VPN - IPSec Tunnel goes down and up frequently

We have one XG 125 firewall in the US and one in India, and the VPN connection between both goes down and up every now and then.

  • FormerMember

    Hi,

    Thanks for reaching out, and welcome to the Sophos Community!

    Could you please provide the output of the following command from the Advanced Shell?

    • grep -i "dead" /log/dgd.log

    SSH into the XG firewall by following this KBA: Sophos XG Firewall: How to SSH to the firewall using PuTTY utility

    • To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
    • Select option 5 Device Management.
    • Select option 3 Advanced Shell.

    You could also collect the strongswan logs with debugging enabled if it's not an issue caused by an unstable gateway.

    • To put the strongswan service into debugging, type the following command: service strongswan:debug -ds nosync
      • Output:
        SFVUNL_AZ01_SFOS 18.0.3 MR-3# service strongswan:debug -ds nosync
        200 OK
    • Run the following command to check the status of the service: service -S | grep strongswan
      • Output:
        SFVUNL_AZ01_SFOS 18.0.3 MR-3# service -S | grep strongswan
        strongswan RUNNING,DEBUG
      • Note: Run the same command again to take the service out of debug.
    • To check the live logs, run the following command from the Advanced Shell: tail -f /log/strongswan.log
    • The less command allows you to parse through the static log files. You can also match keywords within the logs by entering /<keyword or string>
      • less /log/strongswan.log
    • The grep command applies a search filter for the keyword within the logs.
      • grep '<Keyword/String>' /log/strongswan.log
      • You could filter the logs by the tunnel name if there are multiple IPsec tunnels.

    Thanks,

  • Hi Patel,

    XG125_XN03_SFOS 18.0.4 MR-4# grep -i "dead" /log/dgd.log
    DEBUG Jan 30 01:35:59 [8073]: Current Status [GW(Comcast%5fStattic,Port2)] : Dead
    NOTICE Jan 30 01:35:59 [8073]: Actiontree, Live to Dead
    NOTICE Jan 30 01:35:59 [8073]: Actiontree, executing: Live_To_Dead @Comcast%5fStattic
    DEBUG Jan 30 01:35:59 [3920]: Executing Service : <gateway:gw_live_to_dead> args : <{"param":"@Comcast%5fStattic"}>
    DEBUG Jan 30 01:37:01 [8073]: Current Status : Dead
    DEBUG Jan 30 01:37:03 [8073]: Current Status : Dead
    DEBUG Jan 30 01:37:05 [8073]: Current Status : Dead
    DEBUG Jan 30 01:37:07 [8073]: Current Status : Dead
    DEBUG Jan 30 01:37:09 [8073]: Current Status : Dead
    DEBUG Jan 30 01:37:11 [8073]: Current Status [GW(Comcast%5fStattic,Port2)] : Dead
    DEBUG Jan 30 01:38:11 [8073]: Current Status : Dead
    NOTICE Jan 30 01:38:11 [8073]: Actiontree, Dead to Live
    NOTICE Jan 30 01:38:11 [8073]: Actiontree, executing: Dead_To_Live @Comcast%5fStattic
    DEBUG Jan 30 01:38:11 [4855]: Executing Service : <gateway:gw_dead_to_live> args : <{"param":"@Comcast%5fStattic"}>
    NOTICE Feb 25 07:09:16 [10803]: Actiontree, executing: Dead_To_Live @Comcast%5fStattic
    DEBUG Feb 25 07:09:16 [10806]: Executing Service : <gateway:gw_dead_to_live> args : <{"param":"@Comcast%5fStattic"}>
    NOTICE Feb 25 07:09:31 [11680]: Actiontree, executing: Dead_To_Live @Comcast%5fStattic
    DEBUG Feb 25 07:09:31 [11759]: Executing Service : <gateway:gw_dead_to_live> args : <{"param":"@Comcast%5fStattic"}>
    XG125_XN03_SFOS 18.0.4 MR-4#
    XG125_XN03_SFOS 18.0.4 MR-4# service strongswan:debug -ds nosync
    200 OK
    XG125_XN03_SFOS 18.0.4 MR-4# service -S | grep strongswan
    strongswan RUNNING,DEBUG
    strongswan-ctl UNTOUCHED

    2021-03-05 09:58:25 03[NET] received packet: from 183.82.108.197[500] to 50.77.14.5[500] on Port2
    2021-03-05 09:58:25 03[NET] waiting for data on sockets
    2021-03-05 09:58:25 29[NET] <US_TO_HYD-1|182> received packet: from 183.82.108.197[500] to 50.77.14.5[500] (92 bytes)
    2021-03-05 09:58:25 29[ENC] <US_TO_HYD-1|182> parsed INFORMATIONAL_V1 request 2547140637 [ HASH N(DPD) ]
    2021-03-05 09:58:25 29[IKE] <US_TO_HYD-1|182> queueing ISAKMP_R_U_THERE_ACK task, already 0 tasks queued
    2021-03-05 09:58:25 29[IKE] <US_TO_HYD-1|182> activating new tasks
    2021-03-05 09:58:25 29[IKE] <US_TO_HYD-1|182> activating ISAKMP_R_U_THERE_ACK task
    2021-03-05 09:58:25 29[ENC] <US_TO_HYD-1|182> generating INFORMATIONAL_V1 request 2165866362 [ HASH N(DPD_ACK) ]
    2021-03-05 09:58:25 29[NET] <US_TO_HYD-1|182> sending packet: from 50.77.14.5[500] to 183.82.108.197[500] (92 bytes)
    2021-03-05 09:58:25 29[IKE] <US_TO_HYD-1|182> activating new tasks
    2021-03-05 09:58:25 29[IKE] <US_TO_HYD-1|182> nothing to initiate
    2021-03-05 09:58:25 04[NET] sending packet: from 50.77.14.5[500] to 183.82.108.197[500]
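The dgd.log output posted above only shows the raw Live/Dead transitions; the following POSIX shell script, added here as an example and not part of the thread or of Sophos' tooling, parses lines in that exact format to count flaps and to measure each outage, and flags a Dead_To_Live that has no preceding Live_To_Dead (as with the Feb 25 entries). The sample lines are constructed to mirror the posted format; on the firewall you would feed it /log/dgd.log instead.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: summarise gateway
# Live/Dead transitions from dgd.log in the format posted above, so the
# flap count and the length of each outage can be read off directly.
# On the firewall: gateway_transitions /log/dgd.log | outage_report
# The sample below is constructed to mirror the posted format.
DGD_SAMPLE='NOTICE Jan 30 01:35:59 [8073]: Actiontree, executing: Live_To_Dead @Comcast%5fStattic
NOTICE Jan 30 01:38:11 [8073]: Actiontree, executing: Dead_To_Live @Comcast%5fStattic
NOTICE Feb 25 07:09:16 [10803]: Actiontree, executing: Dead_To_Live @Comcast%5fStattic
NOTICE Feb 25 07:09:31 [11680]: Actiontree, executing: Dead_To_Live @Comcast%5fStattic'

# gateway_transitions [file...]: one "<mon> <day> <time> <event> <gateway>"
# line per "Actiontree, executing:" entry (reads stdin when no file is given).
gateway_transitions() {
    awk '/Actiontree, executing:/ {
        # $2 $3 = month/day, $4 = time, $8 = Live_To_Dead|Dead_To_Live, $9 = @gateway
        gw = $9; sub(/^@/, "", gw)
        printf "%s %s %s %s %s\n", $2, $3, $4, $8, gw
    }' "$@"
}

# count_flaps [file...]: number of Live_To_Dead events, i.e. outages.
count_flaps() {
    gateway_transitions "$@" | awk '$4 == "Live_To_Dead" { n++ } END { print n + 0 }'
}

# outage_report [file...]: pair each Live_To_Dead with the next Dead_To_Live
# for the same gateway on the same day and print the outage length in seconds.
# A Dead_To_Live with no recorded Live_To_Dead is reported on its own line.
outage_report() {
    gateway_transitions "$@" | awk '
    function secs(t,  p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    $4 == "Live_To_Dead" { down[$5] = secs($3); day[$5] = $1 " " $2; next }
    $4 == "Dead_To_Live" {
        if (($5 in down) && day[$5] == $1 " " $2) {
            printf "%s %s %s down %d s\n", $1, $2, $5, secs($3) - down[$5]
            delete down[$5]
        } else {
            printf "%s %s %s %s up without recorded down\n", $1, $2, $3, $5
        }
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$DGD_SAMPLE" | outage_report
```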