Switch off Alerting of IPSec Tunnel up/down

Hello,

I get a lot of messages in Sophos Central from our firewall regarding IPsec tunnels that are shut down/re-established a couple of times per day.

How can these messages be suppressed? I looked on the firewall and also in Central.
Regards,
BeEf

  • You can stop the Email Alert in Central itself (not sending a message to you). 

    There is currently an investigation into why those alerts appear, if they are F-P.

    https://www.reddit.com/r/sophos/comments/m8vwx6/ikev2_tunnel_drops_at_every_phase_1_rekey/

  • Hi,

    In System Services -> Notification List you can disable notifications for VPN, which are off by default.

    Ian

    Lucar beat me.

  • Thanks. What do you mean by F-P?

  • False Positive (the tunnel is not really down; instead it's a rekey event).

  • This is not switched on. However, I get the alerts in Central (not by mail (and SNMP)).

    I guess this is not the event. It is rather an error like the one described in the Reddit article that was posted.

    So I can be more specific: how can these errors/alerts be suppressed? They happen several times per day and this pushes up the number of total alerts every day.

  • If the number is related to the key lifetime of your IPsec tunnel, it is likely you are affected by the same issue. It's easy to see the relation: the key lifetime is most likely 8 hours or less. If the alert occurs roughly every 8 hours, it looks like an F-P. And the workarounds are written in the Reddit thread as well - move to a PSK with 31 digits.

  • Did Sophos try to fix this over the weekend? Last week I saw it on only one firewall. Over the weekend it is seen on all firewalls that have an IPsec connection.

    It is also strange that on one A-P cluster the messages are reported only from the active firewall, and on the other A-P cluster (the one that was not affected last week) both nodes seem to send out these messages.

    This stuff is really buggy :-(.

    I cannot change the PSK easily as other companies are involved and not all firewalls can be reached easily without the tunnel active. I also do not want to adapt the length of the PSK to a faulty implementation of the firewall vendor.

    Better FIX this !!!

  • It is likely this is an issue in the core system of strongSwan, therefore not easy to fix. There is work to do in the future to get this under control, but it is not really that simple. The issue is to separate the false positive (rekey event) from the real "the tunnel is down" events.

    You could easily build a suppression and report "tunnel is down" after a minute or so. But that does not resolve the root cause, it only moves it to a different place.

    Therefore the work is currently to find a better solution to not generate tunnel down/up events if the child SA or something is rebuilding.
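The two ideas raised in this thread, holding a "tunnel down" alert for a minute before reporting it and checking whether the flaps line up with the key lifetime, can be run over an exported event list before anyone opens a ticket. The following is an added example, not code from the thread, from Sophos or from strongSwan; it assumes events as `(timestamp, tunnel_name, state)` tuples, and the sample events are constructed to show one rekey-period flapper next to one real outage.

```python
"""Debounce IPsec tunnel down/up events and spot rekey-period flaps.

Added example (not Sophos or strongSwan code). Input is assumed to be a
list of (timestamp, tunnel_name, "down"|"up") tuples, e.g. pulled from
syslog or a Sophos Central alert export.
"""
from datetime import datetime, timedelta

# Constructed sample events: "HQ-to-Branch" drops for a few seconds every
# 8 hours (rekey-like), "HQ-to-Partner" is down for 15 minutes (real outage).
SAMPLE_EVENTS = [
    ("2021-03-22 00:00:05", "HQ-to-Branch", "down"),
    ("2021-03-22 00:00:12", "HQ-to-Branch", "up"),
    ("2021-03-22 08:00:03", "HQ-to-Branch", "down"),
    ("2021-03-22 08:00:15", "HQ-to-Branch", "up"),
    ("2021-03-22 16:00:07", "HQ-to-Branch", "down"),
    ("2021-03-22 16:00:11", "HQ-to-Branch", "up"),
    ("2021-03-22 10:30:00", "HQ-to-Partner", "down"),
    ("2021-03-22 10:45:00", "HQ-to-Partner", "up"),
]


def parse_events(events):
    """Parse timestamps and sort chronologically (input order is not trusted)."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, state)
              for ts, name, state in events]
    return sorted(parsed)


def debounce(events, hold=timedelta(minutes=1), now=None):
    """Report only outages that lasted at least `hold`.

    Returns a list of (tunnel, down_at, up_at_or_None). A down/up pair that
    closes within `hold` is treated as a rekey flap and dropped. Tunnels still
    down at `now` (if given) are reported with up_at=None.
    """
    down_since = {}
    outages = []
    for ts, name, state in parse_events(events):
        if state == "down":
            down_since.setdefault(name, ts)  # keep the first "down" of a run
        elif state == "up" and name in down_since:
            start = down_since.pop(name)
            if ts - start >= hold:
                outages.append((name, start, ts))
    if now is not None:
        for name, start in down_since.items():
            if now - start >= hold:
                outages.append((name, start, None))
    return outages


def flap_intervals(events, tunnel, hold=timedelta(minutes=1)):
    """Seconds between successive short flaps (< hold) of one tunnel.

    A steady interval that equals the configured key lifetime is the
    signature of rekey false positives described in the thread.
    """
    flaps = []
    down_at = None
    for ts, name, state in parse_events(events):
        if name != tunnel:
            continue
        if state == "down":
            down_at = ts
        elif state == "up" and down_at is not None:
            if ts - down_at < hold:
                flaps.append(down_at)
            down_at = None
    return [int((b - a).total_seconds()) for a, b in zip(flaps, flaps[1:])]


def matches_key_lifetime(intervals, lifetime_seconds, tolerance=60):
    """True if every flap interval is within `tolerance` of the key lifetime."""
    return bool(intervals) and all(
        abs(i - lifetime_seconds) <= tolerance for i in intervals)


if __name__ == "__main__":
    for name, start, end in debounce(SAMPLE_EVENTS):
        print(f"real outage: {name} from {start} to {end}")
    gaps = flap_intervals(SAMPLE_EVENTS, "HQ-to-Branch")
    print("HQ-to-Branch flap intervals (s):", gaps)
    print("matches 8h key lifetime:", matches_key_lifetime(gaps, 8 * 3600))
```

With the constructed sample, only the 15-minute partner outage survives the one-minute hold, and the branch tunnel's flap intervals sit within a few seconds of 28800 s, which is what the thread suggests checking against the tunnel's configured key lifetime. The hold window hides the symptom rather than fixing the rekey handling, exactly the trade-off the last reply describes, so it belongs in the alerting layer, not in the VPN configuration.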