request 1478452648 [ HASH N(DPD) ]
2021-02-11 15:21:01 05[ENC] <VPN-1|174> generating INFORMATIONAL_V1 request 1744343798 [ HASH N(DPD_ACK) ]
2021-02-11 15:21:01 05[NET] <VPN-1|174> sending packet: from 50.75.29.189[4500] to 68.238.193.46[54510] (108 bytes)

It appears that it's sending DPD checks every 30 seconds.

My question is: what IPsec policy do Sophos Connect clients use on the FW under VPN when the clients connect? Any insight into how we can resolve these random disconnects?
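One way to read DPD behaviour out of the advanced-shell log instead of by eye, as an added example that is not part of the original post: it groups the `N(DPD)` / `N(DPD_ACK)` lines by IKE SA, reports the interval between probes received from each client, and counts firewall-sent probes that never got an ACK. The sample lines are constructed in the log format shown above; the function name `dpd_report` and SA `VPN-1|42` are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the charon log format quoted in the post
# (documentation-range addresses; SA "VPN-1|42" is made up to show a silent peer).
SAMPLE = """\
2021-02-11 15:20:31 15[NET] <VPN-1|174> received packet: from 198.51.100.7[54510] to 203.0.113.1[4500] (108 bytes)
2021-02-11 15:20:31 15[ENC] <VPN-1|174> parsed INFORMATIONAL_V1 request 354000927 [ HASH N(DPD) ]
2021-02-11 15:20:31 15[ENC] <VPN-1|174> generating INFORMATIONAL_V1 request 1474428525 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:36 15[ENC] <VPN-1|8> generating INFORMATIONAL_V1 request 4032723093 [ HASH N(DPD) ]
2021-02-11 15:20:36 17[ENC] <VPN-1|8> parsed INFORMATIONAL_V1 request 4144008415 [ HASH N(DPD_ACK) ]
2021-02-11 15:20:40 18[ENC] <VPN-1|42> generating INFORMATIONAL_V1 request 1126644735 [ HASH N(DPD) ]
2021-02-11 15:20:46 05[ENC] <VPN-1|174> parsed INFORMATIONAL_V1 request 123858907 [ HASH N(DPD) ]
2021-02-11 15:21:01 05[ENC] <VPN-1|174> parsed INFORMATIONAL_V1 request 1478452648 [ HASH N(DPD) ]
2021-02-11 15:21:40 18[ENC] <VPN-1|42> generating INFORMATIONAL_V1 request 2205122232 [ HASH N(DPD) ]
"""

LINE = re.compile(
    r"^(\S+ \S+) \d+\[ENC\] <([^>]+)> (parsed|generating) INFORMATIONAL_V1 "
    r"request \d+ \[ HASH N\((DPD|DPD_ACK)\) \]")

def dpd_report(log_text):
    """Summarise DPD traffic per IKE SA (the <name|id> tag on each line)."""
    report = defaultdict(lambda: {"peer_probe_gaps": [], "unanswered_local": 0})
    last_probe, pending = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # NET/IKE/CFG lines carry no DPD payload information
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        sa, verb, kind = m.group(2, 3, 4)
        entry = report[sa]  # create the per-SA record on first sight
        if (verb, kind) == ("parsed", "DPD"):        # probe sent by the client
            if sa in last_probe:
                entry["peer_probe_gaps"].append(int((ts - last_probe[sa]).total_seconds()))
            last_probe[sa] = ts
        elif (verb, kind) == ("generating", "DPD"):  # probe sent by the firewall
            entry["unanswered_local"] += int(pending.get(sa, False))
            pending[sa] = True
        elif (verb, kind) == ("parsed", "DPD_ACK"):  # client answered our probe
            pending[sa] = False
    for sa, waiting in pending.items():              # probes still open at end of log
        report[sa]["unanswered_local"] += int(waiting)
    return dict(report)

if __name__ == "__main__":
    for sa, stats in dpd_report(SAMPLE).items():
        print(sa, stats)
```

An SA whose `unanswered_local` count climbs shortly before an "IKE message retransmission timed out" entry points at packets being lost on the path to that client rather than at key lifetime expiry.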



  • Hello there,

    Thank you for contacting the Sophos Community!

    Sophos Connect used the Default Remote Access policy; the IKE for this is 4-5 hours. Since this is IKEv1, it won't recreate a key to connect, unlike with IKEv2 (this is to be fixed in a future release). In any case, if the disconnections happen after these 4-5 hours, then it would be possible to increase the Key Life time.

    Do you happen to know if this reconnection happens after 4-5 hours?

    Do you also have any site-to-site IPsec tunnel? If so, try running this command from the console of the XG (5>4):

    console> set vpn conn-remove-tunnel-up disable

    Regards.

  • Not sure if the reconnect is happening every 4-5 hours. We believe it was happening more frequently than that; for some users it may happen as often as every 30 mins or so. The weird thing is I don't think the user even sees that Sophos Connect has dropped or is reconnecting, as it shows the green check mark over the icon the whole time, I believe.

    Looking at the Default Remote Access IPsec policy, the default values, I believe, are selected and we did not change anything with this policy.

    The phase 1 key life is 18000 seconds or 5 hours, in phase 2 the key life is 3600 seconds or 1 hour, and dead peer detection is set to check every min, wait for 4 mins, and if no response then disconnect.

    The user connections should be sending some data over the tunnel at all times to ensure that DPD isn't kicking in, but without seeing a running packet capture it's hard to say.

    I don't know if there are some IPsec bugs in V18.0.4 -MR4. We recently upgraded from 17.5.12, where we didn't see these issues. My assumption is that any and all settings we had in the previous build would carry over, but I don't know if the changes in 18 under the hood would cause these sporadic issues.

    We do have a site-to-site running between another location and our main datacenter.

    Will running that console command drop existing tunnel connections?
