UTM Azure Site to Site VPN not working, connection is made but no data passes through

I am hoping somebody can help with this issue. I have an Azure Site to Site VPN that has connected fine. However, when I try to ping or use RDP on the remote network, it doesn't work. I am behind a firewall at my college that allows no ports through. Does UDP/500 need to be open? I am getting errors like "sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500" and "message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)". I have attached my configuration and a snippet of a log file from my UTM.

2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Dorm-to-Azure" address="xx" local_net="10.80.1.0/24" remote_net="10.20.1.0/24"
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sent QI2, IPsec SA established {ESP=>0x8f86e1c8 <0x1faa1fb4}
2018:12:12-23:10:47 krohtofw pluto[26798]: packet from xx:500: Informational Exchange is for an unknown (expired?) SA
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500
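Added example (editor's code, not part of the thread or of Sophos UTM): a small parser that sorts pluto lines like the ones quoted above into three buckets, so that a log excerpt of the kind asked for later in the thread can be summarised instead of read by eye. The sample input is constructed from the posted snippet, with the RTF wrapping removed and the peer address left redacted as "xx". The classification it applies: the "Commit Flag ... ignoring flag" lines are noise that pluto itself says it ignores; "IPsec SA established" with ESP SPIs means the IKE exchange (to xx:500 in this log, i.e. UDP/500) completed and a phase 2 SA exists; "unexpected payload type", "INVALID_PAYLOAD_TYPE" and "unknown (expired?) SA" are messages from the peer that pluto rejected after that. The verdict labels are my own names.

```python
import re

# Constructed sample input: the pluto lines from the post above, RTF stripped,
# peer address kept redacted as "xx" exactly as posted.
SAMPLE_LOG = """\
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Dorm-to-Azure" address="xx" local_net="10.80.1.0/24" remote_net="10.20.1.0/24"
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sent QI2, IPsec SA established {ESP=>0x8f86e1c8 <0x1faa1fb4}
2018:12:12-23:10:47 krohtofw pluto[26798]: packet from xx:500: Informational Exchange is for an unknown (expired?) SA
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #249: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
2018:12:12-23:10:47 krohtofw pluto[26798]: "S_Dorm-to-Azure" #250: sending encrypted notification INVALID_PAYLOAD_TYPE to xx:500
"""

# Line shapes seen in the snippet: per-state messages ("conn" #N: msg),
# unattributed messages from a peer address, and key="value" event lines.
STATE_RE = re.compile(r'^\S+ \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
PEER_RE = re.compile(r'^\S+ \S+ pluto\[\d+\]: packet from (?P<peer>\S+): (?P<msg>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')

# Noise: pluto states in the message itself that it ignores this flag.
BENIGN = ("IKE message has the Commit Flag set",)
# Peer messages pluto rejected or could not tie to a known SA.
SUSPECT = (
    "unexpected payload type",
    "sending encrypted notification INVALID_PAYLOAD_TYPE",
    "Informational Exchange is for an unknown (expired?) SA",
)


def parse_pluto_log(text):
    """Summarise a pluto excerpt: tunnels reported up, SAs with SPIs, rejected messages."""
    summary = {
        "tunnels_up": [],        # (connection, local_net, remote_net)
        "sa_established": {},    # state number -> (outbound SPI, inbound SPI)
        "suspect": [],           # (state number or "peer", message)
        "benign_ignored": 0,     # count of Commit Flag noise lines
    }
    for line in text.splitlines():
        if 'event="Site-to-site VPN up"' in line:
            kv = dict(KV_RE.findall(line))
            summary["tunnels_up"].append((kv["connection"], kv["local_net"], kv["remote_net"]))
            continue
        m = STATE_RE.match(line)
        if m:
            state, msg = m.group("state"), m.group("msg")
            spi = SPI_RE.search(msg)
            if "IPsec SA established" in msg and spi:
                summary["sa_established"][state] = (spi.group(1), spi.group(2))
            elif any(b in msg for b in BENIGN):
                summary["benign_ignored"] += 1
            elif any(s in msg for s in SUSPECT):
                summary["suspect"].append((state, msg))
            continue
        m = PEER_RE.match(line)
        if m and any(s in m.group("msg") for s in SUSPECT):
            summary["suspect"].append(("peer", m.group("msg")))
    return summary


def classify(summary):
    """Verdict labels (my own naming): did an IPsec SA come up, and was anything rejected after?"""
    if not summary["sa_established"]:
        return "no-ipsec-sa"
    if summary["suspect"]:
        return "sa-up-peer-messages-rejected"
    return "sa-up-clean"


if __name__ == "__main__":
    s = parse_pluto_log(SAMPLE_LOG)
    print("tunnels up:", s["tunnels_up"])
    print("SAs:", s["sa_established"])
    print("benign Commit Flag lines:", s["benign_ignored"])
    for who, msg in s["suspect"]:
        print("rejected/unknown:", who, "->", msg)
    print("verdict:", classify(s))
```

On the posted snippet this yields one tunnel up (10.80.1.0/24 to 10.20.1.0/24), one established SA (#250) and five rejected or unassociated messages across states #249 and #250, so the verdict is "sa-up-peer-messages-rejected". Two caveats the parser cannot settle from the log alone: IKE negotiating on UDP/500 proves that port is open, but the data itself travels as ESP (IP protocol 50) unless NAT traversal is in use (UDP/4500), and a firewall that passes UDP/500 but not ESP produces exactly "tunnel up, no traffic"; and a phase 2 policy mismatch would normally stop the SA from being established at all, which is not what this excerpt shows. Watching the tunnel with espdump, as suggested later in the thread, is the check that distinguishes these.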

  • Hi Alec,

    my first guess with VPN problems like this is the policies.
    Are the policies on both VPN gateways the same, especially phase 2 (IPsec)?

    Best Regards
    DKKDG

  • Yes they are. I followed the directions on setting up the policies with Azure correctly. 

  • Alec, it's tricky setting up an IPsec tunnel between a UTM and Azure.  Let's try the following:

    1. Confirm that Debug is not enabled.
    2. Disable the IPsec Connection.
    3. Start the IPsec Live Log and wait for it to begin to populate.
    4. Enable the IPsec Connection.
    5. Show us about 60 lines from enabling through the error.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If there's any failure in the IPsec log, Alec, it would be after that, but I guess there won't be.

    If you don't get an idea to resolve this issue from The Azure problem, it's time to watch what's going on inside the tunnel.

    First, we need the REF_ of the tunnel:

    cc get_object_by_name ipsec_connection site_to_site 'Dorm-to-Azure'|grep \'ref

    Say that returns REF_IpsSitDormToAzure.  To watch the traffic in the tunnel:

    espdump -n --conn REF_IpsSitDormToAzure -vv

    Any new info from that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am getting this error when running the espdump.

    krohtofw:/home/login # cc get_object_by_name ipsec_connection site_to_site 'Dorm-to-Azure'|grep \'ref
              'ref' => 'REF_IpsSitDormtoazur',
    krohtofw:/home/login # espdump -n --conn REF_IpsSitDormtoazur -vv
    ERROR: no tunnel found for 'REF_IpsSitDormtoazur'
    krohtofw:/home/login # espdump -n --conn REF_IpsSitDormtoazur
    ERROR: no tunnel found for 'REF_IpsSitDormtoazur'
    krohtofw:/home/login #

  • This indicates that there might be an error further on in the log.  Does the 'Site-to-site VPN Tunnel Status' show all IPsec SAs green when you're running the espdump?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA