Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 34 subscribers
  • Views 39376 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Re-initiate Reliability | What is wrong with Site-to-Site IPsec VPN's and When will it be fixed??

Dru DuBay

I'm posting here to see if I can find other with the same issue. We've used Cyberoam's for 5+ years and now have some XG's at clients. The site to site VPN is broken, we worked over and over again with Cyberoam, and now with Sophos, nothing changes. The VPN's do not re-initiate reliably. If I have a Cyberoam/XG at my main office and one at the remote office, if the power or Internet goes down at the branch or main the VPN does not re-establish until I manually click the connect button on the firewall. If there's a SonicWall at the branch it's solid becuase the SonicWall is always trying to connect if it isn't, there is no button to connect or disconnect, just to enable or disable. We see the same thing with Fortinet to XG. 

 

It's crazy that the VPN doesn't work going from XG to XG. It's to the point now where my office has lost confidence in the device and is moving over to Fortinet, or anything else really. I also have IPsec tunnels to Cisco firewalls that don't work. Below is from a post I made on Reddit in the MSP community, I removed usernames. 

 

  • What is the issue/specifics on the VPNs? we're looking at rolling 3 XGs out to a customer with 3 locations in one city shortly and would like to avoid/watch for/work around this.
    permalinkembedsavereportgive goldreply
    • Well with the XG/Cyberoam, the IPsec tunnels have a button for "Active" and "Connection", the "Active" essentially means enable, the connection button connects the tunnel, which is the part that seems uncommon. The issues we have are that when a remote site looses Internet or power we have to log onto the firewall and click that connection button to bring the tunnel back up, we've beaten the issue to death with Cyberoam support over the last few years to no avail. It's funny to that it really only happens with XG to XG, a SonicWall at the remote office is fine since a SonicWall already tries to connect, it doesn't need manual intervention.
      Just today for instance, I have a tunnel to a hospital here, they use Cisco. The tunnel was down and to bring it back up I had to login to the firewall and click the connect button. There is a setting called "Action When Peer Unreachable" which is set to "Re-initiate" which doesn't work.
      It's strange because I don't see allot of people posting about it but we can't be the only ones. Again, I think the issue is how there tunnels work and the fact that they have a button to connect them (not enable, but connect). All the other devices I've seen don't have this.
      permalinkembedsaveparenteditdisable inbox repliesdeletereply
      • We have 20+ cyberoams installed and have always had that issue with the VPNs no matter what policy options we've tried. They flat out do not re-initiate reliably. I've just signed up as a fortinet partner (Australia) so I could evaluate (luckily did not have any problems with this as I went through the Ingram micro fortinet bdm). The next firewall I put in will be a fortinet, so hoping for a much better vpn implementation.
        permalinkembedsaveparentreportgive goldreply
        • Thank you for that, i'll be kicking it to our rep in terms like "if we see this issue, we're returning them and done with sophos".
          We had similar issues in a cisco RV120 ->fortigate (iirc) and there was basically a setting you had to use to tell it to keep the tunnel up even when idle


This thread was automatically locked due to age.
  • 0

    Hi,

    Before I test it, as per my experience in the past the Key Negotiation tries in the IPSec policy should be set to 0(unlimited). Can you please verify if the configuration and the value for renegotiation is set to 0.

  • 0 in reply to sachingurung

    sachingurung-

     

    I was optimistic with your comment as this setting has been left default on our devices and made perfect sense. Still an issue though, I have the setting set to 0 now and didn't help. Had a client let me know today their VPN was down all weekend, checked and confirmed it was disconnected, clicked the icon in the firewall to reconnect the VPN and it connected in seconds. 

  • 0 in reply to Dru DuBay

    I'm using IPSEC VPN site to site between XG 550 v16 and Watchguard. I can confirm that after rebooting Sophos XG the VPN is re-connected automatically. We had problems before but it was down to mismatch of IPSEC settings causing our VPN not to re-establish itself.

  • 0 in reply to Dru DuBay

    I forgot to mention it in my last suggestion, can you verify in the IPSec policy defined on both ends, if DPD is enabled.

    Next, delete the existing IPSec configuration and take SSH access to the XG and go to option 5. Device Console > 3. Advance Console and execute,

    service strongswan:restart -ds nosync.

    Finally, create a new IPSec policy between both the end and monitor the tunnels. If the tunnels still do not re-establish after a restart then DM me the charon.log. Refer to, Sophos Firewall: Where to find log files.

    Thanks

  • 0 in reply to sachingurung

    Hi ,

    we have the same problem with ipsec connections.

    Apparently the automatic rebuilding of tunnels does not work if it initiates only 1 side of the tunnel.

    Scenario:

    Location A - Initiator / Default Policy, Key Negotitation Tries = 0, DPD is activ
    Location B - Responder / Default Policy, Key Negotitation Tries = 0, DPD is actic

    Tunnel is being built -> Tunnel is up -> Location B is being restarted -> Tunnel goes down

    Location B restarts correctly and goes up, even the vpn tunnel button on the left t ist green but the tunnel does not come up. 

    From Location A the initiator does not start any connection attempts, we cant see anything in strongswan.log or via tcpdump


    Is this planned in terms of design or should it actually work?

     

    When we set the tunnel to initiate on both sides its working.

     

    Regards,

    Max

  • 0 in reply to mxull

    Hi Max,

    thank you for the clear description of the Scenario.

    Unknown said:

    Is this planned in terms of design or should it actually work?

    It should clearly work! But i know that it does not work -- as you described. We identified this as a bug and are tracking this in NC-25584

    Location A from your example should learn to try harder to reinitiate the tunnel, this will be addressed in MR3.

    The lack of motivation on Location A occurs if the tunnel is explicitly shut down from the responder side. This happens e.g. if the responder

    is restarted, as this involves a clean shutdown of IPSec.

    Best Regards,

  • 0 in reply to dna

    Is there a link to track NC-25584? This is still a huge issue for us to the point where our techs have stopped buying Cyberoam/Sophos XG firewalls. 

  • 0 in reply to Dru DuBay

    100% agree, this is BAD!

    I have new firewalls to deploy, all ready to go and v17 MR2 installed. One of them has 20 VPNs configured. What does Sophos want us to tell our clients? Sorry, we don't do VPNs right now?

     

    I'm hoping this is highest priority and will be fixed ASAP! These issues started with MR1 if not before. I can't believe that we're still talking about this.

  • 0 in reply to Bjoern Freiherr

    I recommend and use myself v16 MR-8 for productions IPSEC VPNs. 

  • 0 in reply to mxull

    FIXED IN 17.0.3 MR 3 !

     

    Regards,

    Max