Site 2 Site IPSec VPN - UTM220 to AVM

Hello,

After 3 months of perfect working (9.212-3), our UTM220 decided to stop working on 2 IPsec tunnels with dynamic IP aDSL ISPs.

An update to 9.310-11 doesn't fix it.


..
2015:05:12-01:16:11 asg220 pluto[6296]: packet from ***.***.***.***:500: Informational Exchange is for an unknown (expired?) SA
..
2015:05:12-01:24:27 asg220 pluto[6296]: "S_REF_IpsSitFritzBbInter_0"[8] ***.***.***.***: deleting connection "S_REF_IpsSitFritzBbInter_0"[8] instance with peer ***.***.***.*** {isakmp=#0/ipsec=#0}
2015:05:12-01:24:27 asg220 pluto[6296]: "S_REF_IpsSitFritzAbtHomen_0"[5] ***.***.***.*** #49: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2ae68a64) not found (maybe expired)
2015:05:12-01:24:27 asg220 pluto[6296]: "S_REF_IpsSitFritzBbInter_0"[9] ***.***.***.*** #57: responding to Quick Mode
..
2015:05:12-07:37:24 asg220 pluto[6296]: "S_REF_IpsSitFritzBbInter_0"[327] ***.***.***.*** #472: cannot route -- route already in use for "S_REF_IpsSitFritzBbInter_0"
2015:05:12-07:38:04 asg220 pluto[6296]: "S_REF_IpsSitFritzBbInter_0"[327] ***.***.***.*** #472: max number of retransmissions (2) reached STATE_QUICK_R1
..


@ 1:00am we do the 24h disconnect.

We didn't make any changes on the UTM and AVM Fritzboxes; it looks like the UTM stops flushing the VPN connections and blocks them from renewing.

Only a full restart of the UTM fixes it. [:@]

Some Info:
- UTM220, static IP / no disconnect
- 4 Site2Site IPSec (2 of them static IP, work like a charm)
- 2 aDSL dynamic IP Fritzboxes, FQDN over myfritz.net / 24h disconnect
- 1 aDSL static IP Fritzbox / 24h disconnect
- 1 Cable static IP Fritzbox / no disconnect


Maybe someone can give an approach in the right direction.

Greetings, DBP


  • Hi, DBP, and welcome to the User BB!

    Please show the 30 lines before the one above at 01:16:11.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Just to confirm, you restart the dynamic IP firewall or the static IP firewall ?
  • Hi,

    Just to confirm, you restart the dynamic IP firewall or the static IP firewall ?


    We restart the UTM220 with the static IP; power-cycling the AVM Fritzboxes doesn't help.

    2015:05:12-00:02:20 asg220 pluto[6296]: packet from CABLE.IP:500: received Vendor ID payload [XAUTH]
    
    2015:05:12-00:02:20 asg220 pluto[6296]: packet from CABLE.IP:500: received Vendor ID payload [Dead Peer Detection]
    2015:05:12-00:02:20 asg220 pluto[6296]: "S_REF_IpsSitFritzAbtHomen_0"[1] CABLE.IP #40: responding to Main Mode from unknown peer CABLE.IP
    2015:05:12-00:02:21 asg220 pluto[6296]: "S_REF_IpsSitFritzAbtHomen_0"[1] CABLE.IP #40: Peer ID is ID_IPV4_ADDR: 'CABLE.IP'
    2015:05:12-00:02:21 asg220 pluto[6296]: "S_REF_IpsSitFritzAbtHomen_0"[1] CABLE.IP #40: sent MR3, ISAKMP SA established
    2015:05:12-00:02:21 asg220 pluto[6296]: "S_REF_IpsSitFritzAbtHomen_0"[1] CABLE.IP #41: responding to Quick Mode
    2015:05:12-00:02:21 asg220 pluto[6296]: "S_REF_IpsSitFritzAbtHomen_0"[1] CABLE.IP #41: IPsec SA established {ESP=>0xff163fb9 0x6b44f33b 0x00007f70 0x381aeaef 0x154fd992 0x0000a945 


    I hid the IPs with text.
  • cannot route -- route already in use

    Did someone add a subnet that conflicts with an existing one in the tunnel?

    Cheers - Bob
  • UTM 10.10.0.254

    192.168.174.0/24
    192.168.146.0/24
    192.168.1.0/24
    10.10.10.0/24

    should be fine, I guess?
  • In your place, I would check the IPsec logs to see exactly when this started and then go to the 'Management' screen and check to see what modifications were made at that time.

    Cheers - Bob
  • Hello,

    That's the creepy part of this story: no one did anything, because it worked at this time without any maintenance.

    What I can see is that the UTM starts to write confusing stuff into the log.

    Example:

    2015:05:15-01:06:07 asg220 pluto[6223]: "S_REF_IpsSitFritzHolzg_0"[1] 5.5.5.5 #83: received Vendor ID payload [Dead Peer Detection]

    ^ the 5.5.5.5 IP isn't the right one for the S_REF object


    2015:05:15-01:39:40 asg220 pluto[6223]: "S_REF_IpsSitFritzAbtHomen_0"[4] 6.6.6.6 #91: received Delete SA payload: deleting ISAKMP State #90

    ^ 6.6.6.6 is normally for the S_REF_IpsSitFritzHolzg_0 object

    OK, I'm not trained to read the log, but this looks not correct; for your German training: nicht in Ordnung (not in order) [;)]
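An added example, not code from the thread or from Sophos: a small Python pass over pluto log lines that maps each S_REF connection name to the peer addresses it is logged with and counts the error messages quoted in this thread, so the mismatch DBP describes (one address appearing under two objects) and the "cannot route" and retransmission errors can be spotted without reading the log by hand. The log lines and peer addresses are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed pluto lines modelled on the thread (documentation IPs, not the real peers).
SAMPLE_LOG = """\
2015:05:15-01:06:07 asg220 pluto[6223]: "S_REF_IpsSitFritzHolzg_0"[1] 203.0.113.5 #83: received Vendor ID payload [Dead Peer Detection]
2015:05:15-01:06:08 asg220 pluto[6223]: "S_REF_IpsSitFritzHolzg_0"[1] 203.0.113.5 #83: sent MR3, ISAKMP SA established
2015:05:15-01:16:11 asg220 pluto[6223]: packet from 203.0.113.6:500: Informational Exchange is for an unknown (expired?) SA
2015:05:15-01:39:40 asg220 pluto[6223]: "S_REF_IpsSitFritzAbtHomen_0"[4] 203.0.113.5 #91: received Delete SA payload: deleting ISAKMP State #90
2015:05:15-01:40:02 asg220 pluto[6223]: "S_REF_IpsSitFritzAbtHomen_0"[5] 203.0.113.6 #92: responding to Quick Mode
2015:05:15-07:37:24 asg220 pluto[6223]: "S_REF_IpsSitFritzHolzg_0"[327] 203.0.113.5 #472: cannot route -- route already in use for "S_REF_IpsSitFritzHolzg_0"
2015:05:15-07:38:04 asg220 pluto[6223]: "S_REF_IpsSitFritzHolzg_0"[327] 203.0.113.5 #472: max number of retransmissions (2) reached STATE_QUICK_R1
"""

# Line shape: timestamp host pluto[pid]: ["conn"[instance] peer[:] [#state:]] message
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[^\s:]+):? (?:#\d+: )?)?(?P<msg>.*)$'
)

# Message fragments that recur in the failing-tunnel logs quoted in the thread.
SYMPTOMS = {
    "unknown_sa": "Informational Exchange is for an unknown",
    "route_in_use": "cannot route -- route already in use",
    "retransmit_limit": "max number of retransmissions",
    "delete_not_found": "ignoring Delete SA payload",
}

def analyze(log_text):
    """Map connection names <-> peer addresses and count symptom messages."""
    peers_by_conn, conns_by_peer = defaultdict(set), defaultdict(set)
    symptoms = {key: 0 for key in SYMPTOMS}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto line in the expected shape
        conn, peer, msg = m.group("conn"), m.group("peer"), m.group("msg")
        if conn and peer:
            peers_by_conn[conn].add(peer)
            conns_by_peer[peer].add(conn)
        for key, needle in SYMPTOMS.items():
            if needle in msg:
                symptoms[key] += 1
    return {
        # One S_REF object seen with several peer addresses (dynamic IP churn or a mix-up).
        "conn_with_multiple_peers": {c: sorted(p) for c, p in peers_by_conn.items() if len(p) > 1},
        # One peer address logged under several S_REF objects: the mismatch DBP describes.
        "peer_under_multiple_conns": {p: sorted(c) for p, c in conns_by_peer.items() if len(c) > 1},
        "symptoms": symptoms,
    }
```

Run it on the real IPsec log export (for example `analyze(open("ipsec.log").read())`) and compare the peer-to-connection mapping with the expected remote addresses of each tunnel.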
  • I agree - something is not in order.

    I don't suspect changes in the definitions of the IPsec tunnels. I suspect other changes that caused a conflict with the IPsec tunnels.

    It's probably time to get Sophos Support involved.

    Cheers - Bob