IPsec VPN tunnel disconnects (Checkpoint Firewall)

Hi,

we have a tunnel to a Checkpoint firewall which has always run stably (at least it felt that way). For a few weeks now there have been repeated connection drops. I see the following conspicuous messages in the log:

 

2020:07:24-09:53:52 utm-1 pluto[18362]: | *received 152 bytes from XXX:500 on eth1
2020:07:24-09:53:52 utm-1 pluto[18362]: packet from XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
2020:07:24-09:53:52 utm-1 pluto[18362]: packet from XXX:500: ignoring Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d5f1a9336...]
2020:07:24-09:53:52 utm-1 pluto[18362]: | preparse_isakmp_policy: peer requests PSK authentication
2020:07:24-09:53:52 utm-1 pluto[18362]: packet from XXX:500: initial Main Mode message received on YYYY:500 but no connection has been authorized with policy=PSK
2020:07:24-09:53:52 utm-1 pluto[18362]: | next event EVENT_SA_SYNC_UPDATE in 6 seconds
 
Furthermore:
 
Can anyone give me a tip on this?
 


  • Furthermore, I also have this error:

     

    2020:07:24-10:37:51 utm-1 pluto[18362]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #50
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #50: responding to Quick Mode
    2020:07:24-10:37:51 utm-1 pluto[18362]: | kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
    2020:07:24-10:37:51 utm-1 pluto[18362]: | NAT-T: new mapping xxx:1044/500)
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #39: ERROR: netlink response for Add SA esp.1ab1295d@yyy included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #37: ERROR: netlink response for Add SA esp.d7baa6be@yyy included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #36: ERROR: netlink response for Add SA esp.30744739@yyy included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #35: ERROR: netlink response for Add SA esp.8feb7ba1@yyy included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #34: ERROR: netlink response for Add SA esp.f129f578@yyy included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #33: ERROR: netlink response for Add SA esp.4de44531@yyy included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #50: ERROR: netlink response for Add SA esp.57e9ebac@XXX included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #49: ERROR: netlink response for Add SA esp.9e59eb2b@XXX included errno 22: Invalid argument
    2020:07:24-10:37:51 utm-1 pluto[18362]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #50
    2020:07:24-10:37:51 utm-1 pluto[18362]: | next event EVENT_SA_SYNC_UPDATE in 7 seconds

    and

    2020:07:24-10:40:42 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #32: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd2bb8bb7 (perhaps this is a duplicated packet)
    2020:07:24-10:40:42 utm-1 pluto[18362]: "S-ABC-IPsec Tunnel" #32: sending encrypted notification INVALID_MESSAGE_ID to YYY:500
  • Hello Alexander,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    My first guess is that there's a NAT in front of the External interface.  If that's the case, show us a picture of the 'Preshared Key Settings' on the 'Advanced' tab.

    If that's not the case, please show us pictures of the Edits of the IPsec Connection and the Remote Gateway along with a picture of the corresponding settings on the CheckPoint.  Then,

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Copy here about 60 lines from enabling through the error.

    If you prefer, obfuscate IPs like 84.XX.YY.121, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.

    Kind regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
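A small triage helper for the roughly 60 live-log lines the checklist above asks for, added here as an example and not code from the thread or from Sophos. It parses pluto log lines in the format shown in the question, counts the three failure classes seen in the thread (unauthorized PSK peer, netlink Add SA errno 22, duplicate Quick Mode message ID) per SA number, and counts debug lines, which would show that step 1 ("Debug not enabled") was skipped; the sample lines and addresses are constructed, the function names are my own.

```python
import re
from collections import Counter

# Hypothetical triage helper (not from the thread) for Sophos UTM pluto IPsec log lines.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
# The three failure classes visible in the thread, each with a short label.
PATTERNS = [
    ("unauthorized_psk_peer", re.compile(r"no connection has been authorized with policy=PSK")),
    ("netlink_add_sa_einval", re.compile(r"netlink response for Add SA .* errno 22")),
    ("duplicate_message_id", re.compile(r"previously used Message ID 0x[0-9a-f]+")),
]
# Constructed sample input modelled on the thread; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2020:07:24-09:53:52 utm-1 pluto[18362]: | preparse_isakmp_policy: peer requests PSK authentication
2020:07:24-09:53:52 utm-1 pluto[18362]: packet from 203.0.113.10:500: initial Main Mode message received on 198.51.100.1:500 but no connection has been authorized with policy=PSK
2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #50: responding to Quick Mode
2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #39: ERROR: netlink response for Add SA esp.1ab1295d@198.51.100.1 included errno 22: Invalid argument
2020:07:24-10:37:51 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #50: ERROR: netlink response for Add SA esp.57e9ebac@203.0.113.10 included errno 22: Invalid argument
2020:07:24-10:40:42 utm-1 pluto[18362]: "S_ABC-IPsec Tunnel" #32: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xd2bb8bb7 (perhaps this is a duplicated packet)
""".splitlines()

def parse_line(line):
    """Split one pluto line into timestamp, host, pid, connection name, SA number and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["debug"] = rec["msg"].startswith("| ")  # pluto prefixes debug output with "| "
    rec["sa"] = int(rec["sa"]) if rec["sa"] else None
    return rec

def triage(lines):
    """Return (hits per failure class, SA numbers per class, number of debug lines)."""
    counts = Counter()
    affected = {label: set() for label, _ in PATTERNS}
    debug_lines = 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not a pluto line (blank line, another daemon)
        if rec["debug"]:
            debug_lines += 1  # non-zero means debug logging is still on (checklist step 1)
            continue
        for label, pat in PATTERNS:
            if pat.search(rec["msg"]):
                counts[label] += 1
                if rec["sa"] is not None:
                    affected[label].add(rec["sa"])
    return counts, affected, debug_lines
```

Run `triage(open("ipsec-live.log").readlines())` on the pasted log to see which SAs the netlink errors hit and whether the unauthorized-peer messages come from the expected remote gateway address.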