Sophos UTM VPN "malformed payload in packet"

Question

Hi Guys, 
 
 I have a site to site IPSEC VPN between two Sophos UTM, both on version 9.700-5. This VPN has more than one year and has been running good, stable, fine, until last night when out of the sudden, it came down. I have not touched in any form, any of these two devices lately (not even logged on them). 
 Sophos A - this is the remote device. i now have only ssh access on it. 
 Sophos B - the local device on which i have full access. 
 When the problem appeared, it seems Sophos A does not respond to the user portal anymore. I can ssh into it on the wan interface but i cannot access its gui because it is bounded to the LAN interface, or so i remember. 
 Checking the VPN logs on Sophos B, i see: 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #238: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #238: starting keying attempt 195 of an unlimited number 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: initiating Main Mode to replace #238 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: received Vendor ID payload [strongSwan] 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: ignoring Vendor ID payload [Cisco-Unity] 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: received Vendor ID payload [XAUTH] 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: received Vendor ID payload [Dead Peer Detection] 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: received Vendor ID payload [RFC 3947] 
 2020:02:13-08:41:39 robfw1 pluto[10114]: "S_VPN-BUC" #239: enabling possible NAT-traversal with method 3 
 2020:02:13-08:41:40 robfw1 pluto[10114]: "S_VPN-BUC" #239: NAT-Traversal: Result using RFC 3947: no NAT detected 
 2020:02:13-08:41:40 robfw1 pluto[10114]: "S_VPN-BUC" #239: next payload type of ISAKMP Hash Payload has an unknown value: 119 
 2020:02:13-08:41:40 robfw1 pluto[10114]: "S_VPN-BUC" #239: malformed payload in packet 
 2020:02:13-08:41:50 robfw1 pluto[10114]: "S_VPN-BUC" #239: discarding duplicate packet; already STATE_MAIN_I3 
 2020:02:13-08:41:50 robfw1 pluto[10114]: "S_VPN-BUC" #239: next payload type of ISAKMP Hash Payload has an unknown value: 149 
 2020:02:13-08:41:50 robfw1 pluto[10114]: "S_VPN-BUC" #239: malformed payload in packet 
 2020:02:13-08:42:10 robfw1 pluto[10114]: "S_VPN-BUC" #239: discarding duplicate packet; already STATE_MAIN_I3 
 2020:02:13-08:42:10 robfw1 pluto[10114]: "S_VPN-BUC" #239: next payload type of ISAKMP Hash Payload has an unknown value: 181 
 2020:02:13-08:42:10 robfw1 pluto[10114]: "S_VPN-BUC" #239: malformed payload in packet 
 
 What i did: 
 - i thought maybe somehow the password has a problem (following other similar threads), but i compared the password from the remote gateway on Sophos A (from cli) with the one from Sophos B and they match. 
 - i rebooted both devices - no fix 
 - i disabled DPD and NAT-T on Sophos B -no fix 
 - modified MTU from 1500 to 1380 on Sophos B - no fix 
 - reverted all the above to initial config - no fix 
 
 I believe the problem is on Sophos A, but i don't know how to tshoot it. 
 
 Guys, any ideea? 
 
 Thx, 
 Radu

panicos · Accepted Answer

Later on, i managed to connect to the Sophos A device via l2tp and thus i was able to access the Webadmin and saw there that my Home License expired, thus disabling most of the features. Renewed it and now all is good.
How could i had seen this problem from the cli? In which logs should've i checked this?