
IPsec VPN site to site cant reconnect automatically

I have one branch connected via site-to-site IPsec VPN and it works fine, but from time to time it disconnects and never connects back unless I deactivate the connection, wait for some time, then activate it, and then it connects. If I don't wait for some time and try to connect again, it doesn't connect.


The retry count is 0, which is unlimited. One of the sites is behind ADSL, so I am using aggressive mode.

Key life phase 1: 28800, wait for response 120 sec

Key life phase 2: 3600

There is nothing in the logs that shows what the issue is.



  • Hi,

    Verify that the "Action on VPN Restart" for the branch office is set to "Initiate" and for the Head office it is set to "Respond only".

    Thanks

  • Sure, I already chose that option from day 1, but without any help.

  • Under the IPsec policy you need to make sure that "Allow re-keying" is checked and the number of re-keying attempts is set to zero (unlimited). Also set DPD to reconnect.

  • Sure, all of these were chosen before and I am still facing the same issue.

    See attached file.

  • Can you give me the output of vi /log/ipsec.log from the advanced shell and copy-paste the logs from around the timestamp when the tunnel failed?

  • Here we go.

    I hid the public IP.

    Jul 11 21:45:55 "ho-1" #65: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xb072fa2f <0x2109fd03 xfrm=AES_256-HMAC_MD5 IPCOMP=>0x000086a0 <0x00001031 NATD=<Public-IP>:4500 DPD=enabled}
    Jul 11 21:55:50 "ho-1" #61: received Delete SA(0xc59db2af) payload: deleting IPSEC State #64
    Jul 11 21:55:50 "ho-1" #61: Received DeleteSA Payload from <Public-IP>
    Jul 11 21:55:50 "ho-1" #61: Received Delete SA for ip 192.168.100.0
    Jul 11 21:55:50 "ho-1" #61: received and ignored informational message
    Jul 11 22:37:46 "ho-1" #66: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+failureDROP to replace #65 {using isakmp#61}
    Jul 11 22:37:46 "ho-1" #66: Dead Peer Detection (RFC 3706): enabled
    Jul 11 22:37:46 "ho-1" #66: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Jul 11 22:37:46 "ho-1" #66: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3f2b199f <0xe6e55559 xfrm=AES_256-HMAC_MD5 IPCOMP=>0x00002c28 <0x00002479 NATD=<Public-IP>:4500 DPD=enabled}
    Jul 11 22:45:55 "ho-1" #61: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb072fa2f) not found (maybe expired)
    Jul 11 22:45:55 "ho-1" #61: received and ignored informational message
    Jul 11 23:31:11 "ho-1" #67: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+failureDROP to replace #66 {using isakmp#61}
    Jul 11 23:31:11 "ho-1" #67: Dead Peer Detection (RFC 3706): enabled
    Jul 11 23:31:11 "ho-1" #67: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Jul 11 23:31:11 "ho-1" #67: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x969aae9b <0x1a884126 xfrm=AES_256-HMAC_MD5 IPCOMP=>0x0000e734 <0x0000c119 NATD=<Public-IP>:4500 DPD=enabled}
    Jul 11 23:37:46 "ho-1" #61: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x3f2b199f) not found (maybe expired)
    Jul 11 23:37:46 "ho-1" #61: received and ignored informational message
    Jul 12 00:24:59 "ho-1" #68: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+failureDROP to replace #67 {using isakmp#61}
    Jul 12 00:24:59 "ho-1" #68: Dead Peer Detection (RFC 3706): enabled
    Jul 12 00:24:59 "ho-1" #68: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Jul 12 00:24:59 "ho-1" #68: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xb162d8e7 <0x5a0318f9 xfrm=AES_256-HMAC_MD5 IPCOMP=>0x000057cf <0x00004d96 NATD=<Public-IP>:4500 DPD=enabled}
    Jul 12 00:31:11 "ho-1" #61: received Delete SA(0x969aae9b) payload: deleting IPSEC State #67
    Jul 12 00:31:11 "ho-1" #61: Received DeleteSA Payload from <Public-IP>
    Jul 12 00:31:11 "ho-1" #61: Received Delete SA for ip 192.168.100.0
    Jul 12 00:31:11 "ho-1" #61: received and ignored informational message
    Jul 12 01:16:21 "ho-1" #69: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+failureDROP to replace #68 {using isakmp#61}
    Jul 12 01:16:21 "ho-1" #69: Dead Peer Detection (RFC 3706): enabled
    Jul 12 01:16:21 "ho-1" #69: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Jul 12 01:16:21 "ho-1" #69: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x46e91c64 <0x303c898b xfrm=AES_256-HMAC_MD5 IPCOMP=>0x000091c7 <0x0000b7bb NATD=<Public-IP>:4500 DPD=enabled}
    Jul 12 01:24:59 "ho-1" #61: received Delete SA(0xb162d8e7) payload: deleting IPSEC State #68
    Jul 12 01:24:59 "ho-1" #61: Received DeleteSA Payload from <Public-IP>
    Jul 12 01:24:59 "ho-1" #61: Received Delete SA for ip 192.168.100.0
    Jul 12 01:24:59 "ho-1" #61: received and ignored informational message
    Jul 12 02:09:43 "ho-1" #70: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+failureDROP to replace #69 {using isakmp#61}
    Jul 12 02:09:43 "ho-1" #70: Dead Peer Detection (RFC 3706): enabled
    Jul 12 02:09:43 "ho-1" #70: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
    Jul 12 02:09:43 "ho-1" #70: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9b47dec6 <0x9881e582 xfrm=AES_256-HMAC_MD5 IPCOMP=>0x0000c7f2 <0x000003e7 NATD=<Public-IP>:4500 DPD=enabled}
    Jul 12 02:16:21 "ho-1" #61: received Delete SA(0x46e91c64) payload: deleting IPSEC State #69
    Jul 12 02:16:21 "ho-1" #61: Received DeleteSA Payload from <Public-IP>
    Jul 12 02:16:21 "ho-1" #61: Received Delete SA for ip 192.168.100.0
    Jul 12 02:16:21 "ho-1" #61: received and ignored informational message


  • Hi,

    With which appliance does XG establish IPSec tunnel? What happens when you change the mode from Aggressive to Main?

    Awaiting response from  on the logs. 

    Thanks

  • The main office is also a Sophos XG.

    I tried Main mode and still have the same issue. Actually, as you know, aggressive mode is recommended when one of the sites doesn't have a public static IP.

    I just don't know why I have to disable the whole connection (not just disconnect it) on the branch site and wait some time before I reactivate it, and then it reconnects.

  • Did you eventually find a solution?

    We have the same issue in two of our remote branches (out of 12, all using XG105).
    The difference between these two branches and the other ones is that the two faulty ones are using 4G connections (versus SDSL connections for the working ones).

    Main office uses the "DefaultHeadOffice" policy and "Respond only".
    Branch offices use the "DefaultBranchOffice" policy and "Initiate".

    Main office sees the connection going down and waits for branch office to reconnect.

    Branch offices don't see the connection going down, so they don't re-initiate the connection. However, no packet goes through the tunnel (as it's down on the other side).
    They eventually (20 minutes to more than one hour) see the connection down and re-initiate.
    The branch office workers end up restarting the connection manually (10% of the time by going into the XG admin, 90% of the time by rebooting the XG105).
    This happens at least once a day, totally unacceptable.
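A way to read the ipsec.log excerpt posted earlier in the thread against the behaviour described in this post. The script below is an added example, not code from the thread or from Sophos; it embeds the posted log lines (trimmed to the events it parses) and assumes the pluto-style line layout visible in them. It correlates every "Delete SA" the head office sent with the child SA that SPI belonged to. In the posted window each delete arrives exactly 3600 s after that SA came up, matching the phase 2 key life of 3600, and a successor SA was already established a few hundred seconds earlier, so the excerpt shows routine phase 2 expiry rather than the outage itself. The useful check is teardowns_of_current_sa: a delete hitting the SA still in use, with no successor, is the event to look for in a window that covers the actual drop; its absence on the branch side would be consistent with the branch not noticing the tunnel going down.

```python
"""Correlate peer Delete SA notifications with child SA lifetimes in a Sophos XG
/log/ipsec.log excerpt. Added example, not code from the thread or from Sophos.
Sample lines are the ones posted in the thread, trimmed to what the parser reads;
the 'Mon DD HH:MM:SS "conn" #state: text' layout is assumed from those lines.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG = """\
Jul 11 21:45:55 "ho-1" #65: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xb072fa2f <0x2109fd03 ...}
Jul 11 21:55:50 "ho-1" #61: received Delete SA(0xc59db2af) payload: deleting IPSEC State #64
Jul 11 22:37:46 "ho-1" #66: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3f2b199f <0xe6e55559 ...}
Jul 11 22:45:55 "ho-1" #61: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xb072fa2f) not found (maybe expired)
Jul 11 23:31:11 "ho-1" #67: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x969aae9b <0x1a884126 ...}
Jul 11 23:37:46 "ho-1" #61: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x3f2b199f) not found (maybe expired)
Jul 12 00:24:59 "ho-1" #68: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xb162d8e7 <0x5a0318f9 ...}
Jul 12 00:31:11 "ho-1" #61: received Delete SA(0x969aae9b) payload: deleting IPSEC State #67
Jul 12 01:16:21 "ho-1" #69: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x46e91c64 <0x303c898b ...}
Jul 12 01:24:59 "ho-1" #61: received Delete SA(0xb162d8e7) payload: deleting IPSEC State #68
Jul 12 02:09:43 "ho-1" #70: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x9b47dec6 <0x9881e582 ...}
Jul 12 02:16:21 "ho-1" #61: received Delete SA(0x46e91c64) payload: deleting IPSEC State #69
"""

TS_RE = re.compile(r'^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) "([^"]+)" #(\d+): (.*)$')
EST_RE = re.compile(r'IPsec SA established \{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)')
DEL_RE = re.compile(r'received Delete SA\(0x([0-9a-f]+)\) payload: deleting IPSEC State #(\d+)')
IGN_RE = re.compile(r'ignoring Delete SA payload: PROTO_IPSEC_ESP SA\(0x([0-9a-f]+)\) not found')


@dataclass
class ChildSA:
    state: int             # pluto state number (#65, #66, ...)
    out_spi: str           # outbound ESP SPI; this is the SPI the peer names in Delete SA
    in_spi: str
    established: datetime


@dataclass
class PeerDelete:
    when: datetime
    spi: str
    state: Optional[int]     # state the delete hit, if the log or the excerpt tells us
    age_s: Optional[float]   # seconds since that SA came up; None if it predates the excerpt
    superseded: bool         # a newer child SA was already up when the delete arrived


def parse_ts(s: str) -> datetime:
    # The log carries no year; any year works for deltas (assumes no year boundary in the window).
    return datetime.strptime(f"{s} 2000", "%b %d %H:%M:%S %Y")


def parse(log: str) -> Tuple[Dict[str, ChildSA], List[PeerDelete]]:
    sas: Dict[str, ChildSA] = {}          # keyed by outbound SPI
    deletes: List[PeerDelete] = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        when, state, msg = parse_ts(m.group(1)), int(m.group(3)), m.group(4)
        est = EST_RE.search(msg)
        if est:
            sas[est.group(1)] = ChildSA(state, est.group(1), est.group(2), when)
            continue
        hit = DEL_RE.search(msg) or IGN_RE.search(msg)
        if not hit:
            continue
        spi = hit.group(1)
        sa = sas.get(spi)
        # "received Delete SA" names the victim state; the "ignoring" form does not,
        # so fall back to the SA we recorded for that SPI, if any.
        victim = int(hit.group(2)) if hit.re is DEL_RE else (sa.state if sa else None)
        age = (when - sa.established).total_seconds() if sa else None
        superseded = victim is not None and any(
            o.state > victim and o.established < when for o in sas.values())
        deletes.append(PeerDelete(when, spi, victim, age, superseded))
    return sas, deletes


def teardowns_of_current_sa(deletes: List[PeerDelete]) -> List[PeerDelete]:
    """Deletes that hit the SA still carrying traffic: the peer dropped the tunnel
    rather than expiring an already-rekeyed SA. Empty for the posted excerpt."""
    return [d for d in deletes if not d.superseded]


def rekey_margins(sas: Dict[str, ChildSA], keylife_s: int = 3600) -> Dict[int, float]:
    """Seconds of key life left on the old SA when its successor came up (keylife_s is
    the poster's phase 2 setting). A negative value would mean a gap with no SA."""
    ordered = sorted(sas.values(), key=lambda s: s.state)
    return {new.state: keylife_s - (new.established - old.established).total_seconds()
            for old, new in zip(ordered, ordered[1:])}


if __name__ == "__main__":
    sas, deletes = parse(LOG)
    for d in deletes:
        print(f"{d.when:%b %d %H:%M:%S} peer deleted SPI 0x{d.spi} (state #{d.state}) "
              f"age={d.age_s} superseded={d.superseded}")
    print("rekey margins (s):", rekey_margins(sas))
    print("teardowns of the live SA:", teardowns_of_current_sa(deletes))
```

Run it against a full day's /log/ipsec.log rather than the trimmed sample to find the delete, if any, that hit the live SA; lines the parser does not recognise are skipped, so the whole file can be passed in as-is.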

  • Still facing this issue with SFOS 17.1.1.

    Just hopeless.