CISCO VPN broken after XG 17 release

After upgrading to XG17, I am facing a problem with the Cisco VPN.

It is configured using a pre-shared key, and my clients are iOS devices.

Initially it works, but after a few hours it is no longer possible to connect to the server.

Disabling and re-enabling Cisco VPN Client in the General Settings tab makes the connection work again, but again only for a few hours.

When the connectivity is broken, I see the following entries in the log:

2017-12-13 04:00:00 08[KNL] interface Port2_ppp deactivated
2017-12-13 04:00:00 12[KNL] 79.191.97.143 disappeared from Port2_ppp
2017-12-13 04:00:00 05[KNL] interface Port2_ppp deleted
2017-12-13 04:00:01 11[KNL] 79.191.148.228 appeared on Port2_ppp
2017-12-13 04:00:01 08[KNL] 79.191.148.228 disappeared from Port2_ppp
2017-12-13 04:00:01 15[KNL] 79.191.148.228 appeared on Port2_ppp
2017-12-13 04:00:01 14[KNL] interface Port2_ppp activated
2017-12-13 04:00:02 14[CFG] rereading secrets
2017-12-13 04:00:02 14[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
2017-12-13 04:00:02 14[CFG] loading secrets from '/_conf/ipsec/connections/CISCOVPN.secrets'
2017-12-13 04:00:02 14[CFG] loaded IKE secret for 79.191.97.143 %any
2017-12-13 04:00:02 13[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
2017-12-13 08:51:40 05[NET] <14> received packet: from 37.47.8.201[15003] to 79.191.148.228[500] (848 bytes)
2017-12-13 08:51:40 05[ENC] <14> parsed ID_PROT request 0 [ SA V V V V V V V V V V V V V V ]
2017-12-13 08:51:40 05[IKE] <14> no IKE config found for 79.191.148.228...37.47.8.201, sending NO_PROPOSAL_CHOSEN
2017-12-13 08:51:40 05[ENC] <14> generating INFORMATIONAL_V1 request 4248552094 [ N(NO_PROP) ]
2017-12-13 08:51:40 05[NET] <14> sending packet: from 79.191.148.228[500] to 37.47.8.201[15003] (40 bytes)

I suspect that it may be related to the fact that I have a dynamically assigned public IP, which is renewed every 24 hours by my internet provider. The above log shows the moment of the IP renewal, after which connecting to the VPN server was not possible.

Please see the entry: 2017-12-13 04:00:02 14[CFG] loaded IKE secret for 79.191.97.143 %any

The IP 79.191.97.143 is the old IP address on the ppp interface. The newly assigned one is 79.191.148.228.

I think it is a bug in this firmware.
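As an added example (not from this thread, Sophos or strongSwan), a small Python checker that walks charon-style log lines like the ones quoted above, tracks which address the ppp interface currently holds, and flags an IKE secret loaded for a different address as well as the resulting "no IKE config found" rejections. The embedded log lines are constructed from the pattern shown in the post; the interface name Port2_ppp is taken from the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, abbreviated from the log pattern quoted in the post.
SAMPLE_LOG = """\
2017-12-13 04:00:00 12[KNL] 79.191.97.143 disappeared from Port2_ppp
2017-12-13 04:00:01 15[KNL] 79.191.148.228 appeared on Port2_ppp
2017-12-13 04:00:01 14[KNL] interface Port2_ppp activated
2017-12-13 04:00:02 14[CFG] loaded IKE secret for 79.191.97.143 %any
2017-12-13 08:51:40 05[IKE] <14> no IKE config found for 79.191.148.228...37.47.8.201, sending NO_PROPOSAL_CHOSEN
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# New address bound to an interface (KNL = kernel interface events).
APPEARED = re.compile(rf"^(\S+ \S+) \d+\[KNL\] {IPV4} appeared on (\S+)$")
# Pre-shared key (re)loaded and bound to a local address.
SECRET = re.compile(rf"^(\S+ \S+) \d+\[CFG\] loaded IKE secret for {IPV4} ")
# Incoming IKEv1 proposal rejected because no connection matches local...peer.
NO_CONFIG = re.compile(
    rf"^(\S+ \S+) \d+\[IKE\] <\d+> no IKE config found for {IPV4}\.\.\.{IPV4}")


def find_stale_ike_bindings(log_text: str, wan_iface: str = "Port2_ppp") -> List[Dict[str, str]]:
    """Read the log in order, remember the WAN interface's current address,
    and report IKE secrets bound to an address the interface no longer has,
    plus every NO_PROPOSAL_CHOSEN caused by a missing config for the new address."""
    current_ip: Optional[str] = None
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = APPEARED.match(line)
        if m and m.group(3) == wan_iface:
            current_ip = m.group(2)  # the address the WAN link holds from here on
            continue
        m = SECRET.match(line)
        if m and current_ip and m.group(2) != current_ip:
            findings.append({"time": m.group(1), "kind": "stale_secret",
                             "bound_ip": m.group(2), "wan_ip": current_ip})
            continue
        m = NO_CONFIG.match(line)
        if m:
            findings.append({"time": m.group(1), "kind": "no_config",
                             "local_ip": m.group(2), "peer_ip": m.group(3),
                             "wan_ip": current_ip or ""})
    return findings


if __name__ == "__main__":
    for f in find_stale_ike_bindings(SAMPLE_LOG):
        print(f)
```

A secret whose bound address matches the interface's current address produces no finding, so the checker stays quiet on a healthy renewal.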



  • AdamMickiewicz said:
    After upgrading to XG17, I am facing a problem with the Cisco VPN.

    May I ask which version of v17 you are running? v17 MR2 contains fixes related to IPsec with dynamic WAN interfaces that may be relevant in this case.

  • Yes, I am running MR2

    Sophos Firmware Version SFOS 17.0.2 MR-2

    console> system diagnostics show version-info

    Serial Number: C01001CWCX8KH3F
    Device-Id: ffc61df1-8ddf-406e-8a75-00c7e1cd3db9
    Appliance Model: SFVH
    Firmware Version: SFOS 17.0.2 MR-2
    Firmware Build: 116
    Firmware Loader version: 0x00000006
    HW version: SO01
    Config DB version: 17.107
    Signature DB version: 17.107
    Report DB version: 17.107
    Webcat Signature version: 0.0.2.47
    Web Proxy version: HTTP-Proxy.b167be6e9
    SMTP Proxy version: 1.0
    POP/IMAP Proxy version: 1.0.0.3.4
    Logging Daemon version: 0.0.0.17
    AP Firmware: 9.0.001
    ATP: 1.0.0171
    Avira AV: 1.0.21525
    Authentication Clients: 1.0.0008
    IPS and Application signatures: 3.14.34
    RED Firmware: 2.0.008
    Sophos AV: 1.0.11905
    SSLVPN Clients: 1.0.007
    WAF: 1.0.0006
    Hot Fix version: N.A

  • Get this issue logged with technical support and let us know the outcome.

  • Full log from the most recent IP change on the ppp interface below. The highlighted lines confirm that the old IP is used instead of the new one. I think this confirms the issue. In case you need debug logging, let me know.

    2017-12-14 04:00:00 16[KNL] interface Port2_ppp deactivated
    2017-12-14 04:00:00 07[KNL] 79.191.148.228 disappeared from Port2_ppp
    2017-12-14 04:00:00 13[KNL] interface Port2_ppp deleted
    2017-12-14 04:00:01 13[KNL] 83.6.77.97 appeared on Port2_ppp
    2017-12-14 04:00:01 05[KNL] 83.6.77.97 disappeared from Port2_ppp
    2017-12-14 04:00:01 10[KNL] 83.6.77.97 appeared on Port2_ppp
    2017-12-14 04:00:01 14[KNL] interface Port2_ppp activated
    2017-12-14 04:00:01 08[CFG] rereading secrets
    2017-12-14 04:00:01 08[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2017-12-14 04:00:01 08[CFG] loading secrets from '/_conf/ipsec/connections/CISCOVPN.secrets'
    2017-12-14 04:00:01 08[CFG] loaded IKE secret for 79.191.148.228 %any
    2017-12-14 04:00:01 06[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'
    2017-12-14 04:00:01 13[CFG] received stroke: delete connection 'CISCOVPN-1'
    2017-12-14 04:00:01 13[CFG] deleted connection 'CISCOVPN-1'
    2017-12-14 04:00:01 05[CFG] received stroke: add connection 'CISCOVPN-1'
    2017-12-14 04:00:01 05[CFG] left nor right host is our side, assuming left=local
    2017-12-14 04:00:01 05[CFG] added configuration 'CISCOVPN-1'
    2017-12-14 04:00:03 05[CFG] rereading secrets
    2017-12-14 04:00:03 05[CFG] loading secrets from '/_conf/ipsec/ipsec.secrets'
    2017-12-14 04:00:03 05[CFG] loading secrets from '/_conf/ipsec/connections/CISCOVPN.secrets'
    2017-12-14 04:00:03 05[CFG] loaded IKE secret for 79.191.148.228 %any
    2017-12-14 04:00:03 10[CFG] rereading ca certificates from '/_conf/ipsec/ipsec.d/cacerts'

  • Any updates on this? I have the same problem. It still persists in MR3. Very annoying...

  • Sorry for the late response Adam,

    AdamMickiewicz said:
    In case you need debug logging, let me know.

    Please PM me the debug logs if possible. Otherwise via email.

    We are currently verifying if and what kind of problem is present in relation to dynamic WAN links and IPsec.

  • I am sorry, dna, but I had to change my configuration to resolve the issue, at least as a workaround, and I am unable to share logs right now.

    I basically switched my VDSL modem from bridge to router mode, and now the modem establishes the WAN link with my network provider and gets the dynamic IP instead of the XG firewall.

    Certainly this also required assigning a static IP to the modem on its LAN interface and a static IP on the WAN interface of the XG firewall.

    As the XG now has a static IP on the WAN interface, the problem is resolved. Certainly this means that I have a double-NATed connection now, which is maybe not very convenient with regard to port forwarding, but it is not a big issue for me either. At least my VPN works ok :)

    Basically it looks now like below:

    WAN (public IP, assigned dynamically) -> VDSL modem (PPPoE; LAN IP 192.168.10.10/24) <-> XG Firewall (WAN interface: IP 192.168.10.1/24, gateway 192.168.10.10; LAN interface: 192.168.1.1/24) -> LAN switch

  • Thanks for the feedback anyway, I'll update this thread when I can tell more about the fate of the problem.

  • The issue of IPsec/Cisco/L2TP VPN together with PPPoE will be addressed via NC-26582 in v17 MR-5.

    Thanks Adam for the clear analysis of the problem.