Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 2 subscribers
  • Views 1588 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site to Site VPN drops frequently to Cisco ASA5505

mrainey
I have a Sophos 220 that is connected to several branch offices over Site to Site ipsec connections. 3 of the offices are other Sophos/Astaro devices and 3 use Cisco ASA 5505's. After I updated to 9.103-5, 2 of the Cisco offices started dropping the connection every hour or so.

In the live log I see this message when the connection drops:
ODESSA RZL" #1074: DPD: Could not find newest phase 1 state
2013:07:15-12:49:42 HotardNO pluto[6720]: "S_RZL NO 2 ODESSA RZL" #1074: DPD: No response from peer - declaring peer dead
2013:07:15-12:49:42 HotardNO pluto[6720]: "S_RZL NO 2 ODESSA RZL" #1074: DPD: Restarting all connections of peer
2013:07:15-12:49:42 HotardNO pluto[6720]: "S_RZL NO 2 ODESSA RZL" #1074: DPD: Terminating all SAs using this connection

These connections never dropped before doing the update and the connection to the 3rd Cisco seems to remain stable.


This thread was automatically locked due to age.
Parents
  • 0
    Mike, have you tried deleting the IPsec Connection and Remote Gateway definitions and then re-creating them?  If I were to guess, you have a policy with PFS and a lifetime of 3600, and something got mangled in the config.  The other thing I would try is another reboot - maybe something to try after hours.

    Cheers - Bob
Reply
  • 0
    Mike, have you tried deleting the IPsec Connection and Remote Gateway definitions and then re-creating them?  If I were to guess, you have a policy with PFS and a lifetime of 3600, and something got mangled in the config.  The other thing I would try is another reboot - maybe something to try after hours.

    Cheers - Bob
Children
No Data