
Sophos XG - Connection being dropped in IPSec tunnel

Hey there,

we're currently facing a serious issue with a brand new XGS116 (SFOS 18.5.3 MR-3-Build408) and already contacted Sophos support about this, but unfortunately they don't seem to be able to help us.

We replaced one of our customer's UTMs with an XGS116 a few weeks ago. Anyway, we set up an IPSec tunnel to another hosting company, who is hosting their SAP database. Same setup as before. The tunnel is stable and it basically never disconnects.

But here's the issue. At some point, and this happens multiple times every day, the SAP program freezes and packages are being dropped by the firewall. Application filter, web filter etc. are not even licensed, and we already turned off IPS and everything else that might cause this (plus, the Sophos support double-checked this too).

What we're seeing in the logs of the firewall the moment it happens is this:


messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="N/A" nat_rule_id="0" policy_type="0" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="xfrm2" in_display_interface="xfrm2" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="10.213.42.11" src_country="R1" dst_ip="192.168.105.161" dst_country="R1" protocol="TCP" src_port="3200" dst_port="57133" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid packet." appresolvedby="Signature" app_is_cloud="0"


messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" con_duration="0" fw_rule_id="1" nat_rule_id="0" policy_type="1" user="" user_group="" web_policy_id="0" ips_policy_id="0" appfilter_policy_id="0" app_name="" app_risk="0" app_technology="" app_category="" vlan_id="" ether_type="IPv4 (0x0800)" bridge_name="" bridge_display_name="" in_interface="" in_display_interface="" out_interface="" out_display_interface="" src_mac="" dst_mac="" src_ip="10.213.42.11" src_country="R1" dst_ip="192.168.105.161" dst_country="R1" protocol="TCP" src_port="3200" dst_port="57133" packets_sent="0" packets_received="0" bytes_sent="0" bytes_received="0" src_trans_ip="" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="" src_zone="" dst_zone_type="" dst_zone="" con_direction="" con_id="" virt_con_id="" hb_status="No Heartbeat" message="Invalid TCP state." appresolvedby="Signature" app_is_cloud="0"

We also checked the log on the other side of the tunnel and it says the client closed the connection.

What we tried so far:

  • Re-created the tunnel on both sides
  • Switched from a site-to-site tunnel to a route-based tunnel
  • Re-created the rules
  • Deleted/Added new rules (LAN-VPN, also WITH the Sophos support)
  • Set up a bypass rule, which caused the tunnel to not work anymore.

The local subnet is 192.168.105.0/24 and the subnet on the other side of the tunnel is 10.213.42.0/24. Remote access works fine too.

Here's a screenshot of the firewall rule:


We really do not wanna do a factory reset cause we already set up 2FA with every employee, but we're completely lost here. It doesn't make any sense and we haven't heard back from Sophos support in over a week.

Could this be a firmware or even hardware issue? Any help is much appreciated! Thank you!
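The two denied events quoted in the post are key="value" records, and both describe the same server-to-client packet (same 5-tuple, one copy on xfrm2 with fw_rule_id "N/A", one at rule level with a blank interface). The script below is an added example, not code from the post or from Sophos: it parses lines in that format, keeps only the "Invalid Traffic" denies, and groups them per conversation so the flows worth pulling a PCAP for stand out. The sample lines are constructed from the fields the post shows (trimmed to the ones used), and treating port 3200 as the SAP server side is an assumption of mine.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the key="value" format of the two
# denied-traffic events quoted in the post (trimmed to the fields used here).
# The third line is an ordinary allowed flow so the filter has something to skip.
SAMPLE_LOG = """\
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="N/A" in_interface="xfrm2" src_ip="10.213.42.11" dst_ip="192.168.105.161" protocol="TCP" src_port="3200" dst_port="57133" message="Invalid packet."
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="1" in_interface="" src_ip="10.213.42.11" dst_ip="192.168.105.161" protocol="TCP" src_port="3200" dst_port="57133" message="Invalid TCP state."
messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" fw_rule_id="1" in_interface="Port1" src_ip="192.168.105.20" dst_ip="8.8.8.8" protocol="UDP" src_port="51000" dst_port="53" message=""
messageid="01001" log_type="Firewall" log_component="Invalid Traffic" log_subtype="Denied" status="Deny" fw_rule_id="N/A" in_interface="xfrm2" src_ip="10.213.42.11" dst_ip="192.168.105.161" protocol="TCP" src_port="3200" dst_port="57134" message="Invalid TCP state."
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one key="value" log line into a dict.
    Values may contain spaces (e.g. ether_type="IPv4 (0x0800)"), so the
    regex keys on the quotes rather than on whitespace."""
    return dict(KV_RE.findall(line))


def invalid_traffic_events(text):
    """Keep only the 'Invalid Traffic' denies, which is what the post shows."""
    events = (parse_line(l) for l in text.splitlines() if l.strip())
    return [e for e in events
            if e.get("log_component") == "Invalid Traffic" and e.get("status") == "Deny"]


def conversation_key(ev):
    """Direction-independent key so a server->client drop and a matching
    client->server drop land in the same bucket. The two (ip, port) endpoints
    are sorted, so whichever side appears as src, the key is identical."""
    a = (ev["src_ip"], int(ev["src_port"]))
    b = (ev["dst_ip"], int(ev["dst_port"]))
    lo, hi = sorted((a, b))
    return (ev["protocol"], *lo, *hi)


def summarize_drops(text, server_ports=frozenset({3200})):
    """Group invalid-traffic drops per conversation and describe them.
    server_ports is an assumption: 3200 is the SAP dispatcher port that the
    quoted events show as src_port, i.e. the dropped packets were replies
    coming back from the server through the tunnel."""
    buckets = defaultdict(lambda: {"count": 0, "messages": Counter(),
                                   "in_interfaces": set(), "server_replies": 0})
    for ev in invalid_traffic_events(text):
        b = buckets[conversation_key(ev)]
        b["count"] += 1
        b["messages"][ev["message"]] += 1
        b["in_interfaces"].add(ev["in_interface"])
        if int(ev["src_port"]) in server_ports:
            b["server_replies"] += 1
    # Most-dropped conversations first: those are the ones to capture on both ends.
    return sorted(buckets.items(), key=lambda kv: -kv[1]["count"])


def format_report(summary):
    """One human-readable line per conversation."""
    lines = []
    for (proto, ip1, p1, ip2, p2), info in summary:
        ifaces = ", ".join(sorted(i or "<blank>" for i in info["in_interfaces"]))
        msgs = "; ".join(f"{m} x{n}" for m, n in info["messages"].most_common())
        lines.append(f"{proto} {ip1}:{p1} <-> {ip2}:{p2}: {info['count']} drop(s) "
                     f"[{msgs}] on {ifaces}; {info['server_replies']} were server->client")
    return lines


if __name__ == "__main__":
    for line in format_report(summarize_drops(SAMPLE_LOG)):
        print(line)
```

Run against a real export, the per-conversation counts tell you which client port to filter on when taking the packet captures on the firewall, the client and the SAP server; a conversation where every drop is a server-to-client packet is one where the firewall no longer had matching connection state for the replies.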



  • Hi, thank you for the detailed information. There is very little chance of a hardware issue. To confirm whether it is something on the firmware side, or another issue due to packet loss or delayed communication, you may check the PCAP on 3400 on the XG, drop, Conntrack, and TCPDUMP on the same port number. Also, a PCAP (by installing Wireshark) on the end machine and on the SAP server will be more helpful to conclude things in a better way. By comparing all these details you may confirm on which side the packets are having trouble, which is creating the frozen state on the end application.

    Regarding Invalid TCP state or Invalid packet: these may have multiple reasons, and a few of them are a delayed reply or a re-transmitted packet.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hello,


    thanks for your answer.

    At this point it seems to work after we did the following (and it makes absolutely no damn sense!):

    We switched the site-to-site tunnel from IKEv2 to IKEv1, cause that's how it worked with the UTM before.
    This resulted in having no connection via remote access through the tunnel anymore.
    So we switched back to IKEv2, remote access worked again, but we were back to where we started - the packages were being dropped again and SAP kept crashing.

    At that point we still hadn't received any support from Sophos btw. Even the SAP support tried to help, but it didn't make any sense to them either.

    Then we upgraded to v19 last weekend. The packages weren't being dropped anymore and the tunnel was stable. SAP hasn't crashed anymore since then.

    BUT the users were not able to access SAP via remote access anymore. So we switched their connection from IPSec back to SSL-VPN and voila - it worked.

    There must be something clearly wrong with having an IPSec site-to-site tunnel and IPSec remote access.
    I've been a huge XG fan, but this is just an absolute failure. Especially since not even Sophos knew how to fix this and obviously couldn't care less.

    Thanks a lot.

