
Site2Site VPN connection drops

Hello everyone,

for some time now, drops of our Sophos <=> Cisco VPN connection over a Telekom CompanyConnect line have been piling up. Attached is the log of the last drop from this morning. On some days this happens up to 10x spread across the day :-(

//

018:01:05-08:16:10 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe_0" #7936: initiating Main Mode to replace #7934

2018:01:05-08:29:10 utm-pe-mg pluto[5757]: ERROR: asynchronous network error report on eth3 for message to xxxxxxx port 500, complainant xxxxxx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

2018:01:05-08:29:20 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe_0" #7936: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message

2018:01:05-08:29:20 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe_0" #7936: starting keying attempt 26 of an unlimited number

2018:01:05-08:29:20 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe_0" #7937: initiating Main Mode to replace #7936

2018:01:05-08:29:27 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe2_0" #7874: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x20ad50a9) not found (maybe expired)

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: packet from xxxxxxxx:500: ignoring Vendor ID payload [810fa565f8ab14369105d706fbd57279]

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: packet from xxxxxxxxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: packet from xxxxxxxxx:500: received Vendor ID payload [RFC 3947]

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: packet from xxxxxxxxx:500: received Vendor ID payload [Dead Peer Detection]

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: responding to Main Mode

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: ignoring Vendor ID payload [KAME/racoon]

2018:01:05-08:29:28 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: NAT-Traversal: Result using RFC 3947: no NAT detected

2018:01:05-08:29:29 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: Peer ID is ID_IPV4_ADDR: xxxxxxxxx

2018:01:05-08:29:29 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: Dead Peer Detection (RFC 3706) enabled

2018:01:05-08:29:29 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: sent MR3, ISAKMP SA established

2018:01:05-08:29:29 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: ignoring informational payload, type IPSEC_INITIAL_CONTACT

2018:01:05-08:29:30 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7939: responding to Quick Mode

2018:01:05-08:29:30 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7939: IPsec SA established {ESP=>0x0ace0ca0 <0x726b87a5 DPD}

2018:01:05-08:30:40 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7933: DPD: Phase1 state #7933 has been superseded by #7938 - timeout ignored

2018:01:05-08:36:08 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunlemgone_0" #7940: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #7932 {using isakmp#7917}

2018:01:05-08:36:08 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunlemgone_0" #7940: sent QI2, IPsec SA established {ESP=>0x85b885ba <0x2525375b DPD}

 //

Does anyone here have an idea where the error might be??

Many thanks in advance

Michael
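
An added example (not part of the original posts, and not Sophos code): a small Python triage of the pluto log above that groups events by connection name, so it is visible which tunnel times out in IKE Main Mode and which ones re-key normally. The sample lines are copied from the log above; the names `triage` and `failing` are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the log in the post above (peer addresses were already masked there).
SAMPLE_LOG = '''\
2018:01:05-08:29:10 utm-pe-mg pluto[5757]: ERROR: asynchronous network error report on eth3 for message to xxxxxxx port 500, complainant xxxxxx: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
2018:01:05-08:29:20 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe_0" #7936: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
2018:01:05-08:29:20 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunbielefe_0" #7936: starting keying attempt 26 of an unlimited number
2018:01:05-08:29:29 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7938: sent MR3, ISAKMP SA established
2018:01:05-08:29:30 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunddorfne_0" #7939: IPsec SA established {ESP=>0x0ace0ca0 <0x726b87a5 DPD}
2018:01:05-08:36:08 utm-pe-mg pluto[5757]: "S_REF_IpsSitTunlemgone_0" #7940: sent QI2, IPsec SA established {ESP=>0x85b885ba <0x2525375b DPD}
'''

LINE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: (?P<msg>.*)$')
CONN = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
TIMEOUT = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')
ATTEMPT = re.compile(r'starting keying attempt (\d+)')

def triage(log_text):
    """Summarise pluto events per connection name; returns (per_conn, icmp_refused)."""
    per_conn = defaultdict(lambda: dict(ike_timeouts=[], keying_attempt=0, isakmp_up=0, ipsec_up=0))
    icmp_refused = 0
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a pluto log line
        msg = line["msg"]
        if msg.startswith("ERROR:") and "ICMP type 3 code 3" in msg:
            icmp_refused += 1  # ICMP "port unreachable" came back for our IKE packet
            continue
        conn = CONN.match(msg)
        if not conn:
            continue  # message not tied to a named connection (e.g. Vendor ID lines)
        stats, text = per_conn[conn["conn"]], conn["text"]
        if (m := TIMEOUT.search(text)):
            stats["ike_timeouts"].append(m.group(1))  # IKE state we were stuck in
        elif (m := ATTEMPT.search(text)):
            stats["keying_attempt"] = max(stats["keying_attempt"], int(m.group(1)))
        elif "ISAKMP SA established" in text:
            stats["isakmp_up"] += 1  # phase 1 completed
        elif "IPsec SA established" in text:
            stats["ipsec_up"] += 1   # phase 2 completed
    return dict(per_conn), icmp_refused

def failing(per_conn):
    """Connections that timed out in IKE and established no SA within the excerpt."""
    return sorted(c for c, s in per_conn.items()
                  if s["ike_timeouts"] and not (s["isakmp_up"] or s["ipsec_up"]))
```

Calling `failing(triage(SAMPLE_LOG)[0])` on these lines returns only `S_REF_IpsSitTunbielefe_0`; the other two connection names in the excerpt complete their negotiations.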



  • Hello Michael,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    What do you see when you experience these "Abbrüche" - is the tunnel still up but no data passes?

    Regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Yes, the status in the UTM still shows green, but access to a terminal server via RDP drops or tries to reconnect.

    Regards

    Michael

  • That sounds like the anti-replay setting.  You may need to get Sophos Support involved and immediately request escalation.  First, what happens if you disable anti-replay on the Cisco or, if already disabled, you enable it?

    Regards - Bob (Please continue in German.)
