Problem with IPsec S2S connection drops

Hello forum,

one of my S2S VPN connections keeps dropping sporadically. (Sophos UTM 9, latest firmware)

The log shows me the following:

2019:10:30-06:37:59 sophos-proxy-2 pluto[21082]: "S_xx S2S" #19: sent QI2, IPsec SA established {ESP=>0x31977f1b <0x64f59442}
2019:10:30-07:31:03 sophos-proxy-2 pluto[21082]: "S_xx S2S" #20: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #19 {using isakmp#1}
2019:10:30-07:31:03 sophos-proxy-2 pluto[21082]: "S_xx S2S" #20: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2019:10:30-07:31:03 sophos-proxy-2 pluto[21082]: "S_xx S2S" #20: sent QI2, IPsec SA established {ESP=>0xd02fc721 <0x32234c6c}
2019:10:30-08:19:56 sophos-proxy-2 pluto[21082]: "S_xx S2S" #21: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #20 {using isakmp#1}
2019:10:30-08:19:56 sophos-proxy-2 pluto[21082]: "S_xx S2S" #21: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2019:10:30-08:19:56 sophos-proxy-2 pluto[21082]: "S_xx S2S" #21: sent QI2, IPsec SA established {ESP=>0xbf64436f <0x7335bc7d}
2019:10:30-09:14:08 sophos-proxy-2 pluto[21082]: "S_xx S2S" #22: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #21 {using isakmp#1}
2019:10:30-09:14:08 sophos-proxy-2 pluto[21082]: "S_xx S2S" #22: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
2019:10:30-09:14:08 sophos-proxy-2 pluto[21082]: "S_xx S2S" #22: sent QI2, IPsec SA established {ESP=>0xa272c594 <0x9f5cc3d0}
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: "S_xx S2S" #23: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #22 {using isakmp#1}
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: packet from 195.8.xx.xx:500: ignoring Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d5db95289...]
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: packet from 195.8.xx.xx:500: ignoring Vendor ID payload [FRAGMENTATION]
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: "S_xx S2S" #24: responding to Main Mode
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: "S_xx S2S" #24: Peer ID is ID_IPV4_ADDR: '195.8.xx.xx'
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: "S_xx S2S" #24: sent MR3, ISAKMP SA established
2019:10:30-10:06:17 sophos-proxy-2 pluto[21082]: "S_xx S2S" #24: received Delete SA payload: deleting ISAKMP State #1
2019:10:30-10:17:28 sophos-proxy-1 pluto[31927]: "S_xx S2S" #22: IPsec SA expired (LATEST!)
2019:10:30-10:17:28 sophos-proxy-1 pluto[31927]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="xx S2S" address="xx.xx.xx.xx" local_net="192.168.xx.0/24" remote_net="172.xx.0.0/16"
2019:10:30-10:17:28 sophos-proxy-2 pluto[21082]: "S_xx S2S" #22: IPsec SA expired (LATEST!)
2019:10:30-10:17:28 sophos-proxy-2 pluto[21082]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="xx S2S" address="xx.xx.xx.xx" local_net="192.168.xx.0/24" remote_net="172.xx.0.0/16"
 
 
Maybe someone can tell me something about this?
Many thanks in advance!


  • Hello Robert,

    my guess would be that this is caused by different lifetime settings on the two sides of the connection.

    IPsec SA expired

    By the way, which firmware is the latest? That can certainly differ via Up2date.

    Best regards

    Alex

  • Hello Alex,

    thank you very much for your answer.

    Firmware: 9.605-1

    Timings on CheckPoint (remote peer): IKE SA lifetime: 1440 min, IPsec: 3800 sec

    Timings on Sophos: IKE: 86400 sec, IPsec: 3800 sec

    That should match, shouldn't it?

    Thanks and regards

    Leo

  • Hello Leo,

    A warm welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    I was sure that Alex had the solution, but 1440min = 86400sec.

    Is DPD enabled on both sides?

    Kind regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'll have to look at a log like this on my own system, but I find the line

     #22: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME

    a bit puzzling. (Or the term is confusing me now.) Have you tried other values? Is there perhaps also a log on the CheckPoint side?

  • Thanks for insisting Alex.  I've not seen an IPsec lifetime of 3800 before.

    Leo, I think you should ask for a picture of the IPsec Policy in the Checkpoint.  I bet the timeout there is 3600.

    Kind regards - Bob (Please continue in German.)

  • I had them show me a screenshot and yes, it actually says 3600 instead of 3800. I have now changed the value and will check this for 2 days.

    Many thanks to you both already!

  • Hello Alex, hello Bob,

    unfortunately this connection also broke down a little while ago; here is the log for it:

    #58 {using isakmp#30}
    2019:11:02-15:57:22 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #59: sent QI2, IPsec SA established {ESP=>0xffab525f <0xcd2cea24}
    2019:11:02-16:45:14 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #60: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #59 {using isakmp#30}
    2019:11:02-16:45:14 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #60: sent QI2, IPsec SA established {ESP=>0x8a5cbcf2 <0xacab58a6}
    2019:11:02-17:35:40 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #61: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #60 {using isakmp#30}
    2019:11:02-17:35:40 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #61: sent QI2, IPsec SA established {ESP=>0xa1441ec8 <0xdc945d8f}
    2019:11:02-18:19:25 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: initiating Main Mode to replace #30
    2019:11:02-18:19:25 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: ignoring Vendor ID payload [FRAGMENTATION]
    2019:11:02-18:19:25 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: Peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'
    2019:11:02-18:19:25 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: ISAKMP SA established
    2019:11:02-18:19:27 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:29 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:31 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:33 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:35 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:37 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:41 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:45 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:49 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:53 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:19:57 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #62: discarding duplicate packet; already STATE_MAIN_I4
    2019:11:02-18:26:30 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #63: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #61 {using isakmp#62}
    2019:11:02-18:26:30 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #30: received Delete SA payload: deleting ISAKMP State #62
    2019:11:02-18:35:40 sophos-proxy-1 pluto[31927]: "S_REF_IpsSitxxxS2s_0" #61: IPsec SA expired (LATEST!)
    2019:11:02-18:35:40 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #61: IPsec SA expired (LATEST!)
    2019:11:02-18:35:40 sophos-proxy-1 pluto[31927]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitxxxS2s" address="xx.xx.xx.xx" local_net="xx.xx.xx.xx/32" remote_net="xx.xx.xx.xx/16"
    2019:11:02-18:35:40 sophos-proxy-2 pluto[21082]: id="2204" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN down" variant="ipsec" connection="REF_IpsSitxxxS2s" address="xx.xx.xx.xx" local_net="xx.xx.xx.xx/32" remote_net="xx.xx.xx.xx/16"

     

     

    Maybe you have another idea? Many thanks to you all!
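
Added example (not part of any post in this thread, and not Sophos code): a small Python parser for pluto lines in the format posted above that reports how old an IPsec SA was when it expired and which Quick Mode rekey attempts for it never completed. The name `analyze` and the result fields are illustrative; `SAMPLE_LOG` is an excerpt of the second log above.

```python
import re
from datetime import datetime

# Excerpt of the pluto log posted above (second outage, 2019-11-02).
SAMPLE_LOG = '''\
2019:11:02-16:45:14 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #60: sent QI2, IPsec SA established {ESP=>0x8a5cbcf2 <0xacab58a6}
2019:11:02-17:35:40 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #61: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #60 {using isakmp#30}
2019:11:02-17:35:40 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #61: sent QI2, IPsec SA established {ESP=>0xa1441ec8 <0xdc945d8f}
2019:11:02-18:26:30 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #63: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #61 {using isakmp#62}
2019:11:02-18:35:40 sophos-proxy-1 pluto[31927]: "S_REF_IpsSitxxxS2s_0" #61: IPsec SA expired (LATEST!)
2019:11:02-18:35:40 sophos-proxy-2 pluto[21082]: "S_REF_IpsSitxxxS2s_0" #61: IPsec SA expired (LATEST!)
'''

# timestamp, host, pluto[pid]:, "connection" #state: message
LINE = re.compile(
    r'^\s*(\d{4}:\d\d:\d\d-\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "[^"]+" #(\d+): (.*)$')

def analyze(log_text):
    """Return one finding per expired IPsec SA: its age and any stalled rekeys."""
    established, rekeys, seen, findings = {}, {}, set(), []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # e.g. "packet from ..." lines carry no state number
        ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        state, msg = int(m.group(2)), m.group(3)
        if "IPsec SA established" in msg:
            established[state] = ts
        elif msg.startswith("initiating Quick Mode"):
            old = re.search(r"to replace #(\d+)", msg)
            if old:
                rekeys.setdefault(int(old.group(1)), []).append((state, ts))
        elif "IPsec SA expired" in msg and state not in seen:
            seen.add(state)  # both HA nodes log the same expiry
            age = (int((ts - established[state]).total_seconds())
                   if state in established else None)
            # Rekey attempts for this SA that never reached "established",
            # with the seconds that passed between the attempt and the expiry.
            stalled = [(new, int((ts - t).total_seconds()))
                       for new, t in rekeys.get(state, []) if new not in established]
            findings.append({"state": state, "age_s": age, "stalled_rekeys": stalled})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On this excerpt SA #61 expires exactly 3600 s after it was established, and rekey attempt #63, started 550 s before the expiry, never reaches "IPsec SA established".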

  • Hello Leo,

    Let's all look at pictures of the configuration on both sides.  Also, did we confirm that DPD is enabled on both sides?

    Kind regards - Bob (Please continue in German.)

  • Hello Bob,

    I am still waiting for the policy from the other side; I will get back to you as soon as I receive the information.

    Thanks and regards

    Leo

  • Hello, we were finally able to exchange the data.

    Where can I enable IKEv1 and IKEv2 on the Sophos?

    Thanks and regards

    Robert