Problem with UTM 9 connection to Azure

Hi All,

We have UTM 9 and the firmware version is 9.603-1. We have established a VPN connection to Azure. We already have one other connection to our branch. We could not find the reason, but it starts to give duplicate message problems and then the connection to Azure drops. It happens every 2-4 days.

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 168.63.44.99:500

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet)

2019:07:10-15:18:45 utm pluto[6401]: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to *:500

If the VPN is working, there is no error message and everything is working fine.

We are using policy-based routing, and when we tried to connect to Azure with a route-based policy we could not connect to Azure. Microsoft says that route-based policies are much more stable compared to policy-based routing.

Can somebody suggest some resolution for this ? Thanks in advance.

Sedat EU 

  • Hi  

    Did you find anything in the logs from Azure? Also, it will require more logs to analyze this issue. Can you please share logs starting a minute or two before the issue happened? That will throw some more light on the issue.

  • Hi Sedat,

    Unfortunately, route-based is not compatible with the UTM and there aren't any workarounds (as it will also need IKEv2).

    It looks like you may have a misconfiguration in the key lifetimes, have you confirmed all the settings? If you want to post your config, that would be helpful.

    Emile

  • In reply to EmileBelcourt:

    And the logs: it starts with duplicate messages and after 1-2 minutes it drops the session and needs a restart to reconnect, or a restart of the connection.


    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: responding to Main Mode

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Peer ID is ID_IPV4_ADDR: 'AzureWANIP'

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sent MR3, ISAKMP SA established

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16

    2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_ID_INFORMATION to AzureWANIP:500

    2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #139 {using isakmp#140}

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: sent QI2, IPsec SA established {ESP=>0x10b00906 <0x5a762f83}

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)

    2019:07:07-05:05:35 utm pluto[6401]: "S_REF_IpsSitAzure_0" #141: sending encrypted notification INVALID_PAYLOAD_TYPE to AzureWANIP:500

    2019:07:07-05:05:37 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:37 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:44 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:44 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:05:59 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:05:59 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:14 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:14 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: received Delete SA payload: replace IPSEC State #141 in 10 seconds

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [RFC 3947]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [FRAGMENTATION]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [Vid-Initial-Contact]

    2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: ignoring Vendor ID payload [IKE CGA version 1]

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: responding to Main Mode

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: received Delete SA payload: deleting ISAKMP State #140

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Peer ID is ID_IPV4_ADDR: 'AzureWANIP'

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sent MR3, ISAKMP SA established

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16

    2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_ID_INFORMATION to AzureWANIP:500

    2019:07:07-05:06:30 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:30 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:31 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:31 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)

    2019:07:07-05:06:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #142: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500

    2019:07:07-05:06:39 utm pluto[6401]: "S_REF_IpsSitAzure_0" #143: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #141 {using isakmp#142}

    2019:07:07-05:06:39 utm pluto[6401]: "S_REF_IpsSitAzure_0" #143: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
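An added example, not code from the thread or from Sophos, that parses pluto log lines in the format quoted above and, per ISAKMP SA, records the traffic selectors the UTM rejected ("no connection is known for ..."), counts the INVALID_MESSAGE_ID notifications it sent back, and flags the SAs that show the sequence preceding the drop. The sample log is constructed from the lines in the post; LocalWANIP and AzureWANIP are the poster's placeholders, and the threshold value is an assumption.

```python
import re

# Constructed sample, modelled on the pluto log format quoted in the thread
# (the LocalWANIP / AzureWANIP placeholders are kept as the poster wrote them).
SAMPLE_LOG = """\
2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sent MR3, ISAKMP SA established
2019:07:07-05:05:32 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: cannot respond to IPsec SA request because no connection is known for 192.168.0.0/16===LocalWANIP[LocalWANIP]...AzureWANIP[AzureWANIP]===10.4.0.0/16
2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:07-05:05:33 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500
2019:07:07-05:05:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:07-05:05:34 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: sending encrypted notification INVALID_MESSAGE_ID to AzureWANIP:500
2019:07:07-05:06:29 utm pluto[6401]: packet from AzureWANIP:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
2019:07:07-05:06:29 utm pluto[6401]: "S_REF_IpsSitAzure_0" #140: received Delete SA payload: deleting ISAKMP State #140
"""

# A pluto line that carries an ISAKMP state number (#NNN); vendor-ID lines do not and are skipped.
LINE_RE = re.compile(r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# Traffic selectors the peer proposed and the UTM had no matching connection for.
SELECTOR_RE = re.compile(r'no connection is known for (?P<local>\S+?)===.*?===(?P<remote>\S+)$')


def parse_pluto(text):
    """Yield (timestamp, connection, sa_number, message) for every line with an SA number."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m['ts'], m['conn'], int(m['sa']), m['msg']


def analyse(text):
    """Per ISAKMP SA: rejected selector pairs, INVALID_MESSAGE_ID notifications sent, deletion."""
    report = {}
    for ts, conn, sa, msg in parse_pluto(text):
        e = report.setdefault(sa, {'conn': conn, 'first_seen': ts, 'rejected_selectors': [],
                                   'invalid_msgid': 0, 'deleted': False})
        sel = SELECTOR_RE.search(msg)
        if sel:
            e['rejected_selectors'].append((sel['local'], sel['remote']))
        if 'notification INVALID_MESSAGE_ID' in msg:
            e['invalid_msgid'] += 1
        if 'deleting ISAKMP State' in msg:
            e['deleted'] = True
    return report


def suspicious(report, threshold=2):
    """SAs that rejected the peer's selectors and then answered repeated Quick Mode retries
    with INVALID_MESSAGE_ID: the sequence the thread shows just before the tunnel drops.
    The threshold is an assumed value, not one from the thread."""
    return sorted(sa for sa, e in report.items()
                  if e['rejected_selectors'] and e['invalid_msgid'] >= threshold)
```

The rejected selector pair is what to compare against the local and remote networks defined on the UTM connection and the address spaces configured on the Azure side.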

  • Hi Sedat and welcome to the UTM Community!

    Is the UTM behind a NAT?

    Cheers - Bob

  • In reply to BAlfson:

    Nope, Sophos is connecting directly to the internet and the other side is an Azure Virtual Network Gateway with a policy-based connection.

    Thanks

  • In reply to Sedat EKSI:

    This could work.

    Just to be sure, I talked about this in the context of XG in this thread.

    https://community.sophos.com/products/xg-firewall/f/vpn/113212/anyone-has-experience-on-vpn-ipsec-site-to-site-beetwen-xg-17-x-and-azure/405616

    Maybe this KBA needs an update: https://community.sophos.com/kb/en-us/126995

    Could you take a look?

  • In reply to LuCar Toni:

    Hi All,

    Thanks for all your support. I want to say some important things, as I see them.

    1. The connection establishes and works for at least 2 days without problems. Minimum 3 days up to now. So key exchanges are working properly, maximum 27000 seconds as you can see in the configuration screenshot.

    2. Route-based VPN is not supported by UTM as far as I know. It is not written in any official document; actually I could not find the reverse either, but we tried and there was no log about an error; UTM says it is going to connect, and after some trials (like 20, I guess) it leaves the connection, but there is no real explanation of which stage the problem is in.

    3. UTM is not listed in Microsoft's supported VPN device list.

    Sophos is very responsive; they are also taking care of the case. Meanwhile any support is welcome, and thanks again.

    Regards

    Sedat

  • In reply to Sedat EKSI:

    Let's take a step back.

    UTM does not support route-based VPN "on the UTM side".

    Route-based VPN and policy-based VPN are techniques to route your VPN on your device. It has literally no impact on the other side of the VPN tunnel.

    So basically you could connect a route-based VPN gateway to a UTM (policy-based) and it would work perfectly.

    It is important to understand that the IPsec SAs have to be built up, and then the traffic will be routed.


    Azure now has some kind of limitation.

    So basically if you want to use route-based VPN in Azure, you have to use IKEv2, which is not supported by UTM. So you have to use the policy-based VPN method on the Azure side to build up a tunnel, because policy-based supports IKEv1.


    Route-based VPN does not have only advantages. You would create an interface for each tunnel.

    Take a look at the bigger deployments of route-based VPNs with X.000 tunnels.

  • In reply to LuCar Toni:

    Lucar, you have been a very good help again. I see you are very active everywhere.

    I did not want to say UTM does not support route-based VPN. I was talking about the limitation in my case, where I am trying to connect Sophos and Azure with basic VPN functionality.

    I will search for X.000 tunnels; I haven't used that for many years.