i run several ipsec tunnel for years without any problems... all runs fine with 9.355-1
since the update to 9.402-7 all ipsec tunnels are down every morning.
i checked the ipsec-logs and found out that after my dsl-lines reconnect the tunnels will not come up again.
i have to turn them off and on and then all works....
anyone can help?
I spend several hours to the same problem
Site 1: SG135 Appliance 9.402-7 (initiate connection)
Site 2: UTM120 Appliance 9.402-7 (listen)
Same Problem, Site-to-Site IPSec works with 9.355-1 and is broken every morning after DSL reconnect since update to 9.402-7
Update to 9.402-7 was scheduled to night of 2016/05/11 to both appliances, one on 3:00 the second on 4:00 and since this update the VPN tunnel fails to come up again after reconnect DSL line.
It's not 100% possible to bring up the tunnel again with manunal switch off and on again the IPSec connection.
Sometimes it helps to stop/start the IPSec connection, but sometimes it works, somtimes I have to reconnect 1-5 times and sometimes the connection doesn't come up again after 10 tries
My way to bring back the tunnel: restart UTM every morning before working hours ...
You can force the problem if you do a "reconnect" on the Interface (for me: ETH1 ADSL with static IP) which uses the IPSec Site-to-Site connection. After a reconnect the VPN tunnel stays down
Workaround for me since serveral debug tries with the log file entries show no solutions for me:
Site 1: go back to 9.355-1 (download 9.355-1 ISO , new install and use a backup .abf to get to the former state)
Since this rollback to 9.355-1 the IPSec Site-to-Site VPN tunnel works with no problems like the years before
any help?
Hi,
Please post IPsec logs.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Here are some logs from my life production system:
i have pressed "reconnect" on a dsl line (DSL16K_1). got 2 IPSEC Tunnels on this interface (S_VPN_EC and S_VPN_UHAB). both going down and will not come up again.
only way to get them up again:
shut down ALL IPSEC-Tunnels and get them on again (also the ones not on the reconnecting interface) or to turn some debug on and off (which results in an ipsec restart i think...
hope that helps you to find the error...
greets
zaphod
___________________________________________
Home: Zotac CI321 (8GB RAM / 120GB SSD) with latest Sophos UTM
Work: 2 SG430 Cluster / many other models like SG105/SG115/SG135/SG135w/...
Same Problem here with two UTMs and two VDSL lines, one might be an ADSL.
Are you guys using a Zyxel router as your VDSL Modem? A customer mentioned an forum post were this was an issue with the modem firmware and the new utm update. I couldnt update the Zyxel Modem yet to test.
I changed the s2s tunnel from PSK to Cert, that didn't help either, the customer said the only way to bring the tunnel up is to reboot the UTM in HQ were the VDSL line is.
Both sides are working through an dyndns account and do not have static IPs as far as I know
The logs are kinda quiet, not a lot going on in my opinion?!
HQ:
------------------------------------------------------------------------------------
Remote site:
Are you guys use multipathing? I can only bring the tunnel back up when I reboot the UTM in HQ, that UTM has two Uplinks, one ADSL and one VDSL, the VDSL is used for the ipsec and has an dynamic IP (Telekom DSL)
psec_starter[13631]: no default route - cannot cope with %defaultroute!!!
https://community.sophos.com/products/unified-threat-management/f/58/p/77077/297383#297383
I also use multipathing. I have a 30 day trial SG135 which is used as my productive system and my old UTM120 which is used as testsystem to try the 9.403, so I can try some configs.
Ext. Interface - Telekom ADSL, static IP (used for IPsec site2site vpn)
Ext. Interface1 - 2. Telekom ADSL, static IP
Ext. Interface2 - m-net ADSL, dynamic IP
I tried to config it like described in the Sophos knowledgbase ID 118975
https://www.sophos.com/de-de/support/knowledgebase/118975.aspx
I have only a 1:1 IPsec connection, but I tried not to use my Ext. Interface but the Uplink Interfaces and added a multipath rule on top: BranchOfficeNetwork --> Any Service --> MyInternal Network --> by connection -- Balanced to: Uplink Interfaces
--> It also worked - until I did a "reconnect" on my Ext.Interface
The only way to bring the tunnel back without a UTM restart is to change the last ribbon in the IPsec section (Fehlersuche) and change one of the debug level checkboxes. This brings back the tunnel after a reconnect.
My productive system stays on 9.355 since no solution until no ...
