IPSec issue since upgrading to 9.304

So I upgraded to 9.304-9 over the weekend and since then, four of my IPSec tunnels are flapping at random. 

I opened a ticket and apparently I am the second client to have this issue since upgrading.  

The issue is this:

The tunnels are up but cannot make the round trip from UTM to UTM.

As the ticket gets worked I'll be sure to update you guys.


  • Haven't seen that (we have not recommended any of our clients upgrade to 9.304 in production yet), but in testing have found that XAUTH for IPSEC appears to be broken as well... getting some weird log entries on that... I have a case opened with Sophos Support on that issue.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • Sophos told me to upgrade when I was experiencing an issue with email. 

    ggrrrrr......
  • Actually have found that remote access IPSEC is now completely flaky... not working with XAUTH turned off either... might have something to do with the system running HA.. I guess...

    CTO, Convergent Information Security Solutions, LLC

  • No problem here with 5 IPSec tunnels to SonicWall and 1 to SG 125, both on 9.304 firmware. No HA though.
  • Out of 26 sites 23 are HA and 3 are clustered.
  • That may be the issue -- our test setup is flaky (now it sometimes works, sometimes it doesn't), and it's an HA setup... getting weird messages in the logs that I'm not used to seeing for IPSEC.

    CTO, Convergent Information Security Solutions, LLC

  • Just an update on the issue I was seeing --- I did some troubleshooting on my own, found that the issue was a problem with Sophos UTM Wireless Protection (AP10 in this case, configured wlan as a Separate Zone) passing IPSEC traffic correctly, so really a Wireless issue (introduced by a 9.304 update too).  The VPN connection I use works just fine from other wifi or tethered 3g/4g connections.

    CTO, Convergent Information Security Solutions, LLC

  • JShakour, check out update 9.305 that was just released; there's a mention of a fix for incorrect IPSEC "package" routing in Cluster setups.  Not sure if this applies to your case.

    CTO, Convergent Information Security Solutions, LLC

  • Got the same issue; since upgrading I've not been able to connect.

    Out of the three UTMs we have, only one has been offered the latest patch; might manually push it to the others and see what happens...
  • Nope. Still not working.

    PPTP / L2TP using Cert working fine.

    Version of UTM now:

    Firmware version:       9.305-4
    Pattern version: 72157

    2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: received Vendor ID payload [XAUTH]
    2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: ignoring Vendor ID payload [Cisco-Unity]
    2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: ignoring Vendor ID payload [FRAGMENTATION 80000000]
    2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: received Vendor ID payload [Dead Peer Detection]
    2014:12:17-20:07:01 UTM pluto[6749]: "D_for Active Directory Users to Any-0"[2] MOB-IP:8683 #2: responding to Main Mode from unknown peer MOB-IP:8683
    2014:12:17-20:07:02 UTM pluto[6749]: "D_for Active Directory Users to Any-0"[2] MOB-IP:8683 #2: NAT-Traversal: Result using RFC 3947: peer is NATed
    2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: ISAKMP version of ISAKMP Message has an unknown value: 145
    2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: sending notification INVALID_MAJOR_VERSION to MOB-IP:60659
    2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: ISAKMP version of ISAKMP Message has an unknown value: 145
    2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: sending notification INVALID_MAJOR_VERSION to MOB-IP:60659
    2014:12:17-20:07:32 UTM pluto[6749]: ERROR: asynchronous network error report on ppp0 for message to MOB-IP port 8683, complainant MOB-IP: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
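As an added example (not code from this thread, from Sophos, or from the pluto project), the following Python script runs a small triage pass over the pluto lines quoted in the post above. It parses each line, tracks which UDP source ports a peer has been seen from, notes whether NAT-T declared the peer NATed, decodes the rejected ISAKMP version octet into its major/minor nibbles (the octet layout is from RFC 2408; IKEv1 is 0x10 and IKEv2 is 0x20), and picks out the ICMP port-unreachable report. The sample log is the poster's own excerpt, with the poster's `MOB-IP` redaction kept as-is; the wording of the findings is my reading of those lines, not an official interpretation.

```python
"""Triage helper for Sophos UTM / pluto IKE log lines (added example, not Sophos code)."""
import re
from collections import defaultdict

# Constructed sample: the pluto excerpt posted above, MOB-IP kept as the poster redacted it.
SAMPLE_LOG = """\
2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: received Vendor ID payload [XAUTH]
2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: ignoring Vendor ID payload [Cisco-Unity]
2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: ignoring Vendor ID payload [FRAGMENTATION 80000000]
2014:12:17-20:07:01 UTM pluto[6749]: packet from MOB-IP:8683: received Vendor ID payload [Dead Peer Detection]
2014:12:17-20:07:01 UTM pluto[6749]: "D_for Active Directory Users to Any-0"[2] MOB-IP:8683 #2: responding to Main Mode from unknown peer MOB-IP:8683
2014:12:17-20:07:02 UTM pluto[6749]: "D_for Active Directory Users to Any-0"[2] MOB-IP:8683 #2: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: ISAKMP version of ISAKMP Message has an unknown value: 145
2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: sending notification INVALID_MAJOR_VERSION to MOB-IP:60659
2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: ISAKMP version of ISAKMP Message has an unknown value: 145
2014:12:17-20:07:12 UTM pluto[6749]: packet from MOB-IP:60659: sending notification INVALID_MAJOR_VERSION to MOB-IP:60659
2014:12:17-20:07:32 UTM pluto[6749]: ERROR: asynchronous network error report on ppp0 for message to MOB-IP port 8683, complainant MOB-IP: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
"""

# Line shapes seen in the excerpt: timestamp/host/pluto[pid] prefix, "packet from ip:port:",
# the quoted-connection form '"name"[n] ip:port #n:', and the asynchronous ICMP error report.
RE_LINE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: (?P<msg>.*)$')
RE_PACKET = re.compile(r'^packet from (?P<ip>\S+):(?P<port>\d+): (?P<rest>.*)$')
RE_CONN = re.compile(r'^"[^"]*"\[\d+\] (?P<ip>\S+):(?P<port>\d+) #\d+: (?P<rest>.*)$')
RE_BADVER = re.compile(r'ISAKMP version of ISAKMP Message has an unknown value: (?P<val>\d+)')
RE_ICMP = re.compile(
    r'asynchronous network error report on (?P<ifname>\S+) for message to (?P<ip>\S+) '
    r'port (?P<port>\d+), complainant \S+: .*?\[errno (?P<errno>\d+), '
    r'origin ICMP type (?P<type>\d+) code (?P<code>\d+)')


def decode_isakmp_version(value):
    """Split the ISAKMP header version octet into (major, minor) nibbles (RFC 2408 section 3.1)."""
    return (value >> 4) & 0xF, value & 0xF


def analyze(log_text):
    """Return per-peer state, ICMP reports and human-readable findings for a pluto log excerpt."""
    peers = defaultdict(lambda: {"ports": set(), "nated": False,
                                 "invalid_version": 0, "bad_values": set()})
    icmp = []
    for raw in log_text.splitlines():
        m = RE_LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        pm = RE_PACKET.match(msg) or RE_CONN.match(msg)
        if pm:
            p = peers[pm.group("ip")]
            p["ports"].add(int(pm.group("port")))
            rest = pm.group("rest")
            if "peer is NATed" in rest:
                p["nated"] = True
            bv = RE_BADVER.search(rest)
            if bv:
                p["invalid_version"] += 1
                p["bad_values"].add(int(bv.group("val")))
            continue
        im = RE_ICMP.search(msg)
        if im:
            icmp.append({"ifname": im.group("ifname"), "ip": im.group("ip"),
                         "port": int(im.group("port")), "type": int(im.group("type")),
                         "code": int(im.group("code"))})

    findings = []
    for ip, p in peers.items():
        if p["nated"] and len(p["ports"]) > 1:
            findings.append(f"{ip}: NATed peer seen from {len(p['ports'])} source ports "
                            f"{sorted(p['ports'])}; the NAT binding changed mid-exchange or a "
                            f"second socket on the client is sending to the IKE port")
        for v in sorted(p["bad_values"]):
            major, minor = decode_isakmp_version(v)
            findings.append(f"{ip}: {p['invalid_version']} packet(s) with ISAKMP version octet "
                            f"0x{v:02x} (major {major}, minor {minor}); neither IKEv1 (0x10) nor "
                            f"IKEv2 (0x20), so these are not IKE messages at all")
    for e in icmp:
        if e["type"] == 3 and e["code"] == 3:  # ICMP destination unreachable, port unreachable
            findings.append(f"{e['ip']}: ICMP port unreachable for our reply to UDP/{e['port']} "
                            f"on {e['ifname']}; the peer (or its NAT) no longer accepts traffic "
                            f"on the port the exchange started from")
    return {"peers": dict(peers), "icmp": icmp, "findings": findings}


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```

Run as-is it prints three findings for the excerpt: the peer was declared NATed and then showed up from a second source port, the packets from that second port carry a version octet of 0x91 (not IKE), and the client itself answered the UTM's retransmission with port unreachable. Pointing the script at a longer pluto log (one line per `packet from` / connection event) gives the same per-peer summary, which is the quickest way to tell a real IKE negotiation failure from stray non-IKE traffic hitting UDP/500.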