We have a site-to-site VPN set up between two of our sites. Both sites are using UTMs. The VPN has worked perfectly for months. No changes have been made. In the last couple of weeks the VPN has dropped four times for less than a minute. The error logged is:
/var/log/ipsec.log:2019:08:12-00:38:12 perimeter1-1 pluto: ERROR: asynchronous network error report on eth6 for message to 10.10.39.7 port 500, complainant 10.10.39.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Our ISP hasn't found anything, but I don't trust them. Can anyone tell me what's going on?
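For anyone triaging the same pluto message, the following is an added example (not from the original poster, Sophos, or the UTM's own tooling) that parses these "asynchronous network error report" lines out of ipsec.log, decodes the ICMP type/code, and groups repeated reports into outage windows so the four drops stand out from other noise. The sample log lines are constructed, modelled on the one quoted above; only the first line's values come from the post. The key thing the decode shows is that the "complainant" is the router that originated the ICMP unreachable, so when it is the directly attached next hop, that device (not the far UTM) is the one that lost its route; pluto's own "(not authenticated)" tag is a reminder that ICMP errors carry no authentication, so a complainant that is not a known hop on the path deserves suspicion rather than trust.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/ipsec.log content. Line 1 is the one quoted in the
# post; the others are invented to show grouping and a non-matching line being skipped.
SAMPLE_LOG = """\
2019:08:12-00:38:12 perimeter1-1 pluto: ERROR: asynchronous network error report on eth6 for message to 10.10.39.7 port 500, complainant 10.10.39.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
2019:08:12-00:38:14 perimeter1-1 pluto: ERROR: asynchronous network error report on eth6 for message to 10.10.39.7 port 4500, complainant 10.10.39.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
2019:08:12-00:38:20 perimeter1-1 pluto: (constructed unrelated line, should be ignored by the parser)
2019:08:19-03:12:05 perimeter1-1 pluto: ERROR: asynchronous network error report on eth6 for message to 10.10.39.7 port 500, complainant 10.10.39.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
2019:08:19-03:12:40 perimeter1-1 pluto: ERROR: asynchronous network error report on eth6 for message to 10.10.39.7 port 4500, complainant 10.10.39.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
"""

# Regex built from the message format quoted in the post (assumed stable across lines).
PLUTO_NET_ERROR = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) pluto: ERROR: "
    r"asynchronous network error report on (?P<iface>\S+) for message to "
    r"(?P<peer>[\d.]+) port (?P<port>\d+), complainant (?P<complainant>[\d.]+): "
    r"(?P<reason>.+?) \[errno (?P<errno>\d+), origin ICMP type (?P<icmp_type>\d+) "
    r"code (?P<icmp_code>\d+)"
)

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812.
ICMP_UNREACH_CODES = {
    0: "network unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
    6: "destination network unknown", 7: "destination host unknown",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_pluto_error(line):
    """Return a dict of fields for a pluto network-error line, or None if it is not one."""
    m = PLUTO_NET_ERROR.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": datetime.strptime(d["ts"], "%Y:%m:%d-%H:%M:%S"),
        "host": d["host"], "iface": d["iface"], "peer": d["peer"],
        "port": int(d["port"]), "complainant": d["complainant"],
        "reason": d["reason"], "errno": int(d["errno"]),
        "icmp_type": int(d["icmp_type"]), "icmp_code": int(d["icmp_code"]),
    }


def describe_icmp(event):
    """Human-readable meaning of the ICMP type/code that pluto quoted."""
    if event["icmp_type"] == 3:
        code_text = ICMP_UNREACH_CODES.get(event["icmp_code"], f"code {event['icmp_code']}")
        return "destination unreachable: " + code_text
    return f"ICMP type {event['icmp_type']} code {event['icmp_code']}"


def summarize(lines, window=timedelta(minutes=5)):
    """Group error reports into outages: reports for the same peer closer than `window`
    are merged, so each brief VPN drop becomes one record with its ports and complainants."""
    events = [e for e in (parse_pluto_error(l) for l in lines) if e]
    outages = []
    for e in sorted(events, key=lambda x: x["time"]):
        last = outages[-1] if outages else None
        if last and last["peer"] == e["peer"] and e["time"] - last["last"] <= window:
            last["last"] = e["time"]
            last["count"] += 1
            last["ports"].add(e["port"])
            last["complainants"].add(e["complainant"])
        else:
            outages.append({
                "peer": e["peer"], "first": e["time"], "last": e["time"], "count": 1,
                "ports": {e["port"]}, "complainants": {e["complainant"]},
                "icmp": describe_icmp(e),
            })
    return outages


if __name__ == "__main__":
    for o in summarize(SAMPLE_LOG.splitlines()):
        print(f"{o['first']} .. {o['last']}  peer={o['peer']}  reports={o['count']}  "
              f"ports={sorted(o['ports'])}  complainants={sorted(o['complainants'])}  "
              f"({o['icmp']})")
```

Run it against a real file with `summarize(open("/var/log/ipsec.log").read().splitlines())`; if every outage lists the same next-hop address as complainant, the route loss is being reported by that router, which is where to pull logs next.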
This can be due to either a routing conflict for the Peer IP of IPSec tunnel or if there's any DNAT configured for the Port 500 or 4500 for the WAN IP on which IPSec tunnel is configured.
In reply to Jaydeep:
There are no manual routing entries or NAT involved on either end.
I'm confused, Steve - do you have 10. public IPs? Is this site-to-site or Remote Access?
Cheers - Bob
In reply to BAlfson:
It's site-to-site over an internal circuit. We have a customer that required everything to be encrypted even though it's on our private LAN.
In reply to SteveHart:
Has there been a carrier protocol change? From IPv4 to CGNAT?
And there's only an Ethernet cable connecting the two VPN endpoints - no other devices in between?
Each UTM is directly connected via Ethernet to a Comcast router. The routers are connected via private fiber.
Do you have a fixed IPv4 address on both sides, or IPv6 with IPv4 tunneled over IPv6? Must be visible on the routers. I don't understand the meaning of "It's site-to-site over an internal circuit".
In reply to piddae:
Dead Peer Detection activated?
NAT traversal and keep alive settings?
Helpful would be complete IPsec logging on both sides to see what's going on before the VPN goes down.
I guess I would suspect one of the two Comcast Routers, Steve.
This is just a WAG, but you might try increasing the UDP timeout in both UTMs from 30 to 60:
cc set packetfilter timeouts ip_conntrack_udp_timeout 45
What does Sophos Support have to say about this?