Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 17 replies
  • Subscribers 34 subscribers
  • Views 39386 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Re-initiate Reliability | What is wrong with Site-to-Site IPsec VPN's and When will it be fixed??

Dru DuBay

I'm posting here to see if I can find other with the same issue. We've used Cyberoam's for 5+ years and now have some XG's at clients. The site to site VPN is broken, we worked over and over again with Cyberoam, and now with Sophos, nothing changes. The VPN's do not re-initiate reliably. If I have a Cyberoam/XG at my main office and one at the remote office, if the power or Internet goes down at the branch or main the VPN does not re-establish until I manually click the connect button on the firewall. If there's a SonicWall at the branch it's solid becuase the SonicWall is always trying to connect if it isn't, there is no button to connect or disconnect, just to enable or disable. We see the same thing with Fortinet to XG. 

 

It's crazy that the VPN doesn't work going from XG to XG. It's to the point now where my office has lost confidence in the device and is moving over to Fortinet, or anything else really. I also have IPsec tunnels to Cisco firewalls that don't work. Below is from a post I made on Reddit in the MSP community, I removed usernames. 

 

  • What is the issue/specifics on the VPNs? we're looking at rolling 3 XGs out to a customer with 3 locations in one city shortly and would like to avoid/watch for/work around this.
    permalinkembedsavereportgive goldreply
    • Well with the XG/Cyberoam, the IPsec tunnels have a button for "Active" and "Connection", the "Active" essentially means enable, the connection button connects the tunnel, which is the part that seems uncommon. The issues we have are that when a remote site looses Internet or power we have to log onto the firewall and click that connection button to bring the tunnel back up, we've beaten the issue to death with Cyberoam support over the last few years to no avail. It's funny to that it really only happens with XG to XG, a SonicWall at the remote office is fine since a SonicWall already tries to connect, it doesn't need manual intervention.
      Just today for instance, I have a tunnel to a hospital here, they use Cisco. The tunnel was down and to bring it back up I had to login to the firewall and click the connect button. There is a setting called "Action When Peer Unreachable" which is set to "Re-initiate" which doesn't work.
      It's strange because I don't see allot of people posting about it but we can't be the only ones. Again, I think the issue is how there tunnels work and the fact that they have a button to connect them (not enable, but connect). All the other devices I've seen don't have this.
      permalinkembedsaveparenteditdisable inbox repliesdeletereply
      • We have 20+ cyberoams installed and have always had that issue with the VPNs no matter what policy options we've tried. They flat out do not re-initiate reliably. I've just signed up as a fortinet partner (Australia) so I could evaluate (luckily did not have any problems with this as I went through the Ingram micro fortinet bdm). The next firewall I put in will be a fortinet, so hoping for a much better vpn implementation.
        permalinkembedsaveparentreportgive goldreply
        • Thank you for that, i'll be kicking it to our rep in terms like "if we see this issue, we're returning them and done with sophos".
          We had similar issues in a cisco RV120 ->fortigate (iirc) and there was basically a setting you had to use to tell it to keep the tunnel up even when idle


This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    Before I test it, as per my experience in the past the Key Negotiation tries in the IPSec policy should be set to 0(unlimited). Can you please verify if the configuration and the value for renegotiation is set to 0.

  • 0 in reply to sachingurung

    sachingurung-

     

    I was optimistic with your comment as this setting has been left default on our devices and made perfect sense. Still an issue though, I have the setting set to 0 now and didn't help. Had a client let me know today their VPN was down all weekend, checked and confirmed it was disconnected, clicked the icon in the firewall to reconnect the VPN and it connected in seconds. 

  • 0 in reply to sachingurung

    Hi ,

    we have the same problem with ipsec connections.

    Apparently the automatic rebuilding of tunnels does not work if it initiates only 1 side of the tunnel.

    Scenario:

    Location A - Initiator / Default Policy, Key Negotitation Tries = 0, DPD is activ
    Location B - Responder / Default Policy, Key Negotitation Tries = 0, DPD is actic

    Tunnel is being built -> Tunnel is up -> Location B is being restarted -> Tunnel goes down

    Location B restarts correctly and goes up, even the vpn tunnel button on the left t ist green but the tunnel does not come up. 

    From Location A the initiator does not start any connection attempts, we cant see anything in strongswan.log or via tcpdump


    Is this planned in terms of design or should it actually work?

     

    When we set the tunnel to initiate on both sides its working.

     

    Regards,

    Max

  • 0 in reply to mxull

    Hi Max,

    thank you for the clear description of the Scenario.

    Unknown said:

    Is this planned in terms of design or should it actually work?

    It should clearly work! But i know that it does not work -- as you described. We identified this as a bug and are tracking this in NC-25584

    Location A from your example should learn to try harder to reinitiate the tunnel, this will be addressed in MR3.

    The lack of motivation on Location A occurs if the tunnel is explicitly shut down from the responder side. This happens e.g. if the responder

    is restarted, as this involves a clean shutdown of IPSec.

    Best Regards,

  • 0 in reply to dna

    Is there a link to track NC-25584? This is still a huge issue for us to the point where our techs have stopped buying Cyberoam/Sophos XG firewalls. 

  • 0 in reply to Dru DuBay

    100% agree, this is BAD!

    I have new firewalls to deploy, all ready to go and v17 MR2 installed. One of them has 20 VPNs configured. What does Sophos want us to tell our clients? Sorry, we don't do VPNs right now?

     

    I'm hoping this is highest priority and will be fixed ASAP! These issues started with MR1 if not before. I can't believe that we're still talking about this.

  • 0 in reply to Bjoern Freiherr

    I recommend and use myself v16 MR-8 for productions IPSEC VPNs. 

  • 0 in reply to mxull

    FIXED IN 17.0.3 MR 3 !

     

    Regards,

    Max

  • 0 in reply to mxull

    Are there some patch notes about the fix? I'm reluctant to believe this issue is finally fixed after years. 

  • 0 in reply to Dru DuBay

    I've had no weird disconnects so far since MR3 install. Haven't seen any technical details about the issue or fix yet.

  • 0 in reply to Bjoern Freiherr

    I am on MR3 and still seeing this issue. I have really enjoyed Sophos for the most part, but I agree with others here. This is unacceptable. We are a partner but we are discussing moving to another firewall vendor, because without reliable tunnels the equipment is essentially useless. 

  • 0 in reply to Joe Plunkett

    Hi Joseph,

    Have you checked out the recommended settings for IPSec in v17 here? Alongside, please PM me details about the issues with your IPSec setup and I will try to help.

    Thanks

Reply Children
  • 0 in reply to sachingurung

    As you are connecting XG-XG is there any reason not to use RED?  We have XGs and UTMs and were using IPSEC but when the problems started we rebuilt them as RED and the reliability and performance of the tunnels is far better and no longer causes issues.  It is also much easier to manage as essentially 'it just works'

     

    Cheers,

     

    Charles

  • 0 in reply to sachingurung

    Sachingurung, 

     

    It has been a while since I posted this so I though I would update. After spending several days on the phone with support troubleshooting these issues we seemed to resolve the issues. 

    Basically all of the settings for the tunnels need to be just right for it to work. Most importantly, the DPD settings must be configured in a specific way. Once side of DPD must be set to "disconnect" while the other is set to connect. There is a bug where DPD will attempt to constantly reconnect and get stuck in a loop without ever really tearing down the initial tunnel. With the new settings I have had stable tunnels for about a month now.