This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN going down - No route to host

We have a site to site VPN set up between two of our sites. Both sites are using UTMs. The VPN has worked perfectly for months. No changes have been made.

In the last couple of weeks the VPN has dropped four times for less than a minute. The error logged is:
/var/log/ipsec.log:2019:08:12-00:38:12 perimeter1-1 pluto[7754]: ERROR: asynchronous network error report on eth6 for message to 10.10.39.7 port 500, complainant 10.10.39.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

Our ISP hasn't found anything, but I don't trust them.

Can anyone tell me what's going on?

This thread was automatically locked due to age.

Parents

0 BAlfson over 4 years ago

I'm confused, Steve - do you have 10. public IPs? Is this site-to-site or Remote Access?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 SteveHart over 4 years ago in reply to BAlfson

It's site-to-site over an internal circuit.

We have a customer that required everything to be encrypted even though it's on our private LAN.
Cancel
Vote Up 0 Vote Down

Cancel
0 piddae over 4 years ago in reply to SteveHart

Has there been a carrier protocol change? From ipV4 to CGNAT?
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to SteveHart

And there's only an Ethernet cable connecting the two VPN endpoints - no other devices in between?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 SteveHart over 4 years ago in reply to BAlfson

Each UTM is directly connected via Ethernet to a Comcast router. The routers are connected via private fiber.
Cancel
Vote Up 0 Vote Down

Cancel
0 piddae over 4 years ago in reply to SteveHart

Do you have a fixed IPV4 Adress on both sides or ipv6 and ipv4 is tunneld over ipv6? Must be visible on the routers. I dont understand the meaning of "It's site-to-site over an internal circuit".
Cancel
Vote Up 0 Vote Down

Cancel
0 piddae over 4 years ago in reply to piddae

Dead Pear Detetction acitvated?
Cancel
Vote Up 0 Vote Down

Cancel
0 piddae over 4 years ago in reply to piddae

nat tarversal and keep alive settings?
Cancel
Vote Up 0 Vote Down

Cancel
0 piddae over 4 years ago in reply to piddae

Helpfull would be a complete ipsec logging on both sides to see whats going around before vpn goes down.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to SteveHart

I guess I would suspect one of the two Comcast Routers, Steve.

This is just a WAG, but you might try increasing the UDP timeout in both UTMs from 30 to 60:

cc set packetfilter timeouts ip_conntrack_udp_timeout 45

What does Sophos Support have to say about this?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 4 years ago in reply to SteveHart

I guess I would suspect one of the two Comcast Routers, Steve.

This is just a WAG, but you might try increasing the UDP timeout in both UTMs from 30 to 60:

cc set packetfilter timeouts ip_conntrack_udp_timeout 45

What does Sophos Support have to say about this?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data