
IPSec VPN does not work for iOS devices after upgrade to 9.411-3

After upgrading to 9.411-3, iOS devices cannot connect via IPSec. If the configuration on the iOS device is deleted and configured again via remote access it works, but we don't like to bother our users with reinstalling the VPN configuration... Is there a way out here?

 

Regards

Jesper Hanno



This thread was automatically locked due to age.
  • Hi Jesper,

    Try uploading the previous backup on the UTM. 

    Any help with that?

    Thanks

  • Thanks for the quick reply. We don't have this option, since we have made several changes since...

     

    Any other options?

     

    Regards

    Jesper Hanno

  • Hi, Jesper, and welcome to the UTM Community!

    Sachin's suggestion is the correct one.  Go to the 'Management' section, and you will see that you can review the changes made since the Up2Date.  That will allow you to easily repeat the changes if needed.

    Before you restore the backup made just prior to the Up2Date, make another configuration backup.  If the restore "trick" doesn't solve your problem, just restore the newest backup.

    Cheers - Bob

  • @Sachin's @BAlfson

    What is this restore backup thing?

    This is stupid. I have never restored a backup after an upgrade and it was never needed or useful. (In 15 Years Astaro/Sophos UTM)

     

    You only need the backup when HW is completely down or upgrade or rebuild.

     

    May

  • Thanks Bob, 

     

    Are there any other options? Are there changes in the latest update to IPSec VPN that could justify this behaviour? We would prefer to know what's going on, if that's an option...

    I tried to look at the syslog files, and on a device that is having the problem we have

    Facility: authpriv
    Priority: warning
    Tag: 2017:02:15-16:15:46 remote pluto[6267]
    Message: "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] x.x.x.x:9853 #68: no suitable connection for peer 'C=xx, L=xxx, O=xxxxxx, CN=xxxxx, E=xxxxxxx@xxxxx.xx'

    Regards

    Jesper Hanno

  • Extra lines from the log:

    "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] x.x.x.x:9853 #68: no suitable connection for peer 'C=xx, L=xxxxxx, O=xxxxxx, CN=xxxxxx, E=xxxxxx@xxxxxx.xx'
    "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] x.x.x.x:9853 #68: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:9853
    packet from x.x.x.x:9853: ISAKMP version of ISAKMP Message has an unknown value: 80
    packet from x.x.x.x:9853: sending notification INVALID_MAJOR_VERSION to x.x.x.x:9853
    packet from x.x.x.x:9853: ISAKMP version of ISAKMP Message has an unknown value: 80
    packet from x.x.x.x:9853: sending notification INVALID_MAJOR_VERSION to x.x.x.x:9853

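
An added example, not part of any post in this thread: a small Python triage script that groups pluto messages like the ones quoted above by peer address, counts each failure message and collects the peer IDs that matched no connection. The sample lines, the addresses, the syslog line layout and the reason labels are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the redacted lines quoted in the thread;
# addresses are documentation-range placeholders, the layout is an assumption.
SAMPLE = """\
2017:02:15-16:15:46 remote pluto[6267]: "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] 192.0.2.10:9853 #68: no suitable connection for peer 'C=xx, L=xxx, O=xxxxxx, CN=user1, E=user1@example.test'
2017:02:15-16:15:46 remote pluto[6267]: "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[41] 192.0.2.10:9853 #68: sending encrypted notification INVALID_ID_INFORMATION to 192.0.2.10:9853
2017:02:15-16:15:47 remote pluto[6267]: packet from 192.0.2.10:9853: ISAKMP version of ISAKMP Message has an unknown value: 80
2017:02:15-16:15:47 remote pluto[6267]: packet from 192.0.2.10:9853: sending notification INVALID_MAJOR_VERSION to 192.0.2.10:9853
2017:02:15-16:16:02 remote pluto[6267]: "D_REF_IpsRoaForActivDirec_AaaUsexxxxxxx"[42] 198.51.100.7:500 #69: no suitable connection for peer 'C=xx, L=xxx, O=xxxxxx, CN=user2, E=user2@example.test'
"""

# Message fragments as they appear in the thread, mapped to labels (our own names).
REASONS = [
    ("no suitable connection for peer", "peer_id_unmatched"),
    ("notification INVALID_ID_INFORMATION", "invalid_id_sent"),
    ("ISAKMP Message has an unknown value", "unknown_isakmp_version"),
    ("notification INVALID_MAJOR_VERSION", "invalid_major_version_sent"),
]
# Either '"conn"[n] ip:port #state: msg' or 'packet from ip:port: msg'.
LINE = re.compile(
    r'pluto\[\d+\]:? (?:"(?P<conn>[^"]+)"\[\d+\] |packet from )'
    r'(?P<ip>[^\s:]+):\d+(?: #\d+)?: (?P<msg>.*)$'
)
PEER_ID = re.compile(r"for peer '([^']*)'")

def triage(text):
    """Group pluto failures by peer address: reason counts and rejected IDs."""
    peers = defaultdict(lambda: {"reasons": Counter(), "peer_ids": set(), "conns": set()})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pluto connection or packet line
        entry = peers[m["ip"]]
        if m["conn"]:
            entry["conns"].add(m["conn"])
        for fragment, label in REASONS:
            if fragment in m["msg"]:
                entry["reasons"][label] += 1
        pid = PEER_ID.search(m["msg"])
        if pid:
            entry["peer_ids"].add(pid.group(1))  # the ID the peer presented
    return dict(peers)

if __name__ == "__main__":
    for ip, info in triage(SAMPLE).items():
        print(ip, dict(info["reasons"]), sorted(info["peer_ids"]))
```

Comparing the collected peer IDs with the IDs configured for the remote-access connection shows which clients present an identity that no longer matches.
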
  • Delete the IPsec Connection and the Remote Gateway it uses, Jesper, and then create them both anew.  Any luck with that?

    If the restore "trick" doesn't help and this doesn't either, Support may tell you to re-image from ISO.  You should get a case open with them ASAP.

    It sounds like this device is mission-critical enough that you should be running a Hot-Standby.

    Cheers - Bob

  • Hi Mygyver,

    In the rarest of cases, we discovered that restoring a backup resolved the issue, which was caused by some minor backend changes after a firmware upgrade. 

    It is a basic step which I would recommend to follow after a firmware upgrade in the v9. Once verified, we can get into the depth to troubleshoot the issue.

    Cheers

  • Hi sachingurung ,

    I have never heard about it in 15 years of UTM. I think it is a bad idea to always recommend this after a minor update. (9.408 to 9.409)

    It might be a good idea for a major update (9.3 to 9.4) or an Upgrade from (9 to 10). But even there it should not be the first thing to do. 

    The software must not have problems with minor backend changes.

     

    May

  • Let me try again..

    It is all the Apple iOS devices that have this problem. If we delete the configuration on the Apple iOS device, log in to the portal and reconfigure the client, it works, but we are not happy about informing all users to recreate their VPN again...

    Regards

    Jesper Hanno
