Hi everyone,
I've got an IPsec tunnel between two Sophos XG VM firewalls (both updated to firmware v.19). The tunnel is between the head office and a small branch office, created using the VPN wizard. At the end of the wizard everything is OK, the new settings have been saved and the tunnel comes up as expected, but after a certain period (about a couple of weeks) the tunnel goes down and there is no way to bring it up again!...
I've checked the strongSwan log, and there it seems that the IKE_SA was established, but after that there are lots of retransmits of the request with ID 0, ending with the sending of DPD requests.
Part of the log:
2022-06-17 09:34:26Z 24[NET] <235> received packet: from 95.254.*.*[500] to 93.49.*.*[500] (548 bytes)
2022-06-17 09:34:26Z 24[ENC] <235> parsed ID_PROT request 0 [ SA V V V V V V ]
2022-06-17 09:34:26Z 24[IKE] <235> received XAuth vendor ID
2022-06-17 09:34:26Z 24[IKE] <235> received DPD vendor ID
2022-06-17 09:34:26Z 24[IKE] <235> received Cisco Unity vendor ID
2022-06-17 09:34:26Z 24[IKE] <235> received FRAGMENTATION vendor ID
2022-06-17 09:34:26Z 24[IKE] <235> received NAT-T (RFC 3947) vendor ID
2022-06-17 09:34:26Z 24[IKE] <235> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2022-06-17 09:34:26Z 24[IKE] <235> 95.254.*.* is initiating a Main Mode IKE_SA
2022-06-17 09:34:26Z 24[ENC] <235> generating ID_PROT response 0 [ SA V V V V V ]
2022-06-17 09:34:26Z 24[NET] <235> sending packet: from 93.49.*.*[500] to 95.254.*.*[500] (180 bytes)
2022-06-17 09:34:26Z 12[NET] <235> received packet: from 95.254.*.*[500] to 93.49.*.*[500] (652 bytes)
2022-06-17 09:34:26Z 12[ENC] <235> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
2022-06-17 09:34:26Z 12[IKE] <235> remote host is behind NAT
2022-06-17 09:34:26Z 12[ENC] <235> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
2022-06-17 09:34:26Z 12[NET] <235> sending packet: from 93.49.*.*[500] to 95.254.*.*[500] (652 bytes)
2022-06-17 09:34:26Z 07[NET] <235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:34:26Z 07[ENC] <235> parsed ID_PROT request 0 [ ID HASH ]
2022-06-17 09:34:26Z 07[CFG] <235> looking for pre-shared key peer configs matching 93.49.*.*...95.254.*.*[*]
2022-06-17 09:34:26Z 07[CFG] <235> selected peer config "TN_BZ-1"
2022-06-17 09:34:26Z 07[IKE] <TN_BZ-1|235> IKE_SA TN_BZ-1[235] established between 93.49.*.*[*]...95.254.*.*[*]
2022-06-17 09:34:26Z 07[IKE] <TN_BZ-1|235> scheduling rekeying in 11841s
2022-06-17 09:34:26Z 07[IKE] <TN_BZ-1|235> maximum IKE_SA lifetime 12381s
2022-06-17 09:34:26Z 07[ENC] <TN_BZ-1|235> generating ID_PROT response 0 [ ID HASH ]
2022-06-17 09:34:26Z 07[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:34:30Z 06[NET] <TN_BZ-1|235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:34:30Z 06[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:34:30Z 06[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:34:37Z 27[NET] <TN_BZ-1|235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:34:37Z 27[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:34:37Z 27[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:34:50Z 28[NET] <TN_BZ-1|235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:34:50Z 28[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:34:50Z 28[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:34:56Z 29[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:34:56Z 29[ENC] <TN_BZ-1|235> generating INFORMATIONAL_V1 request 2524585234 [ HASH N(DPD) ]
2022-06-17 09:34:56Z 29[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (108 bytes)
2022-06-17 09:35:14Z 15[NET] <TN_BZ-1|235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:35:14Z 15[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:35:14Z 15[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:35:26Z 18[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:35:26Z 18[ENC] <TN_BZ-1|235> generating INFORMATIONAL_V1 request 1819235277 [ HASH N(DPD) ]
2022-06-17 09:35:26Z 18[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (108 bytes)
2022-06-17 09:35:56Z 18[NET] <TN_BZ-1|235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:35:56Z 18[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:35:56Z 18[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:35:56Z 29[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:35:56Z 29[ENC] <TN_BZ-1|235> generating INFORMATIONAL_V1 request 1644324080 [ HASH N(DPD) ]
2022-06-17 09:35:56Z 29[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (108 bytes)
2022-06-17 09:36:26Z 18[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:36:26Z 18[ENC] <TN_BZ-1|235> generating INFORMATIONAL_V1 request 3964829410 [ HASH N(DPD) ]
2022-06-17 09:36:26Z 18[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (108 bytes)
2022-06-17 09:36:56Z 12[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:36:56Z 12[ENC] <TN_BZ-1|235> generating INFORMATIONAL_V1 request 1366719710 [ HASH N(DPD) ]
2022-06-17 09:36:56Z 12[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (108 bytes)
2022-06-17 09:37:06Z 10[JOB] <TN_BZ-1|235> DPD check timed out, enforcing DPD action
2022-06-17 09:37:06Z 10[DMN] <TN_BZ-1|235> [GARNER-LOGGING] (child_alert) ALERT: IKE message retransmission timed out.
Any idea how to solve it?
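Added triage example (this is not the poster's code, nor Sophos' or strongSwan's): a small Python script that parses strongSwan log lines like the ones above, tracks the state of each IKE_SA, and flags the sequence visible in this post (IKE_SA established, the peer keeps retransmitting request ID 0, our DPD requests go unanswered, DPD times out). The embedded log is a constructed, trimmed excerpt modelled on the post's log, with the same masked addresses. The notify name `DPD_ACK` used to count DPD replies, and the one-way UDP/4500 interpretation in the last finding, are assumptions, not something the log states outright.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a trimmed excerpt modelled on the strongSwan log in the post.
SAMPLE_LOG = """\
2022-06-17 09:34:26Z 24[NET] <235> received packet: from 95.254.*.*[500] to 93.49.*.*[500] (548 bytes)
2022-06-17 09:34:26Z 24[IKE] <235> 95.254.*.* is initiating a Main Mode IKE_SA
2022-06-17 09:34:26Z 12[IKE] <235> remote host is behind NAT
2022-06-17 09:34:26Z 07[NET] <235> received packet: from 95.254.*.*[4500] to 93.49.*.*[4500] (92 bytes)
2022-06-17 09:34:26Z 07[IKE] <TN_BZ-1|235> IKE_SA TN_BZ-1[235] established between 93.49.*.*[*]...95.254.*.*[*]
2022-06-17 09:34:26Z 07[NET] <TN_BZ-1|235> sending packet: from 93.49.*.*[4500] to 95.254.*.*[4500] (92 bytes)
2022-06-17 09:34:30Z 06[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:34:37Z 27[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:34:50Z 28[IKE] <TN_BZ-1|235> received retransmit of request with ID 0, retransmitting response
2022-06-17 09:34:56Z 29[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:35:26Z 18[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:35:56Z 29[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:36:26Z 18[IKE] <TN_BZ-1|235> sending DPD request
2022-06-17 09:37:06Z 10[JOB] <TN_BZ-1|235> DPD check timed out, enforcing DPD action
"""

# strongSwan line layout: "<date> <time>Z <thread>[GROUP] <conn|sa-id> message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)


@dataclass
class SaState:
    conn: str | None = None
    established: bool = False
    behind_nat: bool = False
    retransmits_of_id0: int = 0   # peer re-sending its last Main Mode message
    dpd_sent: int = 0
    dpd_replies: int = 0
    dpd_timed_out: bool = False
    sent_on_4500: int = 0         # our packets on the NAT-T port
    recv_on_4500: int = 0         # peer packets that reached us on the NAT-T port


def parse(log: str) -> dict[str, SaState]:
    """Fold log lines into one SaState per IKE_SA id."""
    sas: dict[str, SaState] = defaultdict(SaState)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st = sas[m["sa"]]
        if m["conn"]:
            st.conn = m["conn"]
        msg = m["msg"]
        if " established between " in msg:
            st.established = True
        elif msg == "remote host is behind NAT":
            st.behind_nat = True
        elif msg.startswith("received retransmit of request with ID 0"):
            st.retransmits_of_id0 += 1
        elif msg == "sending DPD request":
            st.dpd_sent += 1
        elif "N(DPD_ACK)" in msg:          # assumed strongSwan notify name for a DPD reply
            st.dpd_replies += 1
        elif "DPD check timed out" in msg:
            st.dpd_timed_out = True
        elif msg.startswith("sending packet:") and "[4500] to" in msg:
            st.sent_on_4500 += 1
        elif msg.startswith("received packet:") and "[4500] to" in msg:
            st.recv_on_4500 += 1
    return dict(sas)


def diagnose(st: SaState) -> list[str]:
    """Return human-readable findings for one IKE_SA; empty list means nothing suspicious."""
    findings: list[str] = []
    if st.established and st.retransmits_of_id0 >= 2:
        findings.append("peer keeps retransmitting request ID 0: it never saw our final Main Mode response")
    if st.dpd_sent >= 2 and st.dpd_replies == 0:
        findings.append(f"{st.dpd_sent} DPD requests sent, no DPD reply seen")
    if st.dpd_timed_out:
        findings.append("DPD timed out, IKE_SA torn down")
    if findings and st.behind_nat and st.recv_on_4500 and st.sent_on_4500:
        # Assumption: inbound UDP/4500 works (we received), outbound replies on UDP/4500 are never acknowledged.
        findings.append("consistent with a one-way UDP/4500 (NAT-T) path: check NAT mapping / filtering for UDP 4500 at the branch")
    return findings


if __name__ == "__main__":
    for sa_id, st in parse(SAMPLE_LOG).items():
        print(f"IKE_SA {st.conn or '?'}[{sa_id}]:")
        for f in diagnose(st) or ["no findings"]:
            print("  -", f)
```

Run it against a full `strongswan.log` by replacing `SAMPLE_LOG` with the file contents. The point of the heuristic is the contrast the log itself shows: the UDP/500 exchanges completed and the peer's message on UDP/4500 reached the head office, yet the peer never accepts the head office's reply and the head office's DPDs on UDP/4500 get nothing back, which is why the script points at the UDP/4500 return path rather than at the IKE configuration.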