
VPN on firmware 17.01: error parsing IKE message?

Hi, experts!!

After upgrading the firmware to 17.00 and MR 17.01, I get this error on a site-to-site VPN:

messageid="18052" log_type="Event" log_component="IPSec" log_subtype="System" status="Failed" user="" con_name="" con_type="0" src_ip="" gw_ip="" local_network="" dst_ip="" remote_network="" additional_information="" message="parsing IKE message from REMOTE_HOST[500] failed"

Packet capture:

Ethernet header
Source MAC address: 04:b0
Destination MAC address: 08:35:
Ethernet type: IPv4 (0x800)

IPv4 header
Source IP address: REMOTE_HOST
Destination IP address: WAN_IP_UTM
Protocol: UDP
Header: 20 bytes
Type of service: 0
Total length: 120 bytes
Identification: 0
Fragment offset: 16384
Time to live: 58
Checksum: 41198

UDP header:
Source port: 500
Destination port: 500
Length: 100
Checksum: 43859

Help me!!

Thanks


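The log line above is the daemon giving up on the datagram before any crypto happens: the 28-byte IKE header or the payload chain behind it did not check out. The UDP length of 100 in the capture means 92 bytes of IKE data. As an added illustration (not Sophos code and not taken from the thread), here is a minimal parser that applies the structural checks from RFC 2408 / RFC 7296 to such a datagram and reports the kind of failure an IKE daemon would log. The sample packet is constructed: the initiator cookie, the SA payload filler and the deliberately corrupted length are all made up for the example.

```python
import struct

# Fixed IKE header (RFC 2408 sec. 3.1 for IKEv1, RFC 7296 sec. 3.1 for IKEv2): 28 bytes.
IKE_HEADER_LEN = 28
# Generic payload header shared by both versions: next payload, critical/reserved, length.
GENERIC_PAYLOAD_HDR_LEN = 4
# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
HEADER_FMT = "!8s8sBBBBII"


class IkeParseError(ValueError):
    """Any structural inconsistency; the condition a daemon logs as
    'parsing IKE message ... failed' before it ever looks at proposals or keys."""


def parse_ike(data: bytes) -> dict:
    """Validate the IKE header and walk the payload chain of one UDP/500 datagram."""
    if len(data) < IKE_HEADER_LEN:
        raise IkeParseError(f"short header: {len(data)} bytes")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        HEADER_FMT, data[:IKE_HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major not in (1, 2):
        raise IkeParseError(f"unsupported IKE major version {major}")
    if length != len(data):
        raise IkeParseError(f"header length {length} != datagram payload {len(data)}")

    payloads = []
    offset = IKE_HEADER_LEN
    while next_payload != 0:  # next payload 0 = "none" terminates the chain
        if offset + GENERIC_PAYLOAD_HDR_LEN > len(data):
            raise IkeParseError(f"payload type {next_payload} header runs past end at {offset}")
        nxt, crit, plen = struct.unpack("!BBH", data[offset:offset + GENERIC_PAYLOAD_HDR_LEN])
        if plen < GENERIC_PAYLOAD_HDR_LEN or offset + plen > len(data):
            raise IkeParseError(f"payload type {next_payload} at {offset} has bad length {plen}")
        payloads.append({"type": next_payload, "offset": offset, "length": plen,
                         "critical": bool(crit & 0x80)})  # IKEv2 critical bit; reserved in IKEv1
        offset += plen
        next_payload = nxt
    if offset != len(data):
        raise IkeParseError(f"{len(data) - offset} trailing bytes after last payload")

    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "version": (major, minor),
            "exchange_type": exch, "flags": flags, "message_id": msg_id,
            "length": length, "payloads": payloads}


def classify(data: bytes) -> str:
    """'ok' or the parse error text, shaped like the daemon's log message."""
    try:
        parse_ike(data)
        return "ok"
    except IkeParseError as e:
        return f"parsing IKE message failed: {e}"


def build_sample(corrupt: bool = False) -> bytes:
    """Constructed IKEv1 Main Mode first message (not the packet from the capture),
    sized to the 100-byte UDP length in the post: 8-byte UDP header + 92 IKE bytes."""
    total_len = 92
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator cookie
    spi_r = bytes(8)                            # responder cookie is zero in message 1
    # next payload 1 = SA, version 0x10 = IKEv1, exchange type 2 = Identity Protection
    header = struct.pack(HEADER_FMT, spi_i, spi_r, 1, 0x10, 2, 0, 0, total_len)
    body_len = total_len - IKE_HEADER_LEN
    sa_len = body_len + 40 if corrupt else body_len   # corrupt: claim more bytes than exist
    sa_payload = struct.pack("!BBH", 0, 0, sa_len) + bytes(body_len - GENERIC_PAYLOAD_HDR_LEN)
    return header + sa_payload


if __name__ == "__main__":
    print(parse_ike(build_sample()))
    print(classify(build_sample(corrupt=True)))
```

Run against a real capture, the useful fields are the version nibble and the exchange type: a peer that switched to IKEv2 after an upgrade sends major version 2 and exchange type 34, which an IKEv1-only policy on the other side cannot accept, while a length mismatch points at fragmentation or middlebox damage rather than at the policy.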

  • Well, this happened.

    For IPsec VPN, 3DES and SHA1 are "now" insecure!!!

    That is indicated by the UTM in the policy config.

    I created a new policy with the same config, and surprise: VPN up.

    Really don't know what happened!!

  • I'm seeing the exact same error. Slightly different symptom for me. I have 4 site-to-site tunnels and am only seeing this issue/error message on one of them, even though they all have SHA1 as an option. But for me the tunnel will connect, but after a period of time (seems to be about 20 hours, but can vary drastically) it will drop and will not re-establish until someone manually deactivates and activates it again. It's been a huge pain because our company operates 24/7, but our IT department "technically" only works normal business hours. So this has meant someone has had to come in in the middle of the night most days since we installed MR1 to restart the VPN. Glad I came across this; I'm going to try recreating the policy and see if that changes anything.

  • We have the same error as you, where the components of the tunnel drop but the overall link still thinks it is up, on a tunnel that connects two 17.0.1 XGs; when one was on 16.5.7 it was okay. We are, however, using SHA2-256 but still IKEv1. With the new tunnel that was created, did you use IKEv2? That is what I was going to try.

  • I'm also facing the same issue since I upgraded to firmware 17. I raised a ticket with Sophos support; they suggested upgrading to 17.0.3 MR-3. I did that, and the condition has worsened. Every hour the IPsec goes down. I've been following up with support; they have been observing the issue for the last 7 days without a response or update.

    My other end is a third-party vendor and they are using Cisco at their end. Any help or suggestion would be a big help.

  • Hi Ajay,

    Could you please PM me the support ticket number? Let's see how we can get it working.

    Regards,

  • Hello,

    We are facing the same issue, and our ticket with Critical priority was opened in December.

    This issue is still not resolved. Yesterday we upgraded to MR3 and things got worse. After a couple of hours our 12 VPN tunnels began to flap; they are connecting and disconnecting every second.

    We tried to recreate the tunnels. That helped on an XG210, but in our HQ there is an XG310 and this workaround didn't help.

    It's getting worse: we then downgraded back to MR1, and it seems like we have transported this bug from MR3 to MR1. Now the VPNs are flapping there every second and are just unstable and down all the time.

    We restored the config that we made on MR1 before the upgrade to MR3; that didn't help either.

    We thought of trying MR2, but we can't download it from the Sophos Support Portal. There is only MR3...

    We are really disappointed with Sophos and especially with Sophos Support. I wish we had chosen another vendor for our firewall migration project.

    We have had ongoing problems with XG since October, when we started the project. All that support can say: oh, the logs are deleted, we can't see much, and please upgrade to the newer version.

    Very poor, guys, really.

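Several posts above describe the same operational symptom: tunnels that flap every second, or drop once an hour, with nobody noticing until a user calls. One way to surface that pattern from the IPsec event log, as an added example that is not part of the thread or of Sophos's tooling: parse the key="value" event lines in the shape of the original poster's message, attribute each failure to a peer, and flag any peer that fails more than a few times inside a short window. The `date`/`time` fields, the peer addresses and the event lines themselves are constructed for the example; the thread shows only the fields from `messageid` onward.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# key="value" pairs as in the OP's IPSec event line.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Peer address embedded in the free-text message: 'from 203.0.113.10[500]'.
PEER_RE = re.compile(r"from (\S+)\[(\d+)\]")


def parse_line(line: str) -> dict:
    return dict(KV_RE.findall(line))


def peer_of(ev: dict) -> str:
    """gw_ip when populated, else the host named in the message text."""
    if ev.get("gw_ip"):
        return ev["gw_ip"]
    m = PEER_RE.search(ev.get("message", ""))
    return m.group(1) if m else "unknown"


def find_flapping(lines, window=timedelta(seconds=60), threshold=5) -> dict:
    """Return {peer: failure_count} for peers with >= threshold IPSec failures
    inside any window-long span. Lines are assumed to be in time order per peer."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev.get("log_component") != "IPSec" or ev.get("status") != "Failed":
            continue
        ts = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        peer = peer_of(ev)
        q = recent[peer]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[peer] = max(flagged.get(peer, 0), len(q))
    return flagged


def _line(date, time, peer):
    # Constructed sample in the shape of the OP's log line. The date/time fields are
    # an assumption for the example; the thread's line shows only the fields after them.
    return (f'date="{date}" time="{time}" messageid="18052" log_type="Event" '
            f'log_component="IPSec" log_subtype="System" status="Failed" user="" '
            f'con_name="site2site" con_type="0" src_ip="" gw_ip="" local_network="" '
            f'dst_ip="" remote_network="" additional_information="" '
            f'message="parsing IKE message from {peer}[500] failed"')


# Constructed data: six failures from one peer inside 30 s, one isolated failure from another.
SAMPLE_LOG = [_line("2018-02-01", f"10:00:{s:02d}", "203.0.113.10") for s in (0, 5, 10, 15, 20, 25)]
SAMPLE_LOG.append(_line("2018-02-01", "10:00:12", "198.51.100.7"))

if __name__ == "__main__":
    print(find_flapping(SAMPLE_LOG))   # {'203.0.113.10': 6}
```

Fed from syslog rather than a list, the same loop gives a pager alert instead of a 3 a.m. phone call; the isolated failure from the second peer stays below the threshold on purpose, since a single retransmit or rekey hiccup is not worth waking anyone for.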
  • Will provide it to you in a DM. The same has also been escalated to the GES team at Sophos for further testing and checks.

  • We have a very similar issue: we upgraded from v16, which was running rock solid, to v17 MR3 and the "party" has started :). Our VPN tunnels are up and down. And sometimes we can't even log in to the Sophos web site; we need to get into it via SSH and do reboot -f. Support is checking now. We'll see what he finds.

  • Yeah, my 230XG hung up too, and it didn't even restart from SSH; support tried everything, but then I had to give it a hard boot. The client I work for is not ready for a single minute's downtime. It seems V17.03 MR-3 has been a nightmare for all. With me the support team is working and the GES team is looking after it.
